
Authentication chaining does not work if the user search attribute of the LDAP authentication module does not match that of the data store #84

Closed
tsujiguchitky opened this issue May 9, 2019 · 0 comments
@tsujiguchitky
Contributor

Description

When using an e-mail address as the user name at login and performing multi-factor authentication such as HOTP via an authentication chain, assume the following settings are made.

  1. Configure LDAP data store with uid as LDAP Users Search Attribute
  2. Configure LDAP auth module with mail as Attributes Used to Search for a User to be Authenticated
  3. Configure HOTP auth module
  4. Configure auth chain with required modules LDAP + HOTP
  5. Try the above auth chain

However, this configuration does not work. That is because the value passed as the username to HOTP authentication is the e-mail address, and with this value HOTP authentication cannot get the user from the data store.

The fix for OPENAM-4856 was changed to use the alias attribute. This applies only to HOTP authentication. Therefore, multiple other authentication modules have the same problem.

The alias attribute allows multiple searches to identify users. Not only does this increase processing, I think there is also a risk of matching another user. We need a solution that does not use alias attributes.

Steps to reproduce

See Description.

Expected Results

HOTP authentication works fine.

Actual Results

Because HOTP authentication cannot identify the user, it cannot send one-time passwords.

References
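
As an added illustration (not code from the issue or from OpenAM), the following Python model reproduces the chain described above: an LDAP module that searches by mail, followed by an HOTP-style module that looks the user up in the data store by uid. The directory entries, passwords and the stale alias value are constructed for the example; the alias attribute name follows OpenAM's user alias list attribute; forwarding the resolved uid between modules is one possible approach assumed here, not the project's fix.

```python
"""Toy model of an OpenAM-style auth chain: LDAP module (search by mail)
followed by an HOTP-style module that looks the user up in the data store
(search by uid). All directory contents below are constructed."""

# Name of the alias attribute, mirroring OpenAM's user alias list attribute.
ALIAS_ATTR = "iplanet-am-user-alias-list"

# Constructed in-memory stand-in for the LDAP data store.
DIRECTORY = [
    {
        "dn": "uid=alice,ou=people,dc=example,dc=com",
        "uid": ["alice"],
        "mail": ["alice@example.com"],
        ALIAS_ATTR: [],
        "userPassword": "alice-pw",
    },
    {
        "dn": "uid=bob,ou=people,dc=example,dc=com",
        "uid": ["bob"],
        "mail": ["bob@example.com"],
        # Stale alias: bob's entry still lists alice's address as an alias.
        ALIAS_ATTR: ["alice@example.com"],
        "userPassword": "bob-pw",
    },
]


def search(attr, value):
    """Equality search (attr=value) over the directory; returns matching entries."""
    return [e for e in DIRECTORY if value in e.get(attr, [])]


def ldap_module(login, password, search_attr="mail"):
    """LDAP auth module: find the user by search_attr ('Attributes Used to Search
    for a User to be Authenticated'), then verify the password.
    Returns the entry on success, None otherwise."""
    hits = search(search_attr, login)
    if len(hits) != 1 or hits[0]["userPassword"] != password:
        return None
    return hits[0]


def data_store_lookup(username, search_attr="uid"):
    """Data-store lookup as a later module (e.g. HOTP) performs it: a single
    search on the data store's 'LDAP Users Search Attribute'."""
    hits = search(search_attr, username)
    return hits[0] if len(hits) == 1 else None


def alias_lookup(username, attrs=("uid", "mail", ALIAS_ATTR)):
    """Alias-style lookup: try several attributes and collect every match.
    Returns all distinct matching entries so the caller can see ambiguity."""
    found = []
    for attr in attrs:
        for e in search(attr, username):
            if e not in found:
                found.append(e)
    return found


def run_chain(login, password, forward_resolved_uid=False):
    """Required LDAP module followed by a required HOTP-style lookup.
    forward_resolved_uid=False passes the typed login on unchanged (the
    behaviour the issue describes). True passes the authenticated entry's uid,
    i.e. the data store's search attribute, instead (an assumed remedy, not
    the project's implementation). Returns the DN the second module resolved,
    or None if it could not identify the user."""
    entry = ldap_module(login, password)
    if entry is None:
        return None
    username = entry["uid"][0] if forward_resolved_uid else login
    target = data_store_lookup(username)
    return target["dn"] if target else None


if __name__ == "__main__":
    print("typed login forwarded :", run_chain("alice@example.com", "alice-pw"))
    print("resolved uid forwarded:", run_chain("alice@example.com", "alice-pw", True))
    print("alias lookup matches  :", [e["dn"] for e in alias_lookup("alice@example.com")])
```

Running the script shows the three situations the issue talks about: the typed e-mail address does not resolve through a uid search, so the second module gets no user; the alias-style multi-attribute search does resolve it, but returns two entries once another entry carries the same value in its alias attribute; forwarding the uid resolved by the first module resolves exactly one entry with a single search.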
