Why does Ldap login time out when MFA verification is implemented on IDP?

Paul Pan
2023-01-22 11:08

Subject

Ldap login timed out when MFA verification is implemented on IDP

Description

When Multi-Factor Authentication (MFA) verification is implemented on the LDAP IDP, the LDAP login times out with the message “invalid username or password” if the user does not complete their MFA verification in time. By default, they may only have a few seconds to do this.

This happens because, when a login is triggered, Artifactory first tries to authenticate against the LDAP server. The LDAP server receives the request but does not return a response until the MFA verification has completed. Since the MFA step is implemented on the IDP, Artifactory cannot tell the difference between a slow MFA prompt and an unreachable server. The LDAP request therefore times out, Artifactory concludes that LDAP is not reachable and falls back to authenticating the user against its internal realm, which produces the “invalid username or password” error.

Resolution

To resolve this issue, Artifactory needs a longer timeout when waiting for the LDAP response. This can be changed by editing the file "artifactory.system.properties" under the $ARTIFACTORY_HOME/etc/ folder and adding the property below:

artifactory.security.ldap.connect.timeoutMillis=10000 (the default value is 10000 ms, i.e. 10 seconds)

Increase this to a reasonable value so that users have enough time to complete their MFA verification. This change requires a restart of the Artifactory server to take effect.
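As an added example (not JFrog's own tooling), the following POSIX sh helper sets the property described above idempotently: it replaces an existing artifactory.security.ldap.connect.timeoutMillis line or appends one, rejects non-numeric values, and refuses values below the 10000 ms default so the change can only lengthen the wait. The 60000 ms value in the usage comment is a constructed choice, and the helper assumes $ARTIFACTORY_HOME is set.

```sh
#!/bin/sh
# Added example, not part of the JFrog article or product.
# Idempotently sets artifactory.security.ldap.connect.timeoutMillis in
# artifactory.system.properties. Assumes ARTIFACTORY_HOME is set by the caller.
set -eu

KEY="artifactory.security.ldap.connect.timeoutMillis"
DEFAULT_MS=10000   # Artifactory's default LDAP connect timeout (10 s)

# set_ldap_timeout FILE MILLIS
# Replaces the key if present, otherwise appends it. Rejects values that are
# not integers or that are shorter than the default, since the goal is to give
# users *more* time to complete the MFA prompt on the IDP.
set_ldap_timeout() {
  file="$1"; millis="$2"
  case "$millis" in
    ''|*[!0-9]*) echo "timeout must be an integer number of milliseconds" >&2; return 1 ;;
  esac
  [ "$millis" -ge "$DEFAULT_MS" ] || { echo "timeout below the ${DEFAULT_MS} ms default" >&2; return 1; }
  touch "$file"
  if grep -q "^${KEY}=" "$file"; then
    # sed -i differs between GNU and BSD; write to a temp file and move it in place
    sed "s/^${KEY}=.*/${KEY}=${millis}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$KEY" "$millis" >> "$file"
  fi
}

# get_ldap_timeout FILE
# Prints the configured value, or the default when the key is absent.
get_ldap_timeout() {
  v=$(grep "^${KEY}=" "$1" 2>/dev/null | tail -n1 | cut -d= -f2)
  echo "${v:-$DEFAULT_MS}"
}

# Usage against the real file (constructed value; restart Artifactory afterwards):
#   set_ldap_timeout "$ARTIFACTORY_HOME/etc/artifactory.system.properties" 60000
```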