authentication check when multiple users are found for authentication

Document ID : KB000045405
Last Modified Date : 14/02/2018
Show Technical Document Details

Symptoms:

When multiple users exist with same UID, either or both users get locked out unexpectedly.

 

Environment:  

 

LDAP user directory has following users.

CN=user1,ou=People,dc=sso,dc=lab     Password: 1234

CN=user1,CN=Users,dc=sso,dc=lab      Password: abcd

 

When user1 login with password that does not match either users, both users "Failed Login Attempts Counter" are increased.

 

Cause:

It is by design. This is a special condition and a condition to avoid if possible.

When Policy Server searches for a user, it uses the query defined in the userstore definition.

In the above sample, it will search (cn=user1)

This will return 2 userDNs.

CN=user1,ou=People,dc=sso,dc=lab

CN=user1,CN=Users,dc=sso,dc=lab

 

Policy Server will attempt to BIND using the first userDN with the password entered in the login page.

If the BIND is successful, then it will not try the next userDN.

So, no one's "Failed Login Attempt Counter" will be increased.

 

If first userDN fails to BIND, that user's "Failed Login Attempt Counter" will be increased and the next userDN will be tried.

If the second userDN successfully BIND, then the second user will not have the counter increased.

 

If the second userDN also fails to BIND, then both users would have "Failed Login Attempt Counter" increased.

 

Workaround:

You must ensure only 1 user is returned from the user search query.

If UID is not enough, you can add additional user attribute to help search only 1 user.

 

Additional Information: 

https://communities.ca.com/people/SungHoon_Kim/blog/2016/08/03/authentication-behavior-when-multiple-users-have-same-uid

https://communities.ca.com/people/SungHoon_Kim/blog/2016/01/29/configuring-an-all-in-one-vm-image-part-4