
OpenEdge authentication gateway (OEAG) fails to authenticate through _oslocal if user account is stored locally in /etc/passwd


Information

Title: OpenEdge authentication gateway (OEAG) fails to authenticate through _oslocal if user account is stored locally in /etc/passwd
URL Name: openedge-authentication-gateway-oeag-fails-to-authenticate-through-oslocal-if-user-account-is-stored-locally-in-etc-passwd
Article Number: 000195919
Environment:
Product: OpenEdge
Version: All supported versions
OS: All supported Unix-like platforms
Other: OEAG
Question/Problem Description

The OpenEdge authentication gateway (OEAG) fails to authenticate through the _oslocal authentication provider when the user account is stored locally on the server, in /etc/passwd together with /etc/shadow or /etc/security/passwd.
The problem is typically reported as "OEAG cannot authenticate local user accounts" or "OEAG with _oslocal as authprovider fails to authenticate local user accounts".

Steps to Reproduce
Clarifying Information
1. The OEAG domain uses _oslocal as its authprovider.
2. The user accounts are stored locally on the server, in the OS credential files (/etc/passwd plus /etc/shadow or /etc/security/passwd).
Error Message
stsclientutil errors:
error: stsclientutil: authenticate error: error= 5 (http error) detail= 400 ()
error: stsclientutil: sts service error: error= (error_code:2)
error: stsclientutil: sts service error: error_description= (Bad Credentials)
Authentication failed. Reason = User authentication failed

Debug error details:
IN getUserGroups <username> 512
IN validate_account <username> xxxxxx NULL
IN testUserPasswordForNull <username> xxxxxx
IN validatePassword <username> xxxxxx NULL
IN isGeneratedPassword = xxxxxxxx
IN validateUserPassword <username> xxxxxx
Calling getpwnam()
Calling getspnam()
Shadow Password was NULL
Return status of validate_account = 0
Cause
This is expected behavior.
OEAG is not started as root, so it cannot read the local credential files that the _oslocal provider must consult (/etc/shadow or /etc/security/passwd). In the debug trace above, getpwnam() succeeds because /etc/passwd is world-readable, but getspnam() returns NULL because the shadow file is restricted to privileged accounts; with no password hash to compare, validate_account returns 0 and the request is rejected with "Bad Credentials".
OEAG also blocks root from starting it: the SecurityListener in server.xml is specifically configured not to run as root.
  • Starting OEAG as root therefore requires turning that listener off: 'tcman feature SecurityListener=off'
  • Otherwise, OEAG must run as a privileged account when using the _oslocal authentication provider, i.e. an account that has read access on the file system to the restricted OS credential files (/etc/shadow or /etc/security/*).
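The following small diagnostic reproduces the lookup sequence shown in the debug trace (getpwnam() followed by getspnam()) so an administrator can confirm, as the account OEAG runs under, that the failure is a file-permission problem rather than a wrong password. It is an added example for this article, not OEAG or stsclientutil code; the result codes and function names (probe_shadow_access, shadow_file_readable) are chosen for the example. Build with `cc -o oslocal_probe oslocal_probe.c` and run it once as the OEAG service account and once as root to compare.

```c
/* oslocal_probe.c: added diagnostic (not OEAG code). Mirrors the
 * getpwnam() -> getspnam() sequence in the OEAG _oslocal debug trace and
 * reports why the shadow entry came back NULL. Linux/glibc or musl. */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result codes chosen for this example (hypothetical, not OEAG's). */
enum { PROBE_NO_USER = -1, PROBE_SHADOW_UNREADABLE = 0, PROBE_SHADOW_OK = 1 };

/* Same two lookups validate_account() performs. On the unreadable path,
 * *why receives errno from getspnam(): EACCES is the unprivileged-process
 * case described in this article, ENOENT means no shadow file at all. */
int probe_shadow_access(const char *user, int *why)
{
    struct passwd *pw;
    struct spwd *sp;

    if (why) *why = 0;
    errno = 0;
    pw = getpwnam(user);                 /* "Calling getpwnam()" */
    if (pw == NULL)
        return PROBE_NO_USER;            /* /etc/passwd has no such account */

    errno = 0;
    sp = getspnam(user);                 /* "Calling getspnam()" */
    if (sp == NULL || sp->sp_pwdp == NULL) {
        if (why) *why = errno;
        return PROBE_SHADOW_UNREADABLE;  /* "Shadow Password was NULL" */
    }
    /* A real validator would now compare crypt(3)(password, sp_pwdp) with
     * sp_pwdp; that step is omitted because it is not what fails here. */
    return PROBE_SHADOW_OK;
}

/* Read check on the shadow file for the real uid of this process, which is
 * the identity a non-setuid OEAG process actually reads files with. */
int shadow_file_readable(const char *path)
{
    return access(path, R_OK) == 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    int why = 0;
    int rc = probe_shadow_access(user, &why);

    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("/etc/shadow readable by this process: %s\n",
           shadow_file_readable("/etc/shadow") ? "yes" : "no");
    switch (rc) {
    case PROBE_NO_USER:
        printf("%s: no passwd entry\n", user);
        break;
    case PROBE_SHADOW_UNREADABLE:
        printf("%s: getspnam() returned NULL (%s); _oslocal would answer "
               "Bad Credentials\n", user, why ? strerror(why) : "no errno");
        break;
    default:
        printf("%s: shadow entry readable; password check can proceed\n", user);
    }
    return 0;
}
```

When run as the unprivileged OEAG account the probe reports `getspnam() returned NULL (Permission denied)` for every valid user, which is exactly the `Shadow Password was NULL` line in the trace; when the same binary is run as root, or as an account that has been granted read access to /etc/shadow, it reports the entry as readable.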
Resolution
If local user authentication through _oslocal is needed, the credential files must be readable by the account OEAG runs as: either start OEAG as root with the SecurityListener turned off, or grant the OEAG service account read access to the restricted files. Either change lets the OEAG process read the system's password hashes, so limit it to that account and review it as you would any other privileged service.
If the files are not readable, the following do not work:
stsclientutil -cmd authenticate
4GL client connects to the DB with -U and -P

As alternatives, the following still work:
stsclientutil -cmd exchange
4GL client connects to the DB with -OSUser -domain
Last Modified Date: 6/10/2021 11:19 PM