Ldap user login fails with error when trying to access SSP UI

Article ID: 398118

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

When you try to log in to the SSP UI as an LDAP user, you see this error: "The username/password combination is incorrect or the account specified has been locked."

Environment

SSP 5.0.0

Cause

  • An LDAP user with userPrincipalName [email protected] and mail [email protected], and another LDAP user with userPrincipalName [email protected] and mail [email protected], are present on the LDAP server. If user aduser tries to log in to SSP with [email protected], the login fails.

  • The two users have the same mail attribute. The filter configured in SSP to search for the user during login incorrectly used the mail attribute, which is not a unique identifier.
  • Log in to SSPI as root and run the commands below:

k get pods -n nsxi-platform | grep authelia

k logs <authelia-pod-name from previous step> -n nsxi-platform -c authelia-ldap 

  • The Authelia pod logs show the error below:

time="2025-05-12T18:51:33Z" level=error msg="Unsuccessful 1FA authentication attempt by user '[email protected]'" error="cannot find user DN of user '[email protected]'. Cause: LDAP Result Code 4 \"Size Limit Exceeded\": "

k get pods -n nsxi-platform | grep cluster-api

k logs <cluster-api-pod-name from previous step> -n nsxi-platform -c cluster-api

  • The cluster-api pod logs show entries similar to the following:

2025-05-12T18:12:30.670360028+00:00 stdout F DN: CN=aduser,OU=Administrative,OU=Users,OU=Accounts,DC=example,DC=com
2025-05-12T18:12:30.670360028+00:00 stdout F cn: [aduser]
2025-05-12T18:12:30.670360028+00:00 stdout F sAMAccountName: [aduser]
2025-05-12T18:12:30.670360028+00:00 stdout F userPrincipalName: [[email protected]]
2025-05-12T18:12:30.670360028+00:00 stdout F mail: [[email protected]]

2025-05-12T18:53:17.245213967+00:00 stdout F DN: CN=aduser10,OU=Contractor,OU=Users,OU=Accounts,DC=example,DC=com
2025-05-12T18:53:17.245677429+00:00 stdout F cn: [aduser10]
2025-05-12T18:53:17.245708108+00:00 stdout F sAMAccountName: [aduser10]
2025-05-12T18:53:17.245720111+00:00 stdout F userPrincipalName: [[email protected]]
2025-05-12T18:53:17.245730651+00:00 stdout F mail: [[email protected]]
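
To see which accounts a mail-based login filter cannot tell apart, the sketch below (an added example, not part of the original article or of SSP) parses entries in the cluster-api log layout shown above and reports attribute values held by more than one DN. The log text, e-mail values and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the cluster-api log layout shown above; attribute values are made up.
SAMPLE_LOG = """\
2025-05-12T18:12:30.670360028+00:00 stdout F DN: CN=aduser,OU=Administrative,OU=Users,OU=Accounts,DC=example,DC=com
2025-05-12T18:12:30.670360028+00:00 stdout F cn: [aduser]
2025-05-12T18:12:30.670360028+00:00 stdout F sAMAccountName: [aduser]
2025-05-12T18:12:30.670360028+00:00 stdout F userPrincipalName: [aduser@corp.example]
2025-05-12T18:12:30.670360028+00:00 stdout F mail: [Shared-Mailbox@corp.example]
2025-05-12T18:53:17.245213967+00:00 stdout F DN: CN=aduser10,OU=Contractor,OU=Users,OU=Accounts,DC=example,DC=com
2025-05-12T18:53:17.245677429+00:00 stdout F cn: [aduser10]
2025-05-12T18:53:17.245708108+00:00 stdout F sAMAccountName: [aduser10]
2025-05-12T18:53:17.245720111+00:00 stdout F userPrincipalName: [aduser10@corp.example]
2025-05-12T18:53:17.245730651+00:00 stdout F mail: [shared-mailbox@corp.example]
"""
# "<timestamp> stdout F <attribute>: <value>"
LINE = re.compile(r"^\S+ stdout F (\w[\w-]*): (.*)$")

def parse_entries(log_text):
    """Return {dn: {attribute: value}}; a 'DN:' line starts a new entry."""
    entries, current = {}, None
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "DN":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value.strip("[]")  # values are logged as [value]
    return entries

def colliding_values(entries, attribute):
    """Map each value of `attribute` held by more than one DN to those DNs."""
    owners = defaultdict(list)
    for dn, attrs in entries.items():
        if attribute in attrs:
            # Compared case-insensitively (assumption: directory matches mail that way).
            owners[attrs[attribute].lower()].append(dn)
    return {v: dns for v, dns in owners.items() if len(dns) > 1}

def unique_attributes(entries, candidates=("mail", "userPrincipalName", "sAMAccountName")):
    """Candidate login attributes that identify exactly one entry in this data."""
    return [a for a in candidates if not colliding_values(entries, a)]

if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for value, dns in colliding_values(found, "mail").items():
        print(f"mail={value} is shared by {len(dns)} entries: {dns}")
    print("unique in this sample:", unique_attributes(found))
```

Any value reported by `colliding_values` for the attribute used in the login filter identifies accounts whose user lookup returns more than one entry.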

Resolution

  • There is no resolution for this issue as of now.

Workaround

OR

  • Log in using a local user.

Note: This issue is fixed in SSP 5.1.