LDAP authentication fails after upgrade to 10.2

Document ID : KB000095645
Last Modified Date : 14/05/2018
Issue:
After upgrading from DevTest 9.0 to 10.2, LDAP authentication no longer works.
When trying to log in to the Portal or Workstation, the following error is shown in registry.log:
org.springframework.security.authentication.BadCredentialsException: Bad credentials

The acl.log does not show any errors; its last entries are:
DEBUG com.ca.dts.security.authentication.internal.DevTestLdapAuthenticationProvider - Invoking LDAP authentication for user 'testuser'
DEBUG org.springframework.ldap.core.support.AbstractContextSource - Got Ldap context on server 'ldap://<<LDAPSERVERHOST>>:389'

The following authentication-providers.xml was used:

<?xml version="1.0" encoding="UTF-8" ?>
<authentication-providers>
    <authentication-provider
                name="COMPANY"
                autoAddUsers="true"
                authenticateOnly="true"
                enabled="true"
                type="LDAP"
                defaultRole="SV Power"
                rejectUnmappedUsers="false">
        <url>ldap://<<LDAPSERVERHOST>>:389</url>
        <user-dn>cn=<<Username>>,ou=Net Accounts,DC=au,DC=companynet,DC=com</user-dn>
        <user-dn-pattern>DC=au,DC=companynet,DC=com,ou=Net Accounts,cn={0}</user-dn-pattern>
        <user-password>{cry}...</user-password>
        <user-search-base>DC=au,DC=companynet,DC=com</user-search-base>
        <user-search-filter>(&amp;(objectClass=user)(sAMAccountName={0}))</user-search-filter>
        <group-search-base>ou=groups,DC=au,DC=companynet,DC=com</group-search-base>
        <group-search-filter>(member={0})</group-search-filter>
    </authentication-provider>

    <authentication-provider
                name="DevTest ACL Database"
                type="Embedded"
                enabled="true"/>
</authentication-providers>
 
Resolution:
The sAMAccountName attribute in the user search filter indicates that the authentication provider is Active Directory.
So this change was made in authentication-providers.xml:
type="ActiveDirectory" 


The pattern in user-dn-pattern should match the structure of user-dn, with the most restrictive component first (cn, then ou, then the DC components).
So this change was made in authentication-providers.xml:
<user-dn-pattern>cn={0},ou=Net Accounts,DC=au,DC=companynet,DC=com</user-dn-pattern> 


After making these 2 changes and stopping and starting the registry, user authentication worked correctly.
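
The two checks from the Resolution can be run against a provider file before restarting the registry. The script below is an added example, not DevTest or CA code: the host name, the bind account `svc-bind` and the function names are constructed, and comparing attribute order between user-dn and user-dn-pattern is a heuristic based on this article's statement that the two should match.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the two misconfigurations from this article
# (host name and bind account are placeholders, not values from the page).
BROKEN = """<?xml version="1.0" encoding="UTF-8" ?>
<authentication-providers>
    <authentication-provider name="COMPANY" type="LDAP" enabled="true">
        <url>ldap://ldap.example.test:389</url>
        <user-dn>cn=svc-bind,ou=Net Accounts,DC=au,DC=companynet,DC=com</user-dn>
        <user-dn-pattern>DC=au,DC=companynet,DC=com,ou=Net Accounts,cn={0}</user-dn-pattern>
        <user-search-filter>(&amp;(objectClass=user)(sAMAccountName={0}))</user-search-filter>
    </authentication-provider>
    <authentication-provider name="DevTest ACL Database" type="Embedded" enabled="true"/>
</authentication-providers>"""

# The same file with both changes from the Resolution applied.
FIXED = BROKEN.replace('type="LDAP"', 'type="ActiveDirectory"').replace(
    "DC=au,DC=companynet,DC=com,ou=Net Accounts,cn={0}",
    "cn={0},ou=Net Accounts,DC=au,DC=companynet,DC=com")


def rdn_types(dn):
    """Attribute types of a DN in order, e.g. ['cn', 'ou', 'dc'].
    Naive split: assumes the DN contains no escaped commas."""
    return [part.split("=", 1)[0].strip().lower() for part in dn.split(",")]


def lint(xml_text):
    """Return one finding per misconfiguration found in the provider file."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for p in root.iter("authentication-provider"):
        name = p.get("name")
        flt = p.findtext("user-search-filter", "")
        # sAMAccountName is an Active Directory attribute.
        if p.get("type") == "LDAP" and "samaccountname" in flt.lower():
            findings.append(f"{name}: sAMAccountName filter with type=LDAP; "
                            "use type=ActiveDirectory")
        user_dn = p.findtext("user-dn")
        pattern = p.findtext("user-dn-pattern")
        # Providers without both elements (e.g. Embedded) are skipped.
        if user_dn and pattern and rdn_types(user_dn) != rdn_types(pattern):
            findings.append(f"{name}: user-dn-pattern component order "
                            "does not match user-dn")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        print(label, lint(text) or "no findings")
```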