[midPoint] Update from 4.4.3 to 4.4.6 breaking LDAP authentication
Alcides Moraes
alcides.neto at gmail.com
Tue Oct 17 22:01:15 CEST 2023
Hi list,
So I did a few more tests, I rolled back to 4.4.3 and configured authentication using security policy xml instead of spring security. It works!
So I tried upgrading to 4.4.4. It works as well.
Upgrading to 4.4.5 then breaks authentication.
I see that there are some updates about authentication in 4.4.5, but no action seems to be required to upgrade, right?
The most obvious seems to be this one: Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled <https://docs.evolveum.com/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/>
The LDAP and midpoint users I’m testing are both enabled, so this shouldn’t affect me.
> On 16 Oct 2023, at 21:03, Alcides Moraes <alcides.neto at gmail.com> wrote:
>
> Hello list,
>
> I’m having some issues with ldap authentication, hope someone can shed some light
>
> After updating from 4.4.3 to 4.4.6, I could not login to our test midpoint anymore using our LDAP server.
> I had to use the /auth/emergency to log in using local administrator.
>
> This is the log I was getting:
> 2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
> org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid
>
> We haven’t configured authentication using security policy yet, we were using the old spring security ldap configuration.
>
> So I tried configuring our ldap using security policy, since the spring security configuration is not supported anymore.
> It didn’t work either, here’s the log
> 2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
> org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.
> …
> Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]
>
> I’m very sure the users and passwords for both the bind user and the login form are correct. If I roll back everything it works again.
> Emergency login using internal database still works.
> Below is my authentication configuration, pretty simple.
>
> Thanks in advance for any help on this.
> <authentication>
> <modules>
> <loginForm>
> <name>internalLoginForm</name>
> <description>Internal username/password authentication, default user password, login form</description>
> </loginForm>
> <httpBasic>
> <name>internalHttpBasic</name>
> <description>Http basic username/password authentication, default user password</description>
> </httpBasic>
> <ldap>
> <name>ldapAuth</name>
> <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
> <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
> <userPassword>
> <t:clearValue>testpassword</t:clearValue>
> </userPassword>
> <search>
> <pattern>(sAMAccountName={0})</pattern>
> <subtree>true</subtree>
> </search>
> </ldap>
> </modules>
> <sequence>
> <name>gui-ldap</name>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
> <default>true</default>
> <urlSuffix>default</urlSuffix>
> </channel>
> <module>
> <name>ldapAuth</name>
> <order>30</order>
> <necessity>sufficient</necessity>
> </module>
> </sequence>
> <sequence>
> <name>admin-gui-emergency</name>
> <description>
> Special GUI authentication sequence that is using just the internal user password.
> It is used only in emergency.
> </description>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
> <default>false</default>
> <urlSuffix>admin</urlSuffix>
> </channel>
> <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
> <!-- Superuser -->
> </requireAssignmentTarget>
> <module>
> <name>internalLoginForm</name>
> <order>1</order>
> <necessity>sufficient</necessity>
> </module>
> </sequence>
> <sequence>
> <name>rest-basic</name>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
> <default>true</default>
> <urlSuffix>default</urlSuffix>
> </channel>
> <module>
> <name>internalHttpBasic</name>
> <order>1</order>
> <necessity>sufficient</necessity>
> </module>
> </sequence>
> <ignoredLocalPath>/actuator</ignoredLocalPath>
> <ignoredLocalPath>/actuator/health</ignoredLocalPath>
> </authentication>
>
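The useful part of the quoted stack trace is the Active Directory sub-code after `data` (here `52e`), which says far more than the generic "Invalid username and/or password". As an added example that is not part of this thread or of midPoint itself, the helper below pulls that sub-code out of a midPoint log line and maps it to its documented AD meaning, and also expands a midPoint-style search pattern such as `(sAMAccountName={0})` with RFC 4515 filter escaping so that the search step can be checked with the same value the login form would send. The sub-code table is assumed from Microsoft's documented values for LDAP error 49.

```python
import re

# Documented Active Directory sub-codes appended to an LDAP error 49
# (invalidCredentials) bind failure; table assembled for this example.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for the DN that was bound)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the AD diagnostic text as it appears in the midPoint log above.
_AD_ERR = re.compile(r"LDAP: error code (\d+) - \w+: LdapErr: .*?data ([0-9a-f]+)")


def classify_bind_error(log_line):
    """Return (ldap_code, ad_subcode, meaning) for an AD bind failure found in
    a log line, or None when the line carries no such diagnostic."""
    m = _AD_ERR.search(log_line)
    if not m:
        return None
    code, sub = m.group(1), m.group(2)
    return int(code), sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter:
    backslash, '*', '(', ')', NUL and non-ASCII bytes become \\xx sequences."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_search_filter(pattern, username):
    """Expand the {0} placeholder of a midPoint search pattern with the escaped username."""
    return pattern.replace("{0}", escape_filter_value(username))


# Constructed sample: the stack-trace line quoted in the thread.
SAMPLE = ("Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: "
          "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]")
```

Run `classify_bind_error(SAMPLE)` on a line from midpoint.log to see whether the bind that failed was rejected for a bad password, a disabled account, a lockout, or a missing user; the same two-step flow (service bind, search, user bind) is what the `<ldap>` module performs.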