<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Lukas<br><div><br></div><div>I made the changes you suggested, but something is still wrong. After the changes I lost the dashboard console; I cannot log in to the interface, I received "Internal Server Error 500". </div><div><br></div><div>Here is my new Flexible Auth Config:</div><div><br></div><div><div><securityPolicy xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>" xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>" xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>" xmlns:org="<a href="http://midpoint.evolveum.com/xml/ns/public/common/org-3">http://midpoint.evolveum.com/xml/ns/public/common/org-3</a>" xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3">http://prism.evolveum.com/xml/ns/public/query-3</a>" xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>" xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3">http://prism.evolveum.com/xml/ns/public/types-3</a>" oid="00000000-0000-0000-0000-000000000120" version="1"></div><div> <name>Default Security Policy</name></div><div> <authentication></div><div> <modules></div><div> <loginForm id="1"></div><div> <name>internalLoginForm</name></div><div> <description>Internal username/password authentication, default user password, login form</description></div><div> </loginForm></div><div> <ldap id="23"></div><div> <name>ldapAuth</name></div><div> <host>ldaps://<a href="http://10.0.0.4:636/dc=xyz,dc=net">10.0.0.4:636/dc=xyz,dc=net</a></host></div><div> 
<userDn>CN=svc_midpoint,OU=Service,OU=Users,OU=CompanyA,OU=Holding,DC=xyz,DC=net</userDn></div><div> <userPassword></div><div> <t:cipherValue>XXXXX</t:cipherValue></div><div> </userPassword></div><div> <search></div><div> <pattern>(sAMAccountName={0})</pattern></div><div> <namingAttr>sAMAccountName</namingAttr></div><div> <subtree>true</subtree></div><div> </search></div><div> </ldap></div><div> </modules></div><div> <sequence id="1"></div><div> <name>admin-gui-default</name></div><div> <description></div><div> Default GUI authentication sequence.</div><div> We want to try company SSO, federation and internal. In that order.</div><div> Just one of then need to be successful to let user in.</div><div> </description></div><div> <channel></div><div> <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></div><div> <default>true</default></div><div> <urlSuffix>default</urlSuffix></div><div> </channel></div><div> </div><div> <module id="5"></div><div> <name>ldapAuth</name></div><div> <order>20</order></div><div> <necessity>sufficient</necessity></div><div> </module></div><div> </sequence></div><div> <sequence id="2"></div><div> <name>admin-gui-emergency</name></div><div> <description></div><div> Special GUI authentication sequence that is using just the internal user password.</div><div> It is used only in emergency. It allows to skip SAML authentication cycles, e.g. 
in case</div><div> that the SAML authentication is redirecting the browser incorrectly.</div><div> </description></div><div> <channel></div><div> <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></div><div> <default>false</default></div><div> <urlSuffix>emergency</urlSuffix></div><div> </channel></div><div> <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"></div><div> <!-- Superuser --></div><div> </requireAssignmentTarget></div><div> <module id="6"></div><div> <name>internalLoginForm</name></div><div> <order>30</order></div><div> <necessity>sufficient</necessity></div><div> </module></div><div> </sequence></div><div> <sequence id="7"></div><div> <name>actuator</name></div><div> <description></div><div> Authentication sequence for actuator.</div><div> </description></div><div> <channel></div><div> <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator</a></channelId></div><div> <default>true</default></div><div> <urlSuffix>actuator-default</urlSuffix></div><div> </channel></div><div> <module id="8"></div><div> <name>internalBasic</name></div><div> <order>10</order></div><div> <necessity>sufficient</necessity></div><div> </module></div><div> </sequence></div><div> <ignoredLocalPath>/actuator</ignoredLocalPath></div><div> <ignoredLocalPath>/actuator/health</ignoredLocalPath></div><div> </authentication></div><div> <credentials></div><div> <password></div><div> <minOccurs>0</minOccurs></div><div> <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts></div><div> <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration></div><div> <lockoutDuration>PT15M</lockoutDuration></div><div> <valuePolicyRef xmlns:tns="<a 
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType"></div><div> <!-- Default Password Policy --></div><div> </valuePolicyRef></div><div> </password></div><div> </credentials></div><div></securityPolicy></div></div><div><br></div><div>Regards </div><div>Gus</div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 17 Sep 2020 at 07:33, Gus Lou <<a href="mailto:gugalou38@gmail.com">gugalou38@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Lukas<br><div>Thank you very much.</div><div>I will make this change and report the results here.<br></div><div>Regards</div><div>Gus</div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 17 Sep 2020 at 02:36, Lukas Skublik via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello Gus,<br>
When you want to use only the ldap module, you need to remove the module
'internalLoginForm' from the sequence 'admin-gui-default'. Or, when you
want to use both, change the order of one module. The same order is
supported only for httpModules and for the channels of rest and
actuator.<br>
<br>
Best regards,<br>
Lukas Skublik<br>
<br>
</p>
<div>On 15. 9. 2020 2:48, Gus Lou via
midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><font size="1" face="arial,
sans-serif">Hi Guys<br>
</font>
<div><font size="1" face="arial, sans-serif">Has
anyone successfully used the Flexible
Authentication option with Active Directory?<br>
</font></div>
<div>
<div><font size="1" face="arial, sans-serif">I
did the configuration following the wiki
guidelines:</font></div>
<div><font size="1" face="arial, sans-serif"><a href="https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration" target="_blank">https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration</a></font></div>
</div>
<div>
<div><font size="1" face="arial, sans-serif">I
created a test user in Active Directory
and the same user in MP and granted the
End User role.</font></div>
<div><font size="1" face="arial, sans-serif">After
applying the settings I tried to authenticate to
midPoint with the test user, but I get
an error message on the interface: Invalid
username and / or password.</font></div>
<div><font size="1" face="arial, sans-serif">I
have already verified the test user's
credentials and they are correct, as well
as the credentials to bind to Active
Directory.</font></div>
</div>
<div><font size="1" face="arial, sans-serif"><br>
</font></div>
<div><font size="1" face="arial, sans-serif"><b>My Flexible
Authentication Config:</b></font></div>
<div>
<div style="margin:0px;padding:0px 0px 20px;width:1119.2px">
<div>
<div id="gmail-m_7945819835762697992gmail-m_-1922088185811323126gmail-:wg" style="margin:8px 0px 0px;padding:0px">
<div id="gmail-m_7945819835762697992gmail-m_-1922088185811323126gmail-:wh">
<div dir="ltr">
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif"><ldap id="23"></font>
<div><font size="1" face="arial,
sans-serif">
<name>ldapAuth</name></font></div>
<div><font size="1" face="arial,
sans-serif">
<host>ldap://192.168.0.32:636</host></font></div>
<div><font size="1" face="arial,
sans-serif">
<userDn>CN=svc_midpoint,OU=Users_SVC,DC=xyz,DC=net</userDn></font></div>
<div><font size="1" face="arial,
sans-serif">
<userPassword></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:encryptedData></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:encryptionMethod></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:algorithm><a href="http://www.w3.org/2001/04/xmlenc#aes256-cbc" target="_blank">http://www.w3.org/2001/04/xmlenc#aes256-cbc</a></t:algorithm></font></div>
<div><font size="1" face="arial,
sans-serif">
</t:encryptionMethod></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:keyInfo></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:keyName>XXXXXXXXXXXXXXXXXXXXXXXXXXX</t:keyName></font></div>
<div><font size="1" face="arial,
sans-serif">
</t:keyInfo></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:cipherData></font></div>
<div><font size="1" face="arial,
sans-serif">
<t:cipherValue>XXXXXXXXXXXXXXXXXXXXXXXXXX</t:cipherValue></font></div>
<div><font size="1" face="arial,
sans-serif">
</t:cipherData></font></div>
<div><font size="1" face="arial,
sans-serif">
</t:encryptedData></font></div>
<div><font size="1" face="arial,
sans-serif">
</userPassword></font></div>
<font size="1" face="arial,
sans-serif">
</ldap></font></div>
<div dir="ltr"><font size="1" face="arial, sans-serif"><br>
</font></div>
<font size="1" face="arial,
sans-serif"><b>Sequence</b></font></div>
<div dir="ltr"><span style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif"><sequence
id="1"></font></span>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<name>admin-gui-default</name></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<description></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
Default GUI authentication
sequence.</font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif"> We
want to try company SSO,
federation and internal. In that
order.</font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif"> Just
one of then need to be
successful to let user in.</font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
</description></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<channel></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<channelId><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<default>true</default></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<urlSuffix>default</urlSuffix></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
</channel></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<module id="4"></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<name>internalLoginForm</name></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<order>20</order></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<necessity>sufficient</necessity></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
</module></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<module id="5"></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<name>ldapAuth</name></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<order>20</order></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
<necessity>sufficient</necessity></font></div>
<div style="color:rgb(0,0,0)"><font size="1" face="arial,
sans-serif">
</module></font></div>
<font size="1" face="arial,
sans-serif"><span style="color:rgb(0,0,0)">
</sequence></span></font></div>
<div dir="ltr"><font size="1" face="arial, sans-serif"><font color="#000000"><br>
</font></font></div>
<div dir="ltr">
<div><b>My Midpoint.log</b></div>
<div><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">2020-09-15 00:27:26,175 [MODEL] [http-nio-127.0.0.1-8080-exec-1] INFO (com.evolveum.midpoint.web.security.provider.PasswordProvider): Authentication failed for test.user: web.security.provider.invalid</span>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">2020-09-15
00:27:26,175 [MODEL]
[http-nio-127.0.0.1-8080-exec-1]
ERROR
(com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider):
Authentication (runtime) error:
web.security.provider.invalid</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
web.security.provider.invalid</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.checkCredentials(AuthenticationEvaluatorImpl.java:191)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticate(AuthenticationEvaluatorImpl.java:107)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.provider.PasswordProvider.internalAuthentication(PasswordProvider.java:70)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:87)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:200)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter.attemptAuthentication(MidpointUsernamePasswordAuthenticationFilter.java:71)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:289)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:289)</div>
<div style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px">
at
com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter.doFilterInternal(RedirectForLoginPagesWithAuthenticationFilter.java:39)</div>
</div>
<font style="font-size:medium;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif" size="1" face="Arial" color="Gray"><br>
</font></div>
<div><font style="font-size:medium;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif" size="1" face="Arial" color="Gray">Regards</font></div>
<div><font style="font-size:medium;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif" size="1" face="Arial" color="Gray"><br>
</font></div>
<div><font style="font-size:medium;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif" size="1" face="Arial" color="Gray">Gus</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</blockquote></div>
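<p>The ordering rule Lukas states in the thread (two modules in one sequence may share an <code>order</code> only on the rest and actuator channels) expressed as a small lint over a securityPolicy XML, as an added example that is not midPoint's own code. It assumes the rest channel id ends in <code>#rest</code>, does not model the separate httpModules exception, and the sample policy is constructed from the sequences posted above with one made-up second actuator module.</p>

```python
"""Added example (not midPoint code): lint a securityPolicy for module-order clashes.
Rule from the thread: modules in one sequence may share an <order> only on the rest
and actuator channels. Assumed: rest channel id ends in "#rest"; httpModules not modelled."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
SAME_ORDER_OK = {"rest", "actuator"}  # channel id fragments; "rest" is an assumption

# Constructed sample: the admin-gui-default sequence from the original post, both
# modules at order 20, plus an actuator sequence with a made-up second basic module
# at the same order to show the permitted case.
SAMPLE_POLICY = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication>
    <sequence id="1">
      <name>admin-gui-default</name>
      <channel><channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId></channel>
      <module id="4"><name>internalLoginForm</name><order>20</order><necessity>sufficient</necessity></module>
      <module id="5"><name>ldapAuth</name><order>20</order><necessity>sufficient</necessity></module>
    </sequence>
    <sequence id="7">
      <name>actuator</name>
      <channel><channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator</channelId></channel>
      <module id="8"><name>internalBasic</name><order>10</order><necessity>sufficient</necessity></module>
      <module id="9"><name>secondBasic</name><order>10</order><necessity>sufficient</necessity></module>
    </sequence>
  </authentication>
</securityPolicy>"""

def find_order_clashes(policy_xml):
    """Return one message per sequence whose modules share an <order> on a
    channel where midPoint does not support equal orders."""
    root = ET.fromstring(policy_xml)
    problems = []
    for seq in root.findall("./c:authentication/c:sequence", NS):
        seq_name = seq.findtext("c:name", default="?", namespaces=NS)
        channel_id = seq.findtext("c:channel/c:channelId", default="", namespaces=NS)
        channel = channel_id.rsplit("#", 1)[-1]  # "user", "actuator", ...
        if channel in SAME_ORDER_OK:
            continue  # equal orders are allowed on these channels
        by_order = defaultdict(list)
        for mod in seq.findall("c:module", NS):
            order = mod.findtext("c:order", default="", namespaces=NS)
            by_order[order].append(mod.findtext("c:name", default="?", namespaces=NS))
        for order, names in sorted(by_order.items()):
            if len(names) > 1:
                problems.append(f"sequence '{seq_name}' (channel {channel or 'none'}): "
                                f"modules {names} share order {order}; give each module "
                                f"its own order or keep only one of them")
    return problems

if __name__ == "__main__":
    for problem in find_order_clashes(SAMPLE_POLICY):
        print(problem)
```

Running it against the constructed sample flags only admin-gui-default; the actuator sequence passes because equal orders are permitted there.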