<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Lukas<br><div><br></div><div><div>I removed the settings suggested by you and now I can authenticate to the MP with the Active Directory account and password.</div><div>Thank you very much.</div></div><div><br></div><div>My Final <b>"Default Security Policy"</b> with Flexible Authentication Active Directory Implementation:</div><div><br></div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><securityPolicy
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="1"></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">    <name>Default Security Policy</name>
    <authentication>
        <modules>
            <loginForm id="1">
                <name>internalLoginForm</name>
                <description>Internal username/password authentication, default user password, login form</description>
            </loginForm>
            <ldap id="23">
                <name>ldapAuth</name>
                <host>ldaps://10.0.0.4:636/dc=xyz,dc=net</host>
                <userDn>CN=svc_midpoint,OU=Service,OU=Users,OU=CompanyA,OU=Holding,DC=xyz,DC=net</userDn>
                <userPassword>
                            <t:cipherValue>XXXXX</t:cipherValue>
                </userPassword>
                <search>
                    <pattern>(sAMAccountName={0})</pattern>
                    <namingAttr>sAMAccountName</namingAttr>
                    <subtree>true</subtree>
                </search>
            </ldap>
        </modules>
        <sequence id="1">
            <name>admin-gui-default</name>
            <description>
                Default GUI authentication sequence.
                We want to try company SSO, federation and internal. In that order.
                Just one of then need to be successful to let user in.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
                <default>true</default>
                <urlSuffix>default</urlSuffix>
            </channel>
            <module id="5">
                <name>ldapAuth</name>
                <order>20</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <sequence id="2">
            <name>admin-gui-emergency</name>
            <description>
                Special GUI authentication sequence that is using just the internal user password.
                It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
                that the SAML authentication is redirecting the browser incorrectly.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
                <default>false</default>
                <urlSuffix>emergency</urlSuffix>
            </channel>
            <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
                <!-- Superuser -->
            </requireAssignmentTarget>
            <module id="6">
                <name>internalLoginForm</name>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>       
        <ignoredLocalPath>/actuator</ignoredLocalPath>
        <ignoredLocalPath>/actuator/health</ignoredLocalPath>
    </authentication>
    <credentials>
        <password>
            <minOccurs>0</minOccurs>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
                <!-- Default Password Policy -->
            </valuePolicyRef>
        </password>
    </credentials>
</securityPolicy></pre></div><div><br></div><div>Regards</div><div><br></div><div>Gus</div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 6, 2020 at 03:50, Lukas Skublik via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Gus,<br>
please remove the sequences with id="7" and id="8", or add a module for <br>
'internalBasic' to securityPolicy->authentication->modules, because the <br>
module named 'internalBasic' is missing from your configuration.<br>
<br>
Best regards,<br>
Lukas Skublik<br>
<br>
On 6. 10. 2020 1:16, Gus Lou via midPoint wrote:<br>
> Hello Gus,<br>
> when you want to use only the ldap module, you need to remove the module <br>
> 'internalLoginForm' from the sequence 'admin-gui-default'. Or, when you <br>
> want to use both, change the order of one module. The same order is <br>
> supported only for httpModules and for the channels of rest and actuator.<br>
><br>
> Best regards,<br>
> Lukas Skublik<br>
</blockquote></div>
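The two configuration mistakes discussed in this thread (a sequence that references a module name missing from securityPolicy->authentication->modules, and two modules in one sequence sharing the same order) can be caught before the policy is imported. The following is an added example, not part of the original messages and not midPoint code: the function name, the sample policy and the way the rest and actuator channels are recognised (by URI fragment) are assumptions, and the httpModules exemption mentioned above is not modelled.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
# Assumption: channels exempt from the unique-order rule are matched by URI fragment.
SAME_ORDER_OK = {"rest", "actuator"}

# Constructed sample: a trimmed policy containing both mistakes from the thread.
SAMPLE = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication>
    <modules>
      <loginForm><name>internalLoginForm</name></loginForm>
      <ldap><name>ldapAuth</name></ldap>
    </modules>
    <sequence>
      <name>admin-gui-default</name>
      <channel><channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId></channel>
      <module><name>internalLoginForm</name><order>20</order></module>
      <module><name>ldapAuth</name><order>20</order></module>
    </sequence>
    <sequence>
      <name>rest-default</name>
      <module><name>internalBasic</name><order>10</order></module>
    </sequence>
  </authentication>
</securityPolicy>"""

def lint_security_policy(xml_text):
    """Return findings for undefined module references and duplicate orders."""
    auth = ET.fromstring(xml_text).find(NS + "authentication")
    if auth is None:
        return []
    modules = auth.find(NS + "modules")
    defined = {m.findtext(NS + "name") for m in (modules if modules is not None else [])}
    findings = []
    for seq in auth.findall(NS + "sequence"):
        seq_name = seq.findtext(NS + "name")
        # Fragment after '#' identifies the channel; empty when no channel is set.
        channel = (seq.findtext(f"{NS}channel/{NS}channelId") or "").rpartition("#")[2]
        refs = seq.findall(NS + "module")
        for ref in refs:
            name = ref.findtext(NS + "name")
            if name not in defined:
                findings.append(f"{seq_name}: module '{name}' is not defined")
        if channel not in SAME_ORDER_OK:
            orders = Counter(ref.findtext(NS + "order") for ref in refs)
            for order, count in orders.items():
                if order is not None and count > 1:
                    findings.append(f"{seq_name}: order {order} used by {count} modules")
    return findings
```

Calling lint_security_policy(SAMPLE) returns one finding per mistake; a policy shaped like the final one posted above returns an empty list.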