Description

When the LDAP server is down, the instance displays a hyperlink on the login screen to request a temporary password; upon request, the instance sends the user an email containing a temporary password. This feature was not working even though the LDAP server was not reachable.

An LDAP property is available to send a one-time password to a user who cannot log in because the LDAP server is down. A second property controls how long the password is valid. In certain cases, however, the one-time password email is not triggered even though the LDAP server is not reachable.

The property below enables this functionality and is present in the instance by default.

glide.ldap.onetime.password.enabled


Release or Environment

All Versions

Cause

Below is the flow that triggers a one-time password when the LDAP server is down:

As per the OOB script logic, the user must click "generateLDAPOneTimePasswordInfoMsg" on the login screen in order to receive a one-time password email.

1. Validate that the system properties for the feature "Send a one-time password when the LDAP server is down" are set and active:
   glide.ldap.onetime.password.enabled
   glide.authenticate.onetime.password.validity
2. Validate that the notification configured for the one-time password is active.
   Notification name: OneTimePasswordEmailNotification
3. Validate the records created in the security_nonce table: check whether a record exists with context "LDAPAuth". If no record is created in the security_nonce table, the notification will not trigger.
4. Validate whether the password.onetime event is being generated in the sysevent table.
   Also verify that the script includes below are active:
   GlideOneTimePasswordGenerator
   LDAPOneTimePasswordGenerator

Resolution

As per the OOB script logic, the hyperlink to request a one-time password is shown to the user only when the conditions below are met.

1. The LDAP server must fail with a valid error message; it must not fail with a "Credentials invalid" error message.
2. The user record must have a valid DN, and it must route to the same LDAP server that is timing out.
3. The error messages below should appear in the error messages when the user tries to log in:
   "No user information found in ldap for test@xyz.com"
   No DN returned for test@xyz.com
   LDAP: connect timed out
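The checklist under Cause and the preconditions under Resolution can be run as one diagnostic. The script below is an added example, not ServiceNow's own code: it takes a snapshot of the relevant instance data (the two properties, the notification, the security_nonce and sysevent rows, the script includes, and the login error the user saw) and returns the list of preconditions that fail. Table, property, event, notification and script-include names are the ones named in this article; the shape of the snapshot object, its field names (including carrying the user name in the event's parm1), and the sample values are assumptions constructed for the example so it runs offline in Node.js. On an instance the snapshot would be filled from gs.getProperty() and GlideRecord queries.

```javascript
// Added example, not ServiceNow's own code. Names below come from the article;
// the snapshot shape is an assumption of this example.
const REQUIRED_PROPERTIES = [
  "glide.ldap.onetime.password.enabled",
  "glide.authenticate.onetime.password.validity",
];
const NOTIFICATION_NAME = "OneTimePasswordEmailNotification";
const NONCE_CONTEXT = "LDAPAuth";          // expected security_nonce context
const ONE_TIME_EVENT = "password.onetime"; // expected sysevent name
const REQUIRED_SCRIPT_INCLUDES = [
  "GlideOneTimePasswordGenerator",
  "LDAPOneTimePasswordGenerator",
];
// Login error messages the article lists as "LDAP down" (not credential) failures.
const LDAP_DOWN_PATTERNS = [
  "No user information found in ldap for",
  "No DN returned for",
  "LDAP: connect timed out",
];

// True when the login error is one of the server-unreachable messages, which is
// the only case in which the one-time password hyperlink is offered.
function isLdapDownError(message) {
  return LDAP_DOWN_PATTERNS.some((p) => String(message).includes(p));
}

// Returns an array of findings; an empty array means every precondition holds.
// `userName` is the user whose one-time password email did not arrive.
function checkOneTimePasswordFlow(snapshot, userName) {
  const findings = [];

  // Resolution, condition 1 and 3: the failure must be an LDAP-down error.
  if (!isLdapDownError(snapshot.loginError)) {
    findings.push(`login error "${snapshot.loginError}" is not an LDAP-down error; link is not shown`);
  }

  // Cause, step 1: both properties present, and the feature flag set to "true".
  for (const name of REQUIRED_PROPERTIES) {
    if (!(name in snapshot.properties) || snapshot.properties[name] === "") {
      findings.push(`property ${name} is missing or empty`);
    }
  }
  if (snapshot.properties["glide.ldap.onetime.password.enabled"] !== "true") {
    findings.push("glide.ldap.onetime.password.enabled is not 'true': feature disabled");
  }

  // Cause, step 2: the notification record must exist and be active.
  const notification = snapshot.notifications.find((n) => n.name === NOTIFICATION_NAME);
  if (!notification) {
    findings.push(`notification ${NOTIFICATION_NAME} not found`);
  } else if (!notification.active) {
    findings.push(`notification ${NOTIFICATION_NAME} is inactive`);
  }

  // Cause, step 3: a security_nonce row with context LDAPAuth must exist for the
  // user; without it the notification never triggers.
  const hasNonce = snapshot.securityNonce.some(
    (r) => r.context === NONCE_CONTEXT && r.user === userName
  );
  if (!hasNonce) {
    findings.push(`no security_nonce record with context ${NONCE_CONTEXT} for ${userName}`);
  }

  // Cause, step 4: the password.onetime event must have been generated.
  // (Assumption of this example: the user name travels in parm1.)
  const hasEvent = snapshot.sysevent.some(
    (e) => e.name === ONE_TIME_EVENT && e.parm1 === userName
  );
  if (!hasEvent) {
    findings.push(`no ${ONE_TIME_EVENT} event in sysevent for ${userName}`);
  }

  // Cause, step 4 (continued): both generator script includes must be active.
  for (const name of REQUIRED_SCRIPT_INCLUDES) {
    const si = snapshot.scriptIncludes.find((s) => s.name === name);
    if (!si || !si.active) {
      findings.push(`script include ${name} is missing or inactive`);
    }
  }
  return findings;
}

// Constructed snapshot of a broken instance: the login failed the right way and
// the feature flag is on, but the notification is inactive and neither a nonce
// record nor the event was produced for the user.
const brokenSnapshot = {
  loginError: "No DN returned for test@xyz.com",
  properties: {
    "glide.ldap.onetime.password.enabled": "true",
    "glide.authenticate.onetime.password.validity": "30", // constructed value
  },
  notifications: [{ name: "OneTimePasswordEmailNotification", active: false }],
  securityNonce: [],
  sysevent: [],
  scriptIncludes: [
    { name: "GlideOneTimePasswordGenerator", active: true },
    { name: "LDAPOneTimePasswordGenerator", active: true },
  ],
};

// Constructed snapshot of a healthy instance after the user clicked the link.
const healthySnapshot = {
  ...brokenSnapshot,
  notifications: [{ name: "OneTimePasswordEmailNotification", active: true }],
  securityNonce: [{ context: "LDAPAuth", user: "test@xyz.com" }],
  sysevent: [{ name: "password.onetime", parm1: "test@xyz.com" }],
};

console.log(checkOneTimePasswordFlow(brokenSnapshot, "test@xyz.com"));
console.log(checkOneTimePasswordFlow(healthySnapshot, "test@xyz.com"));
```

The broken snapshot reports three findings (inactive notification, missing nonce record, missing event), which is the order in which the article says to look; the healthy snapshot reports none. Step 3 is the one that most often explains a silent failure, since a missing security_nonce row means nothing downstream fires.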

Article Information

Last Updated:2020-03-29 01:13:30
Published:2020-03-05