RSA Identity Governance & Lifecycle authentication fails if the authentication source uses Aveksa Data Collector (ADC) and the AccountSearchAttribute is different than the distinguishedName
Originally Published: 2017-01-24
Article Number
Applies To
RSA Version/Condition: 6.9.1 P16, 6.9.1 P17, 7.0.0 P04, 7.0.1
Issue
After upgrading to 6.9.1 P16, 6.9.1 P17, 7.0.0 P04 or 7.0.1, authentication fails with the following error, although the username and password used are correct:
Invalid Login credentials
This issue occurs if the authentication sources use Aveksa Data Collector (ADC) and the AccountSearchAttribute is different than the distinguishedName.
The error in the aveksaServer.log always says that the account is orphaned, even though the account is not orphaned and there are no duplicate accounts in the system.
09/23/2016 15:19:52.569 WARN (default task-56) [com.aveksa.gui.core.ACMLoginLogout] name is not in dn format
javax.naming.InvalidNameException: Invalid name: jsmith
    at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
    at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70)
    at javax.naming.ldap.LdapName.parse(LdapName.java:789)
    at javax.naming.ldap.LdapName.<init>(LdapName.java:125)
    at com.aveksa.gui.core.ACMLoginLogout.getLoginUserIdForAccount(ACMLoginLogout.java:745)
...
09/23/2016 15:19:52.585 WARN (default task-29) [com.aveksa.gui.core.ACMLoginLogout] No User mapped to this account. Its an Orphaned Account
Cause
A defect introduced in the affected versions causes authentication to incorrectly attempt to map the Identity Governance & Lifecycle user to the AD account using the distinguishedName attribute. The distinguishedName collected for the ADC will not map to the authentication source's user account, so the mapping always fails. Test Authentication does a simple bind with the AD server and searches for the user with the UserSearchAttribute. User account mapping plays no role there, which is why the test passes.
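To confirm that failed logins match this defect rather than a genuinely orphaned account, the log signature under Issue can be searched for mechanically. The following is an added example, not RSA code: it pairs each "name is not in dn format" warning with an "Orphaned Account" warning that follows shortly after. The function name, the 2-second correlation window and the sample log text are assumptions constructed from the excerpt in this article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the aveksaServer.log format quoted in this article.
SAMPLE_LOG = """\
09/23/2016 15:19:52.569 WARN (default task-56) [com.aveksa.gui.core.ACMLoginLogout] name is not in dn format
javax.naming.InvalidNameException: Invalid name: jsmith
    at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
09/23/2016 15:19:52.585 WARN (default task-29) [com.aveksa.gui.core.ACMLoginLogout] No User mapped to this account. Its an Orphaned Account
09/23/2016 16:02:10.100 WARN (default task-12) [com.aveksa.gui.core.ACMLoginLogout] No User mapped to this account. Its an Orphaned Account
"""

ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) WARN .*?"
                   r"\[com\.aveksa\.gui\.core\.ACMLoginLogout\] (.*)$")
INVALID = re.compile(r"InvalidNameException: Invalid name: (\S+)")


def find_dn_mapping_failures(log_text, window=timedelta(seconds=2)):
    """Return (timestamp, login_name) for each 'not in dn format' warning
    followed within `window` (assumed value) by an 'Orphaned Account' warning.
    The two warnings can come from different threads, so they are paired
    by time rather than by task id."""
    pending = []  # [timestamp, name or None], waiting for the orphaned warning
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
            msg = m.group(2)
            # Drop DN warnings too old to belong to this login attempt.
            pending = [p for p in pending if ts - p[0] <= window]
            if msg.startswith("name is not in dn format"):
                same_line = INVALID.search(msg)  # exception may share the line
                pending.append([ts, same_line.group(1) if same_line else None])
            elif "Orphaned Account" in msg and pending:
                first = pending.pop(0)
                hits.append((first[0], first[1]))
            continue
        # Continuation line: pick up the rejected name from the exception text.
        m = INVALID.search(line)
        if m and pending and pending[-1][1] is None:
            pending[-1][1] = m.group(1)
    return hits


if __name__ == "__main__":
    for ts, name in find_dn_mapping_failures(SAMPLE_LOG):
        print(f"{ts.isoformat()} login name {name!r} rejected as non-DN, then reported orphaned")
```

An "Orphaned Account" warning with no preceding DN-format warning, like the last line of the sample, is not reported, since that may be a real orphaned account.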
Resolution
Workaround