[midPoint] Active Directory - Flexible Authentication

Lukas Skublik lukas.skublik at evolveum.com
Thu Sep 17 07:36:44 CEST 2020


Hello Gus,
When you want to use only the ldap module, you need to remove the module 
'internalLoginForm' from the sequence 'admin-gui-default'. Or, when you want 
to use both, change the order for one module. The same order is supported only 
for httpModules and for the channels of rest and actuator.

Best regards,
Lukas Skublik

On 15. 9. 2020 2:48, Gus Lou via midPoint wrote:
> Hi Guys
> Has anyone successfully used the Flexible Authentication option with 
> Active Directory?
> I did the configuration following the wiki guidelines:
> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
> I created a test user in Active Directory and the same user in MP and 
> granted the End User role.
> After the settings I tried to authenticate to midPoint with the 
> test user, but I get an error message on the interface: Invalid 
> username and/or password.
> I have already verified the test user's credentials and they are 
> correct, as well as the credentials to bind to Active Directory.
>
> *My Flexible Authentication Config:*
> <ldap id="23">
>   <name>ldapAuth</name>
>   <host>ldap://192.168.0.32:636</host>
>   <userDn>CN=svc_midpoint,OU=Users_SVC,DC=xyz,DC=net</userDn>
>   <userPassword>
>     <t:encryptedData>
>       <t:encryptionMethod>
>         <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
>       </t:encryptionMethod>
>       <t:keyInfo>
>         <t:keyName>XXXXXXXXXXXXXXXXXXXXXXXXXXX</t:keyName>
>       </t:keyInfo>
>       <t:cipherData>
>         <t:cipherValue>XXXXXXXXXXXXXXXXXXXXXXXXXX</t:cipherValue>
>       </t:cipherData>
>     </t:encryptedData>
>   </userPassword>
> </ldap>
>
> *Sequence*
> <sequence id="1">
>   <name>admin-gui-default</name>
>   <description>
>     Default GUI authentication sequence.
>     We want to try company SSO, federation and internal. In that order.
>     Just one of them needs to be successful to let the user in.
>   </description>
>   <channel>
>     <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>     <default>true</default>
>     <urlSuffix>default</urlSuffix>
>   </channel>
>   <module id="4">
>     <name>internalLoginForm</name>
>     <order>20</order>
>     <necessity>sufficient</necessity>
>   </module>
>   <module id="5">
>     <name>ldapAuth</name>
>     <order>20</order>
>     <necessity>sufficient</necessity>
>   </module>
> </sequence>
>
> *My midpoint.log*
> 2020-09-15 00:27:26,175 [MODEL] [http-nio-127.0.0.1-8080-exec-1] INFO (com.evolveum.midpoint.web.security.provider.PasswordProvider): Authentication failed for test.user: web.security.provider.invalid
> 2020-09-15 00:27:26,175 [MODEL] [http-nio-127.0.0.1-8080-exec-1] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: web.security.provider.invalid
> org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: web.security.provider.invalid
>       at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.checkCredentials(AuthenticationEvaluatorImpl.java:191)
>       at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticate(AuthenticationEvaluatorImpl.java:107)
>       at com.evolveum.midpoint.web.security.provider.PasswordProvider.internalAuthentication(PasswordProvider.java:70)
>       at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:87)
>       at com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)
>       at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:200)
>       at com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter.attemptAuthentication(MidpointUsernamePasswordAuthenticationFilter.java:71)
>       at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
>       at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:289)
>       at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
>       at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:289)
>       at com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter.doFilterInternal(RedirectForLoginPagesWithAuthenticationFilter.java:39)
>
> Regards
>
> Gus
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
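A security policy fragment with the sequence corrected the way the reply suggests, as an added example (not part of the thread and not Evolveum's own sample): both modules stay in 'admin-gui-default', but with distinct order values, so midPoint tries Active Directory first and falls back to the internal login form; each module is 'sufficient', so whichever succeeds lets the user in. The host name, bind DN, clear-text placeholder password and the search block are assumptions, not values from the thread. Note also that 636 is the conventional LDAPS port, so the example pairs it with the ldaps:// scheme; a plain ldap:// URL belongs on 389.

```xml
<!-- Added example, not from the thread. Placeholders (host, DNs, search pattern,
     password) are assumptions; the password is normally stored encrypted, as in
     Gus's posted config, and midPoint encrypts a clearValue on import. -->
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <name>Security Policy</name>
  <authentication>
    <modules>
      <loginForm>
        <name>internalLoginForm</name>
        <description>Internal username/password check against midPoint's own credentials.</description>
      </loginForm>
      <ldap>
        <name>ldapAuth</name>
        <description>Bind-based authentication against Active Directory.</description>
        <!-- 636 is the LDAPS port: use ldaps://, not ldap:// (assumed host name) -->
        <host>ldaps://ad.example.net:636/</host>
        <userDn>CN=svc_midpoint,OU=Users_SVC,DC=example,DC=net</userDn>
        <userPassword>
          <t:clearValue>REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD</t:clearValue>
        </userPassword>
        <!-- assumed: how the midPoint user name is looked up in AD; {0} is the typed name -->
        <search>
          <pattern>(sAMAccountName={0})</pattern>
          <namingAttr>sAMAccountName</namingAttr>
          <subtree>true</subtree>
        </search>
      </ldap>
    </modules>
    <sequence>
      <name>admin-gui-default</name>
      <description>
        Default GUI authentication sequence: try Active Directory first, then the internal form.
        Each module is sufficient on its own, so the first one that succeeds lets the user in.
      </description>
      <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>default</urlSuffix>
      </channel>
      <module>
        <name>ldapAuth</name>
        <!-- distinct from the next module: equal orders are not allowed in a GUI sequence -->
        <order>10</order>
        <necessity>sufficient</necessity>
      </module>
      <module>
        <name>internalLoginForm</name>
        <order>20</order>
        <necessity>sufficient</necessity>
      </module>
    </sequence>
  </authentication>
</securityPolicy>
```

For the LDAP-only variant described in the reply, delete the internalLoginForm module element from this sequence and leave ldapAuth as the single module. Before doing that, make sure the built-in administrator account can still log in through some sequence that does not depend on Active Directory, otherwise an AD outage or a misconfigured bind locks you out of the GUI.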

