06-13-2019 09:24 AM
Username in AD > 20 characters. Login fails with "Invalid login."
Audit log shows:
2019-06-10 12:01:00 BST mytwentyonecharusrnme LOGIN_DENIED to=AdminConnector ip=10.11.12.13 info=Admin has no enabled groups apparently_via=GUI:
Long story is that a user account created with a name more than 20 characters long, in AD, has its sAMAccountName LDAP field truncated to the first twenty characters. The InfoBlox appliance will make an LDAP Bind with the username fine, but when it looks up group membership, it takes the username as a Filter on, you guessed it, sAMAccountName, so you get Zero Results for groups this user is a member of, because there is no user with sAMAccountName=mytwentyonecharusrnme
The user you want to look up groups for has the unfortunately truncated sAMAccountName=mytwentyonecharusrnm
InfoBlox lies, because it doesn't know any better. Don't suppose you could update this LDAP filter to use the 'name' field, or maybe the prefix to @ on the 'userPrincipalName'
This took me packet captures, Wireshark merges of pcap files and Apache Directory Studio to solve. Also a whole working day. Hope I can save someone else the hassle
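The mismatch described above, reproduced as an added example (not Infoblox code): a constructed directory entry whose sAMAccountName is truncated to 20 characters, a minimal equality-filter evaluator standing in for the appliance's LDAP group lookup, and a parser that flags LOGIN_DENIED audit lines where the username is longer than 20 characters. The directory values, the group name and the `example.test` UPN suffix are made up for the example.

```python
import re

SAM_MAX_LEN = 20  # AD truncates sAMAccountName to 20 characters at account creation

# Constructed sample directory entry: an account created with a 21-character name.
DIRECTORY = [
    {
        "name": "mytwentyonecharusrnme",
        "sAMAccountName": "mytwentyonecharusrnm",  # silently truncated to 20 chars
        "userPrincipalName": "mytwentyonecharusrnme@example.test",
        "memberOf": ["CN=NIOS-Admins,OU=Groups,DC=example,DC=test"],
    },
]

_FILTER_RE = re.compile(r"^\((\w+)=([^)]*)\)$")

def ldap_search(directory, ldap_filter):
    """Evaluate one equality filter such as (sAMAccountName=bob), case-insensitively."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1), m.group(2).lower()
    return [e for e in directory if e.get(attr, "").lower() == value]

def groups_for(directory, username, attr="sAMAccountName", upn_suffix="example.test"):
    """Group lookup as the post describes it: the login name is used as an equality
    filter on `attr`. With the default sAMAccountName the 21-character name matches
    nothing; filtering on `name` or on userPrincipalName (assumed login@suffix) works."""
    value = f"{username}@{upn_suffix}" if attr == "userPrincipalName" else username
    entries = ldap_search(directory, f"({attr}={value})")
    return [g for e in entries for g in e["memberOf"]]

_AUDIT_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<user>\S+) LOGIN_DENIED .*info=(?P<info>.*?) apparently_via="
)

def truncation_suspect(audit_line):
    """Return the username if a 'no enabled groups' LOGIN_DENIED line carries a
    username longer than the sAMAccountName limit, else None."""
    m = _AUDIT_RE.match(audit_line)
    if not m:
        return None
    user = m.group("user")
    if len(user) > SAM_MAX_LEN and "no enabled groups" in m.group("info"):
        return user
    return None
```

Running `truncation_suspect` over the appliance audit log is a quick way to spot other accounts hitting the same truncation before the users report "Invalid login".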
06-17-2019 08:58 AM
I cannot imagine requiring a user to enter a more than 20-character username every time they need to access some system. I'd suggest shortening the user's username.
Submit this as a bug to support as I imagine it may not be an issue that occurs that often and Infoblox may not have been asked to look into this issue.
I'm not sure why you say they lie. You're just running into a technical issue. To say someone lies usually means they intended to mislead you.
06-20-2019 01:47 AM - edited 06-20-2019 01:48 AM
> I cannot imagine requiring a user to enter a more than 20-character username every time they need to
> access some system. I'd suggest shortening the user's username.
I think that's quite presumptuous. I have worked with many customers, some of which have had quite arcane/extreme security policies. You cannot predict what daft policy a security department is going to dream up next; if that means 20+ character user names, and if the underlying authentication service supports it, then the product needs to be able to support this.
I agree, get it logged as a bug, but if Infoblox product management take the same attitude then be prepared for a long wait!
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE