[midPoint] Update from 4.4.3 to 4.4.6 breaking LDAP authentication

Alcides Moraes alcides.neto at gmail.com
Tue Oct 17 02:03:34 CEST 2023


Hello list,

I’m having some issues with LDAP authentication; I hope someone can shed some light.

After updating from 4.4.3 to 4.4.6, I could not log in to our test midPoint anymore using our LDAP server.
I had to use the /auth/emergency to log in using local administrator.

This is the log I was getting:
2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid

We haven’t configured authentication using the security policy yet; we were using the old Spring Security LDAP configuration.

So I tried configuring our LDAP using the security policy, since the Spring Security configuration is not supported anymore.
It didn’t work either; here’s the log:
2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.
…
Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]

I’m very sure the users and passwords for both the bind user and the login form are correct. If I roll back everything, it works again.
Emergency login using the internal database still works.
Below is my authentication configuration; it's pretty simple.

Thanks in advance for any help on this.
<authentication>
    <modules>
        <loginForm>
            <name>internalLoginForm</name>
            <description>Internal username/password authentication, default user password, login form</description>
        </loginForm>
        <httpBasic>
            <name>internalHttpBasic</name>
            <description>Http basic username/password authentication, default user password</description>
        </httpBasic>
        <ldap>
            <name>ldapAuth</name>
            <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
            <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
            <userPassword>
                <t:clearValue>testpassword</t:clearValue>
            </userPassword>
            <search>
                <pattern>(sAMAccountName={0})</pattern>
                <subtree>true</subtree>
            </search>
        </ldap>
    </modules>
    <sequence>
        <name>gui-ldap</name>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module>
            <name>ldapAuth</name>
            <order>30</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence>
        <name>admin-gui-emergency</name>
        <description>
            Special GUI authentication sequence that is using just the internal user password.
            It is used only in emergency.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>false</default>
            <urlSuffix>admin</urlSuffix>
        </channel>
        <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
            <!-- Superuser -->
        </requireAssignmentTarget>
        <module>
            <name>internalLoginForm</name>
            <order>1</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence>
        <name>rest-basic</name>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module>
            <name>internalHttpBasic</name>
            <order>1</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <ignoredLocalPath>/actuator</ignoredLocalPath>
    <ignoredLocalPath>/actuator/health</ignoredLocalPath>
</authentication>

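An added diagnostic helper, written for this page and not part of the post or of midPoint itself. It does three things a practitioner would want before re-reading the config: it walks log lines like the two excerpts above and picks out the `web.security.provider.invalid` failure and any `[LDAP: error code 49 ...]` bind failure; it maps the Active Directory sub-code in the `data 52e` field to its documented meaning (52e is "DN exists, password rejected", which differs from 525 "user not found"); and it builds the two `ldapsearch` calls that separate a failing service-account bind (`<userDn>`/`<userPassword>`) from a failing end-user bind, since in a search-then-bind flow both binds report 52e and the sub-code alone does not say which password is wrong. The log text is constructed from the excerpts in the post, the host and bind DN come from the posted config, and the username `jdoe` is an assumption; `ldapsearch_checks` only builds command strings, it does not contact a directory.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the two log excerpts in the post above and
# trimmed to the lines that matter. Not taken from a live system.
SAMPLE_LOG = """\
2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid
2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.
Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]
"""

# Active Directory "data NNN" sub-codes that accompany LDAP result 49
# (invalidCredentials) on a failed bind. Hex, exactly as AD prints them.
AD_BIND_SUBCODES = {
    "525": "user not found (the DN presented to bind does not exist)",
    "52e": "invalid credentials (DN exists, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the bracketed JNDI/AD error text; comment and data are optional so a
# non-AD message like "[LDAP: error code 49 - Invalid Credentials]" still parses.
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+)"
    r"(?:[^\]]*?comment: (?P<comment>[^,\]]+))?"
    r"(?:[^\]]*?data (?P<data>[0-9a-fA-F]+))?"
)
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+) (?P<level>\w+) ")


def parse_ldap_error(text):
    """Return code/comment/data/meaning for the first '[LDAP: error code ...]' in text, or None."""
    m = LDAP_ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group("code"))
    data = (m.group("data") or "").lower()
    if code != 49:
        meaning = "LDAP result %d (not an invalidCredentials bind failure)" % code
    elif not data:
        meaning = "invalidCredentials without an AD sub-code (non-AD directory or trimmed message)"
    else:
        meaning = AD_BIND_SUBCODES.get(data, "invalidCredentials with unlisted AD sub-code " + data)
    return {"code": code, "comment": (m.group("comment") or "").strip(), "data": data, "meaning": meaning}


def diagnose(log_text):
    """Collect the authentication failures from midPoint log lines, tagged with the last timestamp seen."""
    findings, current_ts = [], None
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if ts:
            current_ts = ts.group("ts")
        if "web.security.provider.invalid" in line and "ERROR" in line:
            findings.append({"ts": current_ts, "kind": "provider-invalid",
                             "meaning": "midPoint raised web.security.provider.invalid "
                                        "(the error the post sees with the legacy Spring Security LDAP setup)"})
            continue
        err = parse_ldap_error(line)
        if err:
            findings.append({"ts": current_ts, "kind": "ldap-bind", **err})
    return findings


def split_host(host_value):
    """Split midPoint's <host> value ('ldap://host:389/DC=x,DC=y') into (URL, base DN)."""
    parts = urlsplit(host_value)
    return "%s://%s" % (parts.scheme, parts.netloc), parts.path.lstrip("/")


def ldapsearch_checks(host_value, bind_dn, pattern, username):
    """Two ldapsearch commands (strings only) that separate a service-account bind failure from a user bind failure.

    Run the first; a 52e there means <userPassword> for <userDn> is wrong. If it prints the
    user's DN, run the second with that DN; a 52e only there means the login-form password is wrong.
    """
    url, base_dn = split_host(host_value)
    filt = pattern.replace("{0}", username)
    service_bind = 'ldapsearch -x -H %s -D "%s" -W -b "%s" "%s" dn' % (url, bind_dn, base_dn, filt)
    user_bind = 'ldapsearch -x -H %s -D "<DN printed by the first command>" -W -b "%s" -s base "(objectClass=*)" dn' % (url, base_dn)
    return [service_bind, user_bind]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f["ts"], f["kind"], f.get("data", ""), f["meaning"])
    for cmd in ldapsearch_checks("ldap://serverip:389/DC=midpointhml,DC=local",
                                 "CN=bind,OU=BIND,DC=midpointhml,DC=local", "(sAMAccountName={0})", "jdoe"):
        print(cmd)
```

The mapping is only meaningful against Active Directory; OpenLDAP and most other servers return a bare result 49 with no sub-code, which the parser reports as such rather than guessing.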