[midPoint] Update from 4.4.3 to 4.4.6 breaking LDAP authentication
Lukas Skublik
lukas.skublik at evolveum.com
Wed Oct 18 17:18:40 CEST 2023
Hello Alcides,
Thank you for the email. It is my mistake. I fixed it in
30182adac0c044fb0d7392c0bf734c2d772c0077
<https://github.com/Evolveum/midpoint/commit/30182adac0c044fb0d7392c0bf734c2d772c0077>.
Best regards,
L. Skublik.
On 18. 10. 2023 0:04, Alcides Moraes via midPoint wrote:
> Hey guys,
>
> So I went to GitHub to compare both tags (4.4.4 vs 4.4.5) and I found
> the commit responsible for my issue:
> fix bugs from schrodinger ldap auth tests · Evolveum/midpoint at 60e5d56
> <https://github.com/Evolveum/midpoint/commit/60e5d56b52b751406b1bdf7702483b0c600a5121#r130238442>
>
> There is a validation of namingAttr value from the ldap module
> definition, if it is null then the exception is thrown.
> However the attribute is not marked as mandatory, and was not needed
> before.
> I added a comment to the commit line on GitHub.
>
> Setting namingAttr value to sAMAccountName solved my issue.
>
>
>> Em 17 de out. de 2023, à(s) 17:01, Alcides Moraes
>> <alcides.neto at gmail.com> escreveu:
>>
>> Hi list,
>>
>> So I did a few more tests, I rolled back to 4.4.3 and configured
>> authentication using security policy xml instead of spring security.
>> It works!
>>
>> So I tried upgrading to 4.4.4. It works as well.
>>
>> Upgrading to 4.4.5 then breaks authentication.
>>
>> I see that there are some updates about authentication in 4.4.5, but
>> no action seems to be required to upgrade, right?
>> The most obvious seems to be this one: Security Advisory: Disabled
>> Users able to log-in when LDAP authentication is enabled
>> <https://docs.evolveum.com/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/>
>> The LDAP and midpoint users I’m testing are both enabled, so this
>> shouldn’t affect me.
>>
>>> Em 16 de out. de 2023, à(s) 21:03, Alcides Moraes
>>> <alcides.neto at gmail.com> escreveu:
>>>
>>> Hello list,
>>>
>>> I’m having some issues with ldap authentication, hope someone can
>>> shed some light.
>>>
>>> After updating from 4.4.3 to 4.4.6, I could not login to our test
>>> midpoint anymore using our LDAP server.
>>> I had to use the /auth/emergency to log in using local administrator.
>>>
>>> This is the log I was getting:
>>> 2023-10-16T17:50:50.669 ERROR
>>> [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider]
>>> (http-nio-8080-exec-10) Authentication (runtime) error:
>>> web.security.provider.invalid
>>> org.springframework.security.authentication.AuthenticationServiceException:
>>> web.security.provider.invalid
>>>
>>> We haven’t configured authentication using security policy yet, we
>>> were using the old spring security ldap configuration.
>>>
>>> So I tried configuring our ldap using security policy, since the
>>> spring security configuration is not supported anymore.
>>> It didn’t work either, here’s the log
>>> 2023-10-16T20:41:38.107 ERROR
>>> [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider]
>>> (http-nio-8080-exec-2) Authentication (runtime) error: Invalid
>>> username and/or password.
>>> org.springframework.security.authentication.BadCredentialsException:
>>> Invalid username and/or password.
>>> …
>>> Caused by:
>>> org.springframework.security.authentication.InternalAuthenticationServiceException:
>>> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment:
>>> AcceptSecurityContext error, data 52e, v2580]; nested exception is
>>> javax.naming.AuthenticationException: [LDAP: error code 49 -
>>> 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext
>>> error, data 52e, v2580]
>>>
>>> I’m very sure the users and passwords for both bind user and the
>>> login form are correct. If I rollback everything it works again.
>>> Emergency login using internal database still works.
>>> Below is my authentication configuration, pretty simple.
>>>
>>> Thanks in advance for any help on this.
>>> <authentication>
>>>   <modules>
>>>     <loginForm>
>>>       <name>internalLoginForm</name>
>>>       <description>Internal username/password authentication, default user password, login form</description>
>>>     </loginForm>
>>>     <httpBasic>
>>>       <name>internalHttpBasic</name>
>>>       <description>Http basic username/password authentication, default user password</description>
>>>     </httpBasic>
>>>     <ldap>
>>>       <name>ldapAuth</name>
>>>       <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
>>>       <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
>>>       <userPassword>
>>>         <t:clearValue>testpassword</t:clearValue>
>>>       </userPassword>
>>>       <search>
>>>         <pattern>(sAMAccountName={0})</pattern>
>>>         <subtree>true</subtree>
>>>       </search>
>>>     </ldap>
>>>   </modules>
>>>   <sequence>
>>>     <name>gui-ldap</name>
>>>     <channel>
>>>       <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>       <default>true</default>
>>>       <urlSuffix>default</urlSuffix>
>>>     </channel>
>>>     <module>
>>>       <name>ldapAuth</name>
>>>       <order>30</order>
>>>       <necessity>sufficient</necessity>
>>>     </module>
>>>   </sequence>
>>>   <sequence>
>>>     <name>admin-gui-emergency</name>
>>>     <description>Special GUI authentication sequence that is using just the internal user password. It is used only in emergency.</description>
>>>     <channel>
>>>       <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>       <default>false</default>
>>>       <urlSuffix>admin</urlSuffix>
>>>     </channel>
>>>     <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>>       <!-- Superuser -->
>>>     </requireAssignmentTarget>
>>>     <module>
>>>       <name>internalLoginForm</name>
>>>       <order>1</order>
>>>       <necessity>sufficient</necessity>
>>>     </module>
>>>   </sequence>
>>>   <sequence>
>>>     <name>rest-basic</name>
>>>     <channel>
>>>       <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>>>       <default>true</default>
>>>       <urlSuffix>default</urlSuffix>
>>>     </channel>
>>>     <module>
>>>       <name>internalHttpBasic</name>
>>>       <order>1</order>
>>>       <necessity>sufficient</necessity>
>>>     </module>
>>>   </sequence>
>>>   <ignoredLocalPath>/actuator</ignoredLocalPath>
>>>   <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>> </authentication>
>>>
>>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
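Added example, not part of the thread and not code from the midPoint project: the ldap module from the configuration Alcides posted, with the namingAttr value he reports fixed the login added. namingAttr sits inside search here because that is where the midPoint LDAP module schema places it as I recall it; host, bind DN and bind password are the thread's own placeholder values. The namingAttr is the LDAP attribute whose value midPoint matches against the midPoint user name after the LDAP bind succeeds, so it has to be the same attribute the search pattern filters on.

```xml
<ldap>
  <name>ldapAuth</name>
  <!-- Values below are the placeholders from the thread, not a real server -->
  <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
  <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
  <userPassword>
    <t:clearValue>testpassword</t:clearValue>
  </userPassword>
  <search>
    <!-- Filter that locates the LDAP entry for the name typed into the login form -->
    <pattern>(sAMAccountName={0})</pattern>
    <!-- Attribute of the found entry that is mapped to the midPoint user name.
         Left out in the original configuration; 4.4.5 and later reject a null value
         (commit 60e5d56), which surfaced as the "Invalid username and/or password"
         error in the thread. Assumed placement inside <search>; verify against the
         schema of the midPoint version you run. -->
    <namingAttr>sAMAccountName</namingAttr>
    <subtree>true</subtree>
  </search>
</ldap>
```

When testing a change like this, keep the admin-gui-emergency sequence from the posted configuration in place and confirm it still works first, so a misconfigured LDAP module cannot lock administrators out of the GUI.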