Summary
Some users are intermittently unable to log in to the EUQ and receive invalid credentials error messages. After several attempts, the same user may be able to log in.
The following messages show up in the imssuieuq debug logs (located under /opt/trend/imss/log/) for the failed login attempts:
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]User test_user login
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DEBUG]UserDAO::loginName2UserName base dn=DC=mydomain,DC=local, login name=test_user
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]UserDAO::loginName2UserName domain=, account=test_user
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DEBUG]UserDAO::getAllUserNameByAccount account=test_user
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]filter: (&(|(objectClass=user)(objectCategory=person))(sAMAccountName=test_user)), attribute name:userPrincipalName
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DEBUG]TmLDAPConnection::search Base DN: DC=mydomain,DC=local, scope: 2, filter: (&(|(objectClass=user)(objectCategory=person))(sAMAccountName=test_user)), connection state:5
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]Can't get user name from login name test_user
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]User test_user ldap authentication failed.
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DETAIL]LDAP authentication test_user failed, unknown error.
You have an Active Directory (AD) environment with multiple Organizational Units (OUs) separated by Access Control Lists.
This issue occurs because IMSVA binds to the LDAP server as different users and re-uses those bindings to perform LDAP searches. For example, after a user logs in to the EUQ successfully, IMSVA may re-use that user's binding to search for the next user who tries to log in to the EUQ. If the user who performed the binding does not have access rights to the OU of the new user, the LDAP server returns no results and the authentication fails.
To solve this issue, install IMSVA 9.1 Hotfix Build 2081. With this hotfix, the IMSVA LDAP connection will be disconnected after authentication, and a new LDAP connection will be established for the next user.
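To check how often this pattern occurs before and after the hotfix, the added example below (not Trend Micro code) scans imssuieuq debug log lines for the sequence shown in the excerpt: an LDAP search followed, under the same bracketed identifier, by "Can't get user name from login name". It assumes the line layout of the excerpt and that the bracketed pair identifies one handling context; the last three sample lines and the name other_user are constructed.

```python
import re
from collections import Counter

# Layout taken from the excerpt: "<date> <time> <zone> [id:id] [LEVEL]message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ \[(\d+:\d+)\] \[([A-Z]+)\](.*)$")
SEARCH_RE = re.compile(r"TmLDAPConnection::search Base DN: (.+?), scope: \d+, filter: (.+), connection state:")
NO_RESULT_RE = re.compile(r"Can't get user name from login name (\S+)")

def find_lookup_failures(lines):
    """Return one event per login whose LDAP search ran but resolved no user."""
    last_search = {}  # bracketed identifier -> (base DN, filter) of its latest search
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the assumed layout
        ts, ctx, _level, msg = m.groups()
        s = SEARCH_RE.search(msg)
        if s:
            last_search[ctx] = s.groups()
            continue
        f = NO_RESULT_RE.search(msg)
        if f and ctx in last_search:
            base_dn, ldap_filter = last_search.pop(ctx)
            events.append({"time": ts, "ctx": ctx, "user": f.group(1),
                           "base_dn": base_dn, "filter": ldap_filter})
    return events

def failures_per_user(events):
    """Count events per login name; repeats for one user suggest the intermittent issue."""
    return Counter(e["user"] for e in events)

# Sample input: the first three lines come from the excerpt; the last three are constructed.
SAMPLE = """\
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DEBUG]TmLDAPConnection::search Base DN: DC=mydomain,DC=local, scope: 2, filter: (&(|(objectClass=user)(objectCategory=person))(sAMAccountName=test_user)), connection state:5
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]Can't get user name from login name test_user
2021/06/04 10:06:35 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]User test_user ldap authentication failed.
2021/06/04 10:07:02 GMT+02:00 [23814:2658048881] [DEBUG]TmLDAPConnection::search Base DN: DC=mydomain,DC=local, scope: 2, filter: (&(|(objectClass=user)(objectCategory=person))(sAMAccountName=other_user)), connection state:5
2021/06/04 10:07:10 GMT+02:00 [23814:2658048880] [DEBUG]TmLDAPConnection::search Base DN: DC=mydomain,DC=local, scope: 2, filter: (&(|(objectClass=user)(objectCategory=person))(sAMAccountName=test_user)), connection state:5
2021/06/04 10:07:10 GMT+02:00 [23814:2658048880] [DIAGNOSTIC]Can't get user name from login name test_user
""".splitlines()

if __name__ == "__main__":
    for e in find_lookup_failures(SAMPLE):
        print(e["time"], e["user"], "no result under", e["base_dn"])
    print(dict(failures_per_user(find_lookup_failures(SAMPLE))))
```

A login name that appears here repeatedly and also logs in successfully in between matches the intermittent behaviour described in the summary.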