[midPoint] Update from 4.4.3 to 4.4.6 breaking LDAP authentication

Alcides Moraes alcides.neto at gmail.com
Wed Oct 18 00:04:26 CEST 2023


Hey guys,

So I went to GitHub to compare both tags (4.4.4 vs 4.4.5) and I found the commit responsible for my issue:
https://github.com/Evolveum/midpoint/commit/60e5d56b52b751406b1bdf7702483b0c600a5121#r130238442
fix bugs from schrodinger ldap auth tests · Evolveum/midpoint at 60e5d56

There is a validation of namingAttr value from the ldap module definition, if it is null then the exception is thrown.
However the attribute is not marked as mandatory, and was not needed before.
I added a comment to the commit line on GitHub.

Setting namingAttr value to sAMAccountName solved my issue.


> Em 17 de out. de 2023, à(s) 17:01, Alcides Moraes <alcides.neto at gmail.com> escreveu:
> 
> Hi list,
> 
> So I did a few more tests, I rolled back to 4.4.3 and configured authentication using security policy xml instead of spring security. It works!
> 
> So I tried upgrading to 4.4.4. It works as well.
> 
> Upgrading to 4.4.5 then breaks authentication.
> 
> I see that there are some updates about authentication in 4.4.5, but no action seems to be required to upgrade, right?
> The most obvious seems to be this one: Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled <https://docs.evolveum.com/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/>
> The LDAP and midpoint users I’m testing are both enabled, so this shouldn’t affect me.
> 
>> Em 16 de out. de 2023, à(s) 21:03, Alcides Moraes <alcides.neto at gmail.com> escreveu:
>> 
>> Hello list,
>> 
>> I’m having some issues with ldap authentication, hope someone can shed some light
>> 
>> After updating from 4.4.3 to 4.4.6, I could not login to our test midpoint anymore using our LDAP server.
>> I had to use the /auth/emergency to log in using local administrator.
>> 
>> This is the log I was getting:
>> 2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
>> org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid
>> 
>> We haven’t configured authentication using security policy yet, we were using the old spring security ldap configuration.
>> 
>> So I tried configuring our ldap using security policy, since the spring security configuration is not supported anymore.
>> It didn’t work either, here’s the log
>> 2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
>> org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.
>> Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]
>> 
>> I’m very sure the users and passwords for both bind user and the login form are correct. If I rollback everything it works again.
>> Emergency login using internal database still works.
>> Below is my authentication configuration, pretty simple. 
>> 
>> Thanks in advance for any help on this.
>> <authentication>
>>     <modules>
>>         <loginForm>
>>             <name>internalLoginForm</name>
>>             <description>Internal username/password authentication, default user password, login form</description>
>>         </loginForm>
>>         <httpBasic>
>>             <name>internalHttpBasic</name>
>>             <description>Http basic username/password authentication, default user password</description>
>>         </httpBasic>
>>         <ldap>
>>             <name>ldapAuth</name>
>>             <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
>>             <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
>>             <userPassword>
>>                 <t:clearValue>testpassword</t:clearValue>
>>             </userPassword>
>>             <search>
>>                 <pattern>(sAMAccountName={0})</pattern>
>>                 <subtree>true</subtree>
>>             </search>
>>         </ldap>
>>     </modules>
>>     <sequence>
>>         <name>gui-ldap</name>
>>         <channel>
>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>             <default>true</default>
>>             <urlSuffix>default</urlSuffix>
>>         </channel>
>>         <module>
>>             <name>ldapAuth</name>
>>             <order>30</order>
>>             <necessity>sufficient</necessity>
>>         </module>
>>     </sequence>
>>     <sequence>
>>         <name>admin-gui-emergency</name>
>>         <description>
>>             Special GUI authentication sequence that is using just the internal user password.
>>             It is used only in emergency.
>>         </description>
>>         <channel>
>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>             <default>false</default>
>>             <urlSuffix>admin</urlSuffix>
>>         </channel>
>>         <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>             <!-- Superuser -->
>>         </requireAssignmentTarget>
>>         <module>
>>             <name>internalLoginForm</name>
>>             <order>1</order>
>>             <necessity>sufficient</necessity>
>>         </module>
>>     </sequence>
>>     <sequence>
>>         <name>rest-basic</name>
>>         <channel>
>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>>             <default>true</default>
>>             <urlSuffix>default</urlSuffix>
>>         </channel>
>>         <module>
>>             <name>internalHttpBasic</name>
>>             <order>1</order>
>>             <necessity>sufficient</necessity>
>>         </module>
>>     </sequence>
>>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>> </authentication>
>> 
> 

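Added example (not code from this thread and not midPoint's own code): a small pre-upgrade lint that parses an `<authentication>` fragment from a security policy, reports every `<ldap>` module that has no non-empty `namingAttr` (the null value the commit above now rejects), and patches one in, deriving the attribute from a simple `(attr={0})` search pattern. The sample policy is a constructed copy of the module posted in the thread, with the standard midPoint `common-3`/`types-3` namespaces added so it parses stand-alone. It assumes `namingAttr` belongs under `<search>`, as in the midPoint documentation for the ldap module; check the schema of your target version before importing the patched policy.

```python
"""Lint a midPoint security-policy <authentication> fragment for <ldap> modules
without namingAttr, and patch the attribute in. Runs offline on constructed input."""
import re
import xml.etree.ElementTree as ET

# Standard midPoint namespaces (the posted fragment omitted the declarations).
COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
TYPES_NS = "http://prism.evolveum.com/xml/ns/public/types-3"
ET.register_namespace("", COMMON_NS)   # serialize common-3 as the default namespace
ET.register_namespace("t", TYPES_NS)   # keep the t: prefix used by <t:clearValue>


def _policy(naming_attr_line: str) -> str:
    """Constructed sample modelled on the thread's ldapAuth module (assumption)."""
    return f"""<authentication xmlns="{COMMON_NS}" xmlns:t="{TYPES_NS}">
  <modules>
    <ldap>
      <name>ldapAuth</name>
      <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
      <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
      <userPassword><t:clearValue>testpassword</t:clearValue></userPassword>
      <search>
        <pattern>(sAMAccountName={{0}})</pattern>{naming_attr_line}
        <subtree>true</subtree>
      </search>
    </ldap>
  </modules>
</authentication>"""


BROKEN_POLICY = _policy("")  # as posted: no namingAttr, fails on 4.4.5+
FIXED_POLICY = _policy("\n        <namingAttr>sAMAccountName</namingAttr>")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _module_name(ldap_el: ET.Element) -> str:
    for child in ldap_el:
        if _local(child.tag) in ("name", "identifier") and child.text:
            return child.text.strip()
    return "<unnamed>"


def suggest_naming_attr(pattern: str):
    """Return the attribute of a single-term pattern like (sAMAccountName={0}), else None."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", pattern.strip())
    return m.group(1) if m else None


def ldap_modules_missing_naming_attr(policy_xml: str) -> list:
    """Names of <ldap> modules whose subtree has no non-empty <namingAttr>."""
    root = ET.fromstring(policy_xml)
    missing = []
    for el in root.iter():
        if _local(el.tag) != "ldap":
            continue
        present = any(_local(d.tag) == "namingAttr" and (d.text or "").strip()
                      for d in el.iter())
        if not present:
            missing.append(_module_name(el))
    return missing


def add_naming_attr(policy_xml: str, fallback: str = "uid") -> str:
    """Insert <namingAttr> right after <pattern> in every ldap module that lacks it.
    The attribute is taken from the search pattern when it is a simple (attr={0}),
    otherwise `fallback` is used; modules without <search> are left untouched."""
    root = ET.fromstring(policy_xml)
    ldap_modules = [e for e in root.iter() if _local(e.tag) == "ldap"]  # snapshot first
    for el in ldap_modules:
        if any(_local(d.tag) == "namingAttr" for d in el.iter()):
            continue
        search = next((c for c in el if _local(c.tag) == "search"), None)
        if search is None:
            continue  # dnPattern-style module: nothing to patch here
        children = list(search)
        idx = next((i for i, c in enumerate(children) if _local(c.tag) == "pattern"), -1)
        pattern = children[idx].text if idx >= 0 else ""
        new_el = ET.Element(f"{{{COMMON_NS}}}namingAttr")
        new_el.text = suggest_naming_attr(pattern or "") or fallback
        search.insert(idx + 1, new_el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("missing namingAttr:", ldap_modules_missing_naming_attr(BROKEN_POLICY))
    print(add_naming_attr(BROKEN_POLICY))
```

Run it against the `<authentication>` element exported from your real security policy before upgrading past 4.4.4; an empty list means the ldap modules already carry a naming attribute and the check in the commit above will not fire.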