[midPoint] Active Directory - Flexible Authentication

Gus Lou gugalou38 at gmail.com
Tue Oct 6 01:16:29 CEST 2020


Hi Lukas

I made the changes suggested by you, but something is still wrong. After the
changes I lost the dashboard console, I cannot log in to the interface, I receive
"Internal Server Error 500".


Here is my new Flexible Auth Config:

<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
    xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
    xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
    oid="00000000-0000-0000-0000-000000000120" version="1">
    <name>Default Security Policy</name>
    <authentication>
        <modules>
            <loginForm id="1">
                <name>internalLoginForm</name>
                <description>Internal username/password authentication,
default user password, login form</description>
            </loginForm>
            <ldap id="23">
                <name>ldapAuth</name>
                <host>ldaps://10.0.0.4:636/dc=xyz,dc=net</host>
                <userDn>CN=svc_midpoint,OU=Service,OU=Users,OU=CompanyA,OU=Holding,DC=xyz,DC=net</userDn>
                <userPassword>
                    <t:cipherValue>XXXXX</t:cipherValue>
                </userPassword>
                <search>
                    <pattern>(sAMAccountName={0})</pattern>
                    <namingAttr>sAMAccountName</namingAttr>
                    <subtree>true</subtree>
                </search>
            </ldap>
        </modules>
        <sequence id="1">
            <name>admin-gui-default</name>
            <description>
                Default GUI authentication sequence.
                We want to try company SSO, federation and internal. In
that order.
                Just one of them needs to be successful to let the user in.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
                <default>true</default>
                <urlSuffix>default</urlSuffix>
            </channel>

            <module id="5">
                <name>ldapAuth</name>
                <order>20</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <sequence id="2">
            <name>admin-gui-emergency</name>
            <description>
                Special GUI authentication sequence that is using just the
internal user password.
                It is used only in emergency. It allows to skip SAML
authentication cycles, e.g. in case
                that the SAML authentication is redirecting the browser
incorrectly.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
                <default>false</default>
                <urlSuffix>emergency</urlSuffix>
            </channel>
            <requireAssignmentTarget
oid="00000000-0000-0000-0000-000000000004" relation="org:default"
type="c:RoleType">
                <!-- Superuser -->
            </requireAssignmentTarget>
            <module id="6">
                <name>internalLoginForm</name>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <sequence id="7">
            <name>actuator</name>
            <description>
                Authentication sequence for actuator.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator</channelId>
                <default>true</default>
                <urlSuffix>actuator-default</urlSuffix>
            </channel>
            <module id="8">
                <name>internalBasic</name>
                <order>10</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <ignoredLocalPath>/actuator</ignoredLocalPath>
        <ignoredLocalPath>/actuator/health</ignoredLocalPath>
    </authentication>
    <credentials>
        <password>
            <minOccurs>0</minOccurs>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                oid="00000000-0000-0000-0000-000000000003" relation="org:default"
                type="tns:ValuePolicyType">
                <!-- Default Password Policy -->
            </valuePolicyRef>
        </password>
    </credentials>
</securityPolicy>

Regards
Gus

On Thu, 17 Sep 2020 at 07:33, Gus Lou <gugalou38 at gmail.com> wrote:

> Hi Lukas
> Thank you very much
> I will make this change and report the results here.
> Regards
> Gus
>
>
> On Thu, 17 Sep 2020 at 02:36, Lukas Skublik via midPoint <midpoint at lists.evolveum.com> wrote:
>
>> Hello Gus,
>> when you want to use only the ldap module, you need to remove module
>> 'internalLoginForm' from sequence 'admin-gui-default'. Or when you want to use
>> both, then change the order for one module. The same order is supported only for
>> httpModules and for channels of rest and actuator.
>>
>> Best regards,
>> Lukas Skublik
>>
>> On 15. 9. 2020 2:48, Gus Lou via midPoint wrote:
>>
>> Hi Guys
>> Has anyone successfully used the Flexible Authentication option with
>> Active Directory?
>> I did the configuration following the wiki guidelines:
>>
>> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>> I created a test user in Active Directory and the same user in MP and
>> granted the End User role.
>> After the settings I tried to authenticate to midPoint with the test
>> user, but I get an error message on the interface: Invalid username and/or
>> password.
>> I have already verified the test user's credentials and they are correct,
>> as well as the credentials to bind to Active Directory.
>>
>> *My Flexible Authentication Config:*
>> <ldap id="23">
>>                 <name>ldapAuth</name>
>>                 <host>ldap://192.168.0.32:636</host>
>>                 <userDn>CN=svc_midpoint,OU=Users_SVC,DC=xyz,DC=net</userDn>
>>                 <userPassword>
>>                     <t:encryptedData>
>>                         <t:encryptionMethod>
>>                             <t:algorithm>
>> http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
>>                         </t:encryptionMethod>
>>                         <t:keyInfo>
>>                             <t:keyName>XXXXXXXXXXXXXXXXXXXXXXXXXXX</t:keyName>
>>                         </t:keyInfo>
>>                         <t:cipherData>
>>                             <t:cipherValue>XXXXXXXXXXXXXXXXXXXXXXXXXX</t:cipherValue>
>>                         </t:cipherData>
>>                     </t:encryptedData>
>>                 </userPassword>
>>             </ldap>
>>
>> *Sequence*
>> <sequence id="1">
>>             <name>admin-gui-default</name>
>>             <description>
>>                 Default GUI authentication sequence.
>>                 We want to try company SSO, federation and internal. In
>> that order.
>>                 Just one of them needs to be successful to let the user in.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>default</urlSuffix>
>>             </channel>
>>             <module id="4">
>>                 <name>internalLoginForm</name>
>>                 <order>20</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>             <module id="5">
>>                 <name>ldapAuth</name>
>>                 <order>20</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>
>> *My Midpoint.log*
>> 2020-09-15 00:27:26,175 [MODEL] [http-nio-127.0.0.1-8080-exec-1] INFO (com.evolveum.midpoint.web.security.provider.PasswordProvider): Authentication failed for test.user: web.security.provider.invalid
>> 2020-09-15 00:27:26,175 [MODEL] [http-nio-127.0.0.1-8080-exec-1] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: web.security.provider.invalid
>> org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: web.security.provider.invalid
>>         at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.checkCredentials(AuthenticationEvaluatorImpl.java:191)
>>         at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticate(AuthenticationEvaluatorImpl.java:107)
>>         at com.evolveum.midpoint.web.security.provider.PasswordProvider.internalAuthentication(PasswordProvider.java:70)
>>         at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:87)
>>         at com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)
>>         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:200)
>>         at com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter.attemptAuthentication(MidpointUsernamePasswordAuthenticationFilter.java:71)
>>         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
>>         at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:289)
>>         at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
>>         at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:289)
>>         at com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter.doFilterInternal(RedirectForLoginPagesWithAuthenticationFilter.java:39)
>>
>> Regards
>>
>> Gus
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
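An added check, not code from this thread or from midPoint itself, that applies the rule Lukas states in his reply (two modules in one sequence may share an <order> only for the rest and actuator channels) to a securityPolicy document and also flags sequence modules that reference no defined module; the embedded sample is constructed to reproduce the first config Gus posted (two modules with order 20 in the #user channel sequence).

```python
import xml.etree.ElementTree as ET

NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
SAME_ORDER_OK = {"rest", "actuator"}  # channelId fragments named in the reply


def _q(tag):
    return "{%s}%s" % (NS, tag)


def check_security_policy(xml_text):
    """Return findings (empty list = sequences consistent with the stated rule)."""
    auth = ET.fromstring(xml_text).find(_q("authentication"))
    if auth is None:
        return ["no <authentication> element"]
    modules = auth.find(_q("modules"))
    defined = {(m.findtext(_q("name")) or "").strip()
               for m in (modules if modules is not None else [])}
    findings = []
    for seq in auth.findall(_q("sequence")):
        seq_name = (seq.findtext(_q("name")) or "?").strip()
        channel = (seq.findtext(_q("channel") + "/" + _q("channelId")) or "").strip()
        lenient = channel.rsplit("#", 1)[-1] in SAME_ORDER_OK
        seen = {}  # order -> first module name using it
        for mod in seq.findall(_q("module")):
            name = (mod.findtext(_q("name")) or "").strip()
            order = (mod.findtext(_q("order")) or "").strip()
            if name not in defined:
                findings.append("sequence %r references undefined module %r" % (seq_name, name))
            if order in seen and not lenient:
                findings.append("sequence %r: modules %r and %r share order %s"
                                % (seq_name, seen[order], name, order))
            seen.setdefault(order, name)
    return findings


# Constructed sample reproducing the first config in the thread: two modules
# with order 20 in the GUI (#user channel) sequence.
SAMPLE = """<securityPolicy xmlns="%s"><authentication>
 <modules>
  <loginForm id="1"><name>internalLoginForm</name></loginForm>
  <ldap id="23"><name>ldapAuth</name></ldap>
 </modules>
 <sequence id="1"><name>admin-gui-default</name>
  <channel><channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId></channel>
  <module id="4"><name>internalLoginForm</name><order>20</order></module>
  <module id="5"><name>ldapAuth</name><order>20</order></module>
 </sequence>
</authentication></securityPolicy>""" % NS
```

Running `check_security_policy` over the full policy text posted above reports the duplicated order for the #user sequence and returns nothing for the actuator sequence, where the same order is allowed.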