[midPoint] Update from 4.4.3 to 4.4.6 breaking LDAP authentication

Alcides Moraes alcides.neto at gmail.com
Wed Oct 18 22:32:05 CEST 2023


Great! Glad I could help.

> On Oct 18, 2023, at 12:18, Lukas Skublik via midPoint <midpoint at lists.evolveum.com> wrote:
> 
> Hello Alcides,
> Thank you for the email. It is my mistake. I fixed it in 30182adac0c044fb0d7392c0bf734c2d772c0077 <https://github.com/Evolveum/midpoint/commit/30182adac0c044fb0d7392c0bf734c2d772c0077>.
> 
> Best regards,
> L. Skublik.
> 
> On 18. 10. 2023 0:04, Alcides Moraes via midPoint wrote:
>> Hey guys,
>> 
>> So I went to GitHub to compare both tags (4.4.4 vs 4.4.5) and I found the commit responsible for my issue:
>> https://github.com/Evolveum/midpoint/commit/60e5d56b52b751406b1bdf7702483b0c600a5121#r130238442
>> 
>> There is a validation of the namingAttr value from the ldap module definition; if it is null, the exception is thrown.
>> However, the attribute is not marked as mandatory and was not needed before.
>> I added a comment to the commit line on GitHub.
>> 
>> Setting the namingAttr value to sAMAccountName solved my issue.
>> 
>> 
>>> On Oct 17, 2023, at 17:01, Alcides Moraes <alcides.neto at gmail.com> wrote:
>>> 
>>> Hi list,
>>> 
>>> So I did a few more tests: I rolled back to 4.4.3 and configured authentication using the security policy XML instead of Spring Security. It works!
>>> 
>>> So I tried upgrading to 4.4.4. It works as well.
>>> 
>>> Upgrading to 4.4.5 then breaks authentication.
>>> 
>>> I see that there are some updates about authentication in 4.4.5, but no action seems to be required to upgrade, right?
>>> The most obvious seems to be this one: Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled <https://docs.evolveum.com/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/>
>>> The LDAP and midpoint users I’m testing are both enabled, so this shouldn’t affect me.
>>> 
>>>> On Oct 16, 2023, at 21:03, Alcides Moraes <alcides.neto at gmail.com> wrote:
>>>> 
>>>> Hello list,
>>>> 
>>>> I’m having some issues with LDAP authentication; I hope someone can shed some light.
>>>> 
>>>> After updating from 4.4.3 to 4.4.6, I could not login to our test midpoint anymore using our LDAP server.
>>>> I had to use the /auth/emergency to log in using local administrator.
>>>> 
>>>> This is the log I was getting:
>>>> 2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
>>>> org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid
>>>> 
>>>> We haven’t configured authentication using security policy yet, we were using the old spring security ldap configuration.
>>>> 
>>>> So I tried configuring our LDAP using the security policy, since the Spring Security configuration is not supported anymore.
>>>> It didn’t work either; here’s the log:
>>>> 2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
>>>> org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.
>>>> Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]
>>>> 
>>>> I’m very sure the users and passwords for both the bind user and the login form are correct. If I roll back everything, it works again.
>>>> Emergency login using internal database still works.
>>>> Below is my authentication configuration, pretty simple. 
>>>> 
>>>> Thanks in advance for any help on this.
>>>> <authentication>
>>>>     <modules>
>>>>         <loginForm>
>>>>             <name>internalLoginForm</name>
>>>>             <description>Internal username/password authentication, default user password, login form</description>
>>>>         </loginForm>
>>>>         <httpBasic>
>>>>             <name>internalHttpBasic</name>
>>>>             <description>Http basic username/password authentication, default user password</description>
>>>>         </httpBasic>
>>>>         <ldap>
>>>>             <name>ldapAuth</name>
>>>>             <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
>>>>             <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
>>>>             <userPassword>
>>>>                 <t:clearValue>testpassword</t:clearValue>
>>>>             </userPassword>
>>>>             <search>
>>>>                 <pattern>(sAMAccountName={0})</pattern>
>>>>                 <subtree>true</subtree>
>>>>             </search>
>>>>         </ldap>
>>>>     </modules>
>>>>     <sequence>
>>>>         <name>gui-ldap</name>
>>>>         <channel>
>>>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>             <default>true</default>
>>>>             <urlSuffix>default</urlSuffix>
>>>>         </channel>
>>>>         <module>
>>>>             <name>ldapAuth</name>
>>>>             <order>30</order>
>>>>             <necessity>sufficient</necessity>
>>>>         </module>
>>>>     </sequence>
>>>>     <sequence>
>>>>         <name>admin-gui-emergency</name>
>>>>         <description>
>>>>             Special GUI authentication sequence that is using just the internal user password.
>>>>             It is used only in emergency.
>>>>         </description>
>>>>         <channel>
>>>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>             <default>false</default>
>>>>             <urlSuffix>admin</urlSuffix>
>>>>         </channel>
>>>>         <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>>>             <!-- Superuser -->
>>>>         </requireAssignmentTarget>
>>>>         <module>
>>>>             <name>internalLoginForm</name>
>>>>             <order>1</order>
>>>>             <necessity>sufficient</necessity>
>>>>         </module>
>>>>     </sequence>
>>>>     <sequence>
>>>>         <name>rest-basic</name>
>>>>         <channel>
>>>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>>>>             <default>true</default>
>>>>             <urlSuffix>default</urlSuffix>
>>>>         </channel>
>>>>         <module>
>>>>             <name>internalHttpBasic</name>
>>>>             <order>1</order>
>>>>             <necessity>sufficient</necessity>
>>>>         </module>
>>>>     </sequence>
>>>>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>>>>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>>> </authentication>
>>>> 
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
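The check this thread leads to, as an added example that is not part of the original posts or of midPoint itself: a pre-upgrade lint that parses a securityPolicy `<authentication>` block and reports every `<ldap>` module with no `search/namingAttr`, the gap that 4.4.5 and 4.4.6 reject (later fixed upstream in the commit Lukas cites), together with the sequences that depend on that module. It assumes namingAttr sits under `<search>`, as in midPoint's LDAP module schema, and the sample policy is constructed from the configuration quoted above.

```python
"""Pre-upgrade check for a midPoint securityPolicy <authentication> block.
Hypothetical helper, not midPoint code: lists <ldap> modules lacking
<search><namingAttr>, the gap that 4.4.5/4.4.6 reject (see thread)."""
import xml.etree.ElementTree as ET

# Constructed sample based on the policy quoted above (password element
# omitted). Lookups use the {*} namespace wildcard (Python 3.8+), so
# real, namespaced policies work unchanged.
SAMPLE_POLICY = """<authentication xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <modules>
    <loginForm><name>internalLoginForm</name></loginForm>
    <ldap>
      <name>ldapAuth</name>
      <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
      <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
      <search>
        <pattern>(sAMAccountName={0})</pattern>
        <subtree>true</subtree>
      </search>
    </ldap>
  </modules>
  <sequence><name>gui-ldap</name><module><name>ldapAuth</name></module></sequence>
  <sequence><name>admin-gui-emergency</name><module><name>internalLoginForm</name></module></sequence>
</authentication>"""

# The fix reported in the thread: name the login attribute explicitly.
# namingAttr is assumed to sit under <search> (midPoint LDAP module schema).
FIXED_POLICY = SAMPLE_POLICY.replace(
    "<subtree>true</subtree>",
    "<namingAttr>sAMAccountName</namingAttr><subtree>true</subtree>")

def _text(elem, path):
    found = elem.find(path)
    return found.text.strip() if found is not None and found.text else None

def ldap_modules_missing_naming_attr(policy_xml):
    """Return {ldap module name: [sequences using it]} for modules with no
    search/namingAttr; an empty dict means the policy survives the upgrade."""
    root = ET.fromstring(policy_xml)
    used_by = {}  # module name -> names of sequences that reference it
    for seq in root.iterfind(".//{*}sequence"):
        for mod in seq.findall("{*}module"):
            used_by.setdefault(_text(mod, "{*}name"), []).append(_text(seq, "{*}name"))
    missing = {}
    for ldap in root.iterfind(".//{*}ldap"):
        name = _text(ldap, "{*}name")
        if _text(ldap, "{*}search/{*}namingAttr") is None:
            missing[name] = used_by.get(name, [])
    return missing
```

Running it on SAMPLE_POLICY flags ldapAuth (used by the gui-ldap sequence), while FIXED_POLICY comes back clean; the same call works on a full securityPolicy export because the lookups are namespace-agnostic.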
