Troubleshooting Tridion Access Management
This section explains ways to resolve problems with Tridion Access Management and applications secured through it.
More than one matching user found for LDAP
With LDAP authentication, it is possible for a user to have multiple entries in the Directory Service, each under a different Distinguished Name (DN). When using an LDAP identity provider (IdP) with Access Management, this situation generates the following error message for the user when they try to log in to the secured application:
|Error|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|
An unhandled exception has occurred while executing the request.
Tridion.AccessManagement.IdentityProviders.Exceptions.MultipleLdapEntryException:
More than one matching user found. Please contact a System Administrator.
When a user gets this error, check the log files for the following warning message, which lists the DNs that matched the user query:
Tridion.AccessManagement.IdentityProviders.Ldap.LdapService|
Following DNs were matched running query 'uid=bbunny':
uid=BBunny,OU=Rabbits,OU=People,O=tridion,
uid=BBunny,CN=Child2,CN=Child1,OU=NevisTest,OU=People,O=tridion,
uid=BBunny,CN=Child1,OU=NevisTest,OU=People,O=tridion
Tridion.AccessManagement.IdentityProviders.Exceptions.MultipleLdapEntryException:
More than one matching user found. Please contact a System Administrator.
To fix this issue, do one of the following:
- Clean up the LDAP Directory Service so that each user has a single entry.
- Update the user filter criteria in your Access Management settings for the LDAP IdP so that the query matches only one entry per user.
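As an added example (not Access Management or Tridion code), the following Python models the LDAP lookup in memory so you can check whether a search base and filter identify exactly one user before changing the IdP settings. The directory entries are constructed from the DNs in the warning above; the matching rules (subtree scope, case-insensitive attribute values) are a simplified stand-in for a real LDAP server, and the `mail` attribute that distinguishes the duplicates is an assumption. Narrowing the search base is shown next to the filter change for comparison; which of the two your Access Management LDAP settings expose is not stated on this page.

```python
# Added example (not Access Management or Tridion code): an in-memory model
# of the LDAP user lookup, used to test whether a given search base and
# filter match exactly one entry. Entries are constructed from the DNs in
# the warning message above; matching is a simplified stand-in for LDAP.
import re

# Constructed directory: the three BBunny entries from the log plus one
# unrelated user. The 'mail' values are assumed; they are the only attribute
# that distinguishes the duplicates in this model.
DIRECTORY = [
    ("uid=BBunny,OU=Rabbits,OU=People,O=tridion",
     {"uid": "BBunny", "objectClass": "inetOrgPerson", "mail": "bbunny@example.test"}),
    ("uid=BBunny,CN=Child2,CN=Child1,OU=NevisTest,OU=People,O=tridion",
     {"uid": "BBunny", "objectClass": "inetOrgPerson"}),
    ("uid=BBunny,CN=Child1,OU=NevisTest,OU=People,O=tridion",
     {"uid": "BBunny", "objectClass": "inetOrgPerson"}),
    ("uid=DDuck,OU=Ducks,OU=People,O=tridion",
     {"uid": "DDuck", "objectClass": "inetOrgPerson", "mail": "dduck@example.test"}),
]


def in_subtree(dn, base):
    """Subtree scope: the entry is the base itself or lies beneath it."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def search(base, filter_attrs):
    """Return the DNs under `base` whose attributes equal every (attr, value)
    pair in `filter_attrs`; values compare case-insensitively, as uid does."""
    hits = []
    for dn, attrs in DIRECTORY:
        if not in_subtree(dn, base):
            continue
        if all(attrs.get(a, "").lower() == v.lower() for a, v in filter_attrs.items()):
            hits.append(dn)
    return hits


def resolve_user(base, filter_attrs):
    """One hit identifies the user; several hits reproduce the
    'More than one matching user found' condition from the log above."""
    hits = search(base, filter_attrs)
    if len(hits) > 1:
        raise LookupError("More than one matching user found: " + "; ".join(hits))
    return hits[0] if hits else None


# A DN line in the warning starts with 'attribute=value'; message lines do not.
DN_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+")


def dns_from_warning(log_text):
    """Extract the matched DNs from the LdapService warning text so the
    duplicates can be handed to whoever maintains the directory."""
    return [line.strip().rstrip(",")
            for line in log_text.splitlines() if DN_LINE.match(line.strip())]


# Constructed copy of the warning shown above, used as parser input.
WARNING_TEXT = """Tridion.AccessManagement.IdentityProviders.Ldap.LdapService|
Following DNs were matched running query 'uid=bbunny':
uid=BBunny,OU=Rabbits,OU=People,O=tridion,
uid=BBunny,CN=Child2,CN=Child1,OU=NevisTest,OU=People,O=tridion,
uid=BBunny,CN=Child1,OU=NevisTest,OU=People,O=tridion
Tridion.AccessManagement.IdentityProviders.Exceptions.MultipleLdapEntryException:
More than one matching user found. Please contact a System Administrator."""


if __name__ == "__main__":
    print("duplicates in log:", dns_from_warning(WARNING_TEXT))
    print("broad query hits :", len(search("O=tridion", {"uid": "bbunny"})))
    # Two remedies matching the options listed above: narrow where the
    # lookup runs, or add a filter attribute that is unique per user.
    print("narrow base      :", resolve_user("OU=Rabbits,OU=People,O=tridion", {"uid": "bbunny"}))
    print("extra attribute  :", resolve_user("O=tridion", {"uid": "bbunny", "mail": "bbunny@example.test"}))
```

Running the script prints the three duplicate DNs pulled from the warning text, shows that the broad `uid=bbunny` query returns three hits, and shows that either remedy reduces that to one. The `uid` comparison is case-insensitive on purpose: the log above shows the query `uid=bbunny` matching entries whose RDN is `uid=BBunny`, so a filter that relies on letter case alone will not make the match unique.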
Firewall blocks Access Management
Some firewall applications include configurable rules for the following types of security exploits which, when enabled, block Access Management:
- User agent header rules block requests that do not include a User-Agent header. This rule is not security related; it is typically used for statistical analysis, such as tracking which browsers and clients use a certain web service.
- Local File Inclusion (LFI) rules inspect query arguments for LFI exploits, such as path traversal attempts (for example, ../../).
- Remote File Inclusion (RFI) rules inspect the values of query parameters and block requests that they interpret as RFI exploits (patterns such as ://).
One firewall application that has such rules is the AWS firewall (AWS WAF), which enables these rules by default.
When using a firewall that has any of these rules, disable them in the firewall application for Access Management. Disabling these checks has no impact on the security of Access Management: in the case of the LFI and RFI rules, the URLs that Access Management passes are used for redirection purposes only, so the Access Management application itself is not vulnerable to LFI and RFI exploits.
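As an added example (not Tridion's or AWS's code), the following Python models the three rule triggers as this page describes them, applies rule overrides the way an AWS WAFv2 web ACL does, and builds the `RuleActionOverrides` fragment that changes those rules from Block to Count for the managed rule group. The rule names are those of the AWS managed rule group `AWSManagedRulesCommonRuleSet`; the trigger predicates are simplified approximations of what the managed rules inspect, not their real logic, and the sample requests (host name, paths, parameters) are constructed rather than Access Management's actual endpoints.

```python
# Added example (not Tridion or AWS code): a simplified model of the three
# AWS WAF rule triggers described above, a decision function that applies
# RuleActionOverrides the way a WAFv2 web ACL does, and the JSON fragment
# that turns those rules from Block into Count in the managed rule group.
# Rule names are from AWSManagedRulesCommonRuleSet; the predicates are
# rough approximations of the managed rules, not their real logic.
import json
from urllib.parse import parse_qsl, urlsplit


def query_values(req):
    """Decoded query-argument values, which the *_QUERYARGUMENTS rules inspect."""
    return [v for _, v in parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)]


def has_user_agent(req):
    return any(name.lower() == "user-agent" for name in req["headers"])


# Simplified triggers for the rules named in the managed rule group.
RULES = {
    "NoUserAgent_HEADER": lambda req: not has_user_agent(req),
    "GenericLFI_QUERYARGUMENTS": lambda req: any("../" in v for v in query_values(req)),
    "GenericRFI_QUERYARGUMENTS": lambda req: any("://" in v for v in query_values(req)),
}

# The three rules this page says to disable for Access Management.
ACCESS_MANAGEMENT_OVERRIDES = (
    "NoUserAgent_HEADER",
    "GenericLFI_QUERYARGUMENTS",
    "GenericRFI_QUERYARGUMENTS",
)


def matched_rules(req):
    return [name for name, trigger in RULES.items() if trigger(req)]


def decide(req, overrides=()):
    """Return (action, matched rules). A matching rule blocks unless it has
    been overridden to Count, in which case it is only recorded in metrics."""
    hits = matched_rules(req)
    if any(h not in overrides for h in hits):
        return "BLOCK", hits
    return ("COUNT" if hits else "ALLOW"), hits


def managed_rule_statement(rule_names):
    """ManagedRuleGroupStatement with RuleActionOverrides, as used inside a
    WAFv2 web ACL rule, setting each named rule's action to Count."""
    return {
        "ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "RuleActionOverrides": [
                {"Name": n, "ActionToUse": {"Count": {}}} for n in rule_names
            ],
        }
    }


# Constructed requests (hypothetical host, paths and parameters): an OpenID
# Connect style redirect whose redirect_uri value contains '://', a
# back-channel call sent without a User-Agent header, and a plain page load.
SAMPLE_REQUESTS = {
    "oidc_redirect": {
        "url": "https://am.example.test/authorize?client_id=cm"
               "&redirect_uri=https%3A%2F%2Fcm.example.test%2Fsignin-oidc&response_type=code",
        "headers": {"User-Agent": "Mozilla/5.0"},
    },
    "backchannel_no_ua": {
        "url": "https://am.example.test/.well-known/openid-configuration",
        "headers": {},
    },
    "plain_page": {
        "url": "https://am.example.test/",
        "headers": {"User-Agent": "Mozilla/5.0"},
    },
}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18} default={decide(req)[0]:5} "
              f"with overrides={decide(req, ACCESS_MANAGEMENT_OVERRIDES)[0]}")
    print(json.dumps(managed_rule_statement(ACCESS_MANAGEMENT_OVERRIDES), indent=2))
```

Running the script shows that the redirect request is blocked by the RFI rule with the default actions and only counted once the override is in place, while the ordinary page load is allowed either way. Setting the action to Count rather than removing the rule keeps the matches visible in the web ACL's metrics and sampled requests, which is the detection view worth keeping; if the same web ACL also fronts other applications, a `ScopeDownStatement` on the managed rule group statement can confine the override to the Access Management host or paths so the rules keep blocking elsewhere.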