Problem
When a user tries to log in with SAML, they get the following error message:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /usr/share/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Error authenticating using search username & password.
Backtrace:
4 /usr/share/simplesamlphp/modules/ldap/lib/ConfigHelper.php:196 (sspmod_ldap_ConfigHelper::login)
3 /usr/share/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:253 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /usr/share/simplesamlphp/www/module.php:137 (N/A)
Investigation and Solution
Check whether the password for the idp-user in /etc/idp-ldap-user.secret still matches the one stored in LDAP:
root@server:~# ldapsearch -LLL -x -ZZ -p7389 \
-h $(hostname -f) \
-D uid=sys-idp-user,cn=users,$(ucr get ldap/base) \
-w $(cat /etc/idp-ldap-user.secret) uid=sys-idp-user uid
ldap_bind: Invalid credentials (49)
As we can see, the bind fails with LDAP result 49 (invalid credentials), so the password for the idp-user needs to be rewritten into LDAP so it is the same as in the password file /etc/idp-ldap-user.secret:
root@server:~# udm users/ldap modify \
--set password=$(cat /etc/idp-ldap-user.secret) \
--set overridePWHistory=1 \
--set overridePWLength=1 \
--dn uid=sys-idp-user,cn=users,$(ucr get ldap/base)
Object modified: uid=sys-idp-user,cn=users,dc=paedml-linux,dc=lokal
Now check again whether the idp-user is able to log in:
root@server:~# ldapsearch -LLL -x -ZZ -p7389 \
-h $(hostname -f) \
-D uid=sys-idp-user,cn=users,$(ucr get ldap/base) \
-w $(cat /etc/idp-ldap-user.secret) uid=sys-idp-user uid
dn: uid=sys-idp-user,cn=users,dc=paedml-linux,dc=lokal
uid: sys-idp-user
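The check-and-repair steps above combined into one script, as an added example that is not part of the original article. It assumes the same host, port, account and secret file as the article, and it only rewrites the password when the bind fails with LDAP result 49 (invalid credentials), so a TLS or connectivity error is not mistaken for a password mismatch.

```shell
#!/bin/bash
# Added example, not from the original article: verify the IdP search user's
# LDAP bind and re-sync its password from the secret file only when the bind
# fails with LDAP result 49 (invalid credentials); other failures are reported.
set -u

SECRET_FILE=/etc/idp-ldap-user.secret   # secret file named in the article
IDP_UID=sys-idp-user                     # account named in the article
LDAP_PORT=7389                           # port used in the article

# Map ldapsearch's exit status to an action: "ok", "resync" or "abort".
# Kept as a separate function so the decision can be tested without LDAP.
decide_action() {
    case "$1" in
        0)  echo ok ;;      # bind succeeded: password already in sync
        49) echo resync ;;  # invalidCredentials: password drifted
        *)  echo abort ;;   # anything else is not a password problem
    esac
}

# Bind as the IdP user with the password from the secret file (the article's
# ldapsearch call, quoted so special characters in the password survive).
check_bind() {
    ldapsearch -LLL -x -ZZ -p "$LDAP_PORT" -h "$(hostname -f)" \
        -D "uid=$IDP_UID,cn=users,$(ucr get ldap/base)" \
        -w "$(cat "$SECRET_FILE")" "uid=$IDP_UID" uid >/dev/null 2>&1
}

# Write the secret-file password back into LDAP (the article's udm call).
resync_password() {
    udm users/ldap modify \
        --set "password=$(cat "$SECRET_FILE")" \
        --set overridePWHistory=1 \
        --set overridePWLength=1 \
        --dn "uid=$IDP_UID,cn=users,$(ucr get ldap/base)"
}

main() {
    check_bind; rc=$?
    case "$(decide_action "$rc")" in
        ok)     echo "bind OK: password already in sync" ;;
        resync) echo "invalid credentials: re-syncing password from $SECRET_FILE"
                resync_password && check_bind && echo "bind OK after re-sync" ;;
        abort)  echo "bind failed with status $rc (not a credential error), leaving password untouched" >&2
                return 1 ;;
    esac
}

# Run with "--run"; without it the file only defines the functions.
if [ "${1-}" = "--run" ]; then main; fi
```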