PowerFlex 3.x Gateway LDAP Authentication Fails when Configured Search Filter Returns an LDAP Group Object

Summary: LDAP queries using the configured LDAP search filter return an LDAP group object.


Symptoms

LDAP-based PowerFlex Gateway authentication fails.

Messages similar to the following appear in the Gateway's log file, scaleio-trace.log.
Note that the o.s.ldap.core.LdapTemplate - Authentication failed message shows the DN of an LDAP group, cn=pf_im_users,ou=Groups,dc=example,dc=com.

2020-12-17 00:27:14,679 [https-jsse-nio-443-exec-6] DEBUG o.s.l.c.s.AbstractContextSource - Trying provider Urls: ldaps://10.0.0.10/ou=Groups,dc=example,dc=com
2020-12-17 00:27:14,679 [https-jsse-nio-443-exec-6] DEBUG c.e.s.s.w.s.ScaleIOSecurityUtils - ldapFilter: '(&(objectClass=posixGroup)(memberUid=smitheea)(cn=pf_im_users))'
2020-12-17 00:27:14,680 [https-jsse-nio-443-exec-6] DEBUG o.s.l.c.s.AbstractContextSource - Got Ldap context on server 'ldaps://10.0.0.10/ou=Groups,dc=example,dc=com'
2020-12-17 00:27:14,687 [https-jsse-nio-443-exec-6] INFO  o.s.ldap.core.LdapTemplate - Authentication failed for entry with DN 'cn=pf_im_users,ou=Groups,dc=example,dc=com'
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182) ~[spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:285) ~[spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
        at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:119) ~[spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
        at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:110) ~[spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
        at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1494) [spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
        at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1385) [spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
        at com.emc.s3g.scaleio.web.security.ScaleIOSecurityUtils.authenticateUsingLdapServer(ScaleIOSecurityUtils.java:398) [classes/:na]
        at com.emc.s3g.scaleio.web.security.ScaleIOSecurityUtils.authentication(ScaleIOSecurityUtils.java:165) [classes/:na]
        at com.emc.s3g.scaleio.web.security.LocalAuthenticationProvider.authenticate(LocalAuthenticationProvider.java:27) [classes/:na]
        (...)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) ~[na:1.8.0_121]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.8.0_121]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.8.0_121]
        (...)
2020-12-17 00:27:14,687 [https-jsse-nio-443-exec-6] ERROR c.e.s.s.w.s.ScaleIOSecurityUtils - User smitheea was not found in group pf_im_users
2020-12-17 00:27:14,687 [https-jsse-nio-443-exec-6] ERROR c.e.s.s.w.s.ScaleIOSecurityUtils - LDAP authentication failed - LDAP filter was '(&(objectClass=posixGroup)(memberUid=smitheea)(cn=pf_im_users))'
2020-12-17 00:27:14,687 [https-jsse-nio-443-exec-6] DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Access denied. Check the LDAP configuration.

Scenario
LDAP queries using the configured LDAP search filter return an LDAP group object.

Impact
LDAP-based Gateway authentication fails.

Cause

During login attempts, the Gateway constructs an LDAP search filter using the configured search filter pattern, configured group name, and the username specified during the login attempt.
The Gateway then queries the LDAP server using the constructed search filter.
The DN of the object returned by the query is used for authentication along with the password specified during the login attempt.

If the LDAP object returned by the filter is not the user object for which the password was provided, login fails.

Resolution

Configure Gateway LDAP authentication using a filter that returns a user object.
It may be necessary to add a group membership attribute to LDAP user objects if one does not already exist. Common group membership attributes are memberOf and isMemberOf.

If the LDAP schema cannot accommodate a group membership attribute for user objects, use non-LDAP-based (local) Gateway authentication.
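
The search-then-bind flow described under Cause, and the effect of the filter change described under Resolution, modelled against a small in-memory directory. This is an added example, not Gateway code. The directory entries, the ou=People location, the password, and the {user}/{group} placeholder syntax are constructed for illustration; the group filter has the shape shown in the log above.

```python
import re

GROUP_DN = "cn=pf_im_users,ou=Groups,dc=example,dc=com"
USER_DN = "uid=smitheea,ou=People,dc=example,dc=com"

# Constructed sample directory: DN -> attributes. Only the user entry has a password.
DIRECTORY = {
    GROUP_DN: {"objectClass": ["posixGroup"], "cn": ["pf_im_users"],
               "memberUid": ["smitheea"]},
    USER_DN: {"objectClass": ["posixAccount"], "uid": ["smitheea"],
              "memberOf": [GROUP_DN], "userPassword": ["constructed-password"]},
}

# Hypothetical filter patterns; {user} and {group} are placeholders for this example.
GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid={user})(cn={group}))"
USER_FILTER = ("(&(objectClass=posixAccount)(uid={user})"
               "(memberOf=cn={group},ou=Groups,dc=example,dc=com))")


def search(ldap_filter):
    """Return DNs matching a flat AND filter of equality terms (simplified matcher)."""
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", ldap_filter)
    return [dn for dn, attrs in DIRECTORY.items()
            if all(value in attrs.get(attr, []) for attr, value in terms)]


def bind(dn, password):
    """Simple bind: succeeds only if the entry at this DN holds that password."""
    return password in DIRECTORY[dn].get("userPassword", [])


def login(filter_pattern, group, username, password):
    """Build the filter, search, then bind as the DN the search returned."""
    hits = search(filter_pattern.format(user=username, group=group))
    if not hits:
        return None, False
    return hits[0], bind(hits[0], password)


if __name__ == "__main__":
    for name, pattern in (("group filter", GROUP_FILTER), ("user filter", USER_FILTER)):
        dn, ok = login(pattern, "pf_im_users", "smitheea", "constructed-password")
        print(f"{name}: bind DN = {dn!r}, authenticated = {ok}")
```

The log above shows a search base of ou=Groups,dc=example,dc=com; a filter that targets user objects only returns a result if the search base covers the subtree where the user entries live.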

Impacted Versions

PowerFlex Gateway 3.x

Fixed in Version

TBD

Products

PowerFlex rack, VxFlex Ready Nodes, PowerFlex custom node, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, PowerFlex appliance R750, PowerFlex appliance R760, PowerFlex appliance R7625, PowerFlex appliance R640, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840 ...
Article Properties
Article Number: 000193332
Article Type: Solution
Last Modified: 16 Apr 2025
Version:  3