Problem with locked Account in Active Directory

Hello,

I have a problem authenticating users against Active Directory. We use LDAP to connect to Active Directory and the otppin is set to userstore. Normally everything works fine and as expected. Only if the user provides a wrong password, the account gets locked very fast because privacyIDEA tries to connect two times to AD.

In the log:

[2020-04-02 13:35:08,098][55246][140400622737152][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:354] failed to check password for u'beceef53-46e8-4df3-b606-cb949458dcf7'/u'CN=Test User,OU=Test,OU=Accounts,OU=DUS,DC=CF,DC=de': Exception('Wrong credentials',)
[2020-04-02 13:35:08,107][55246][140400622737152][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:354] failed to check password for u'beceef53-46e8-4df3-b606-cb949458dcf7'/u'CN=Test User,OU=Test,OU=Accounts,OU=DUS,DC=CF,DC=de': LDAPPasswordIsMandatoryError('password is mandatory in simple bind',)

Can someone help?

My Version of privacyIDEA is 3.2.2.

Regards,
Markus

Hello @cuf
welcome to the community. I am looking forward to you becoming a helpful member of the community.

This very much depends on your settings and setup.
Often RADIUS is a beast, since it does round robin and retries. Retries can be evil - like locking the account quickly.

Hi @cornelinux,

thank you for your quick answer. What I can't understand is why the error on the first attempt is
('Wrong credentials',)
and on the second
LDAPPasswordIsMandatoryError('password is mandatory in simple bind',)

Sounds like there are two tries with LDAP.

Regards,
Markus

This is all wild guessing here, since we do not know anything about your setup.

If the user had two tokens, like one HOTP token and one SPASS token, and if the user typed in 123456,

Then privacyIDEA would check

  1. SPASS token -> PIN=123456, OTP=None
    -> auth against AD with 123456 => Fail

  2. HOTP token -> PIN=None, OTP=123456
    -> auth against AD with None => password is mandatory.

But as I said, this is wild guessing.
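The two-token scenario sketched above, as an added simulation (not privacyIDEA's own code and not its real PIN/OTP splitting logic): each token type splits the typed value into PIN and OTP differently, the PIN is checked against the user store once per token, and a fake AD resolver counts how many rejected binds actually reached it. The `FakeADResolver` class, the HOTP OTP length of 6, the lockout threshold of 3 and the token order are all assumptions made for this example; the empty-PIN case is treated as the second log line suggests, refused before any bind is sent, so only the SPASS attempt consumes a lockout try. Running it shows the figure a defender wants when comparing against the AD lockout threshold: how many real failed binds one wrong user entry produces.

```python
# Added example, not privacyIDEA code: simulate PIN/OTP splitting per token
# type and count the simple binds a wrong entry causes against a user store.

HOTP_OTP_LENGTH = 6     # assumed OTP length of the HOTP token
LOCKOUT_THRESHOLD = 3   # assumed AD "account lockout threshold"


class WrongCredentials(Exception):
    """The bind reached the user store and was rejected (counts for lockout)."""


class LDAPPasswordIsMandatoryError(Exception):
    """Empty password: the simple bind is refused locally, nothing reaches AD."""


class FakeADResolver:
    """Stand-in for an LDAP/AD user store with a lockout counter (assumed)."""

    def __init__(self, real_password, threshold=LOCKOUT_THRESHOLD):
        self.real_password = real_password
        self.threshold = threshold
        self.failed_binds = 0   # rejected binds that actually reached "AD"
        self.locked = False

    def check_password(self, password):
        # An empty PIN never becomes a bind request (assumption matching the
        # 'password is mandatory in simple bind' error in the thread).
        if not password:
            raise LDAPPasswordIsMandatoryError(
                "password is mandatory in simple bind")
        if self.locked:
            raise WrongCredentials("account is locked")
        if password != self.real_password:
            self.failed_binds += 1
            self.locked = self.failed_binds >= self.threshold
            raise WrongCredentials("Wrong credentials")
        return True


def split_pin_otp(token_type, entry):
    """Split the typed value into (pin, otp) as described in the thread:
    SPASS treats everything as PIN, HOTP treats the trailing digits as OTP."""
    if token_type == "spass":
        return entry, None
    if token_type == "hotp":
        pin = entry[:-HOTP_OTP_LENGTH] or None
        return pin, entry[-HOTP_OTP_LENGTH:]
    raise ValueError(f"unknown token type {token_type!r}")


def authenticate(token_types, entry, resolver):
    """Check the PIN against the user store once per token and record
    (token_type, pin, otp, error) for every attempt; error is None on success."""
    attempts = []
    for token_type in token_types:
        pin, otp = split_pin_otp(token_type, entry)
        try:
            resolver.check_password(pin)
            error = None
        except (WrongCredentials, LDAPPasswordIsMandatoryError) as exc:
            error = str(exc)
        attempts.append((token_type, pin, otp, error))
    return attempts


if __name__ == "__main__":
    ad = FakeADResolver(real_password="Correct-Horse")   # constructed value
    for token_type, pin, otp, error in authenticate(["spass", "hotp"], "123456", ad):
        print(f"{token_type:5} PIN={pin!r:10} OTP={otp!r:10} -> {error or 'OK'}")
    print(f"failed binds that reached AD: {ad.failed_binds}, locked: {ad.locked}")
```

With the typed value `123456`, the SPASS token turns the whole entry into a PIN and produces one rejected bind, while the HOTP token has an empty PIN and fails locally without touching the user store, which is exactly the pair of errors in the log. The `failed_binds` counter is what to line up against the real lockout threshold when a user holds several tokens.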