Resolve LDAP Connection Issues in BEA WebLogic Server (Continued)
You can also edit config.xml directly: in the <ServerDebug/> stanza of each server you want to debug, set the relevant attribute to "true" to enable or "false" to disable that debug category (XML does not allow comments inside a start tag, so the attribute meanings are given in a comment preceding the element):
<!-- DebugSecurityAdjudicator : security adjudicator debug
     DebugSecurityAtn         : security authentication debug
     DebugSecurityAtz         : security authorization debug
     DebugSecurityRoleMap     : security role mapping debug -->
<ServerDebug
    DebugSecurityAdjudicator="true"
    DebugSecurityAtn="true"
    DebugSecurityAtz="true"
    DebugSecurityRoleMap="true"
    Name="MyServer"/>
Then you must restart the admin server.
Make sure StdoutDebugEnabled is set to "true"; you can verify this in config.xml. Debug output to stdout can be enabled via the console or on the command line with:
-Dweblogic.StdoutDebugEnabled=true
The debug information is written to the server log as well as to standard out. The server log file is identified at startup by message BEA-170019:
BEA-170019 Notice: The server log file fileName is opened. All server side log events will be written to this file.
User authentication failure. WLS first connects to LDAP, then searches for the user using the "User Base DN" and the "User Filter" defined in the authentication provider. Once the user is found, WLS attempts to authenticate (bind) with the password provided.
If authentication fails after the debug flags have been enabled, search the log file for the pattern getDNForUser to see why. Either the user does not exist in LDAP (javax.security.auth.login.FailedLoginException) or the password is incorrect (authentication failed, LDAP error 49).
The search will be similar to:
<SecurityDebug><getDNForUser search
("ou=people,dc=beasys,dc=com",
"(&(uid=fred)(objectclass=person))",
base DN & below)
If the user does not exist, we will see this message:
<SecurityDebug><returnConnection
conn:netscape.ldap.LDAPConnection@e4bb3c>
javax.security.auth.login.FailedLoginException:
[Security:090302]Authentication Failed:
User fred denied
If the user password is not correct we will see that the full DN was retrieved from LDAP, but authentication fails:
<SecurityDebug> <DN for user fred:
uid=fred,ou=People,dc=beasys,dc=com>
<SecurityDebug> <authenticate user:fred with
DN:uid=fred,ou=People,dc=beasys,dc=com>
<Debug> <SecurityDebug>
<authentication failed 49>
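The triage described above (search for getDNForUser, then decide between "user not found" and "wrong password") as an added Python example that is not part of the BEA article. It walks SecurityDebug lines in order and classifies each attempt; the log lines are constructed in the shape shown above, and the script assumes the User Filter has the page's form (&(uid=<user>)(objectclass=person)) so the login name can be read from the search line.

```python
import re

# Constructed sample of WebLogic SecurityDebug output (not real server output);
# the line shapes follow the patterns the text says to look for.
SAMPLE_LOG = """\
<SecurityDebug> <getDNForUser search ("ou=people,dc=beasys,dc=com", "(&(uid=fred)(objectclass=person))", base DN & below)>
<SecurityDebug> <returnConnection conn:netscape.ldap.LDAPConnection@e4bb3c>
javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User fred denied
<SecurityDebug> <getDNForUser search ("ou=people,dc=beasys,dc=com", "(&(uid=alice)(objectclass=person))", base DN & below)>
<SecurityDebug> <DN for user alice: uid=alice,ou=People,dc=beasys,dc=com>
<SecurityDebug> <authenticate user:alice with DN:uid=alice,ou=People,dc=beasys,dc=com>
<Debug> <SecurityDebug> <authentication failed 49>
<SecurityDebug> <getDNForUser search ("ou=people,dc=beasys,dc=com", "(&(uid=bob)(objectclass=person))", base DN & below)>
<SecurityDebug> <DN for user bob: uid=bob,ou=People,dc=beasys,dc=com>
<SecurityDebug> <authenticate user:bob with DN:uid=bob,ou=People,dc=beasys,dc=com>
"""

# Assumption: the User Filter has the page's shape, (&(uid=<user>)(objectclass=person)),
# so the login name is the uid value in the search line.
SEARCH_RE = re.compile(r'getDNForUser search \("([^"]*)",\s*"\(&\(uid=([^)]+)\)')
DN_RE = re.compile(r'<DN for user (\S+): ([^>]+)>')
DENIED_RE = re.compile(r'FailedLoginException:.*User (\S+) denied')
FAILED49_RE = re.compile(r'authentication failed 49')


def triage(log_text):
    """Map each user seen in the log to one of:
    user-not-found (search found no DN, FailedLoginException logged),
    bad-password (DN resolved, bind failed with LDAP error 49),
    dn-resolved (DN resolved, no failure logged), search-pending (nothing decisive)."""
    result, dn_for = {}, {}
    current = None  # user whose attempt the following lines belong to
    for line in log_text.splitlines():
        if m := SEARCH_RE.search(line):
            current = m.group(2)
            result[current] = 'search-pending'
        elif m := DN_RE.search(line):
            dn_for[m.group(1)] = m.group(2)
            result[m.group(1)] = 'dn-resolved'
        elif m := DENIED_RE.search(line):
            # Denied with no DN means the search under the User Base DN found nothing
            if m.group(1) not in dn_for:
                result[m.group(1)] = 'user-not-found'
        elif FAILED49_RE.search(line) and current:
            # Error 49 after a resolved DN means the bind used the wrong password
            result[current] = 'bad-password'
    return result
```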