<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div>Hey guys,</div><div><br></div><div>So I went to GitHub to compare both tags (4.4.4 vs 4.4.5) and I found the commit responsible for my issue:</div><div><div style="display: block;"><a rel="nofollow" href="https://github.com/Evolveum/midpoint/commit/60e5d56b52b751406b1bdf7702483b0c600a5121#r130238442">fix bugs from schrodinger ldap auth tests · Evolveum/midpoint@60e5d56</a></div><div style="display: block;"><br></div><div style="display: block;">There is a validation of the namingAttr value from the ldap module definition; if it is null, then an exception is thrown.</div><div style="display: block;">However, the attribute is not marked as mandatory and was not needed before.</div><div style="display: block;">I added a comment to the commit line on GitHub.</div><div style="display: block;"><br></div><div style="display: block;">Setting the namingAttr value to sAMAccountName solved my issue.</div></div><div><br></div><div><br><blockquote type="cite"><div>On 17 Oct 2023, at 17:01, Alcides Moraes <alcides.neto@gmail.com> wrote:</div><br class="Apple-interchange-newline"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div>Hi list,</div><div><br></div><div>So I did a few more tests: I rolled back to 4.4.3 and configured authentication using the security policy XML instead of Spring Security. It works!</div><div><br></div><div>So I tried upgrading to 4.4.4. It works as well.</div><div><br></div><div>Upgrading to 4.4.5 then breaks authentication.</div><div><br></div><div>I see that there are some updates about authentication in 4.4.5, but no action seems to be required to upgrade, right?</div><div>The most obvious seems to be this one: <a href="https://docs.evolveum.com/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/">Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled</a></div><div>The LDAP and midPoint users I’m testing are both enabled, so this shouldn’t affect me.</div><div><br><blockquote type="cite"><div>On 16 Oct 2023, at 21:03, Alcides Moraes <alcides.neto@gmail.com> wrote:</div><br class="Apple-interchange-newline"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hello list,<div><br></div><div>I’m having some issues with LDAP authentication; hope someone can shed some light.</div><div><br></div><div>After updating from 4.4.3 to 4.4.6, I could not log in to our test midPoint anymore using our LDAP server.</div><div>I had to use /auth/emergency to log in using the local administrator.</div><div><br></div><div>This is the log I was getting:</div><div><span style="color: rgb(204, 204, 220); font-family: 'Roboto Mono', monospace; white-space: pre-wrap; background-color: rgb(39, 42, 48);">2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid</span></div><div><br></div><div>We haven’t configured authentication using the security policy yet; we were using the old Spring Security LDAP configuration.</div><div><br></div><div>So I tried configuring our LDAP using the security policy, since the Spring Security configuration is not supported anymore.</div><div>It didn’t work either; here’s the log:</div><div><span style="color: rgb(204, 204, 220); font-family: 'Roboto Mono', monospace; white-space: pre-wrap; background-color: rgb(39, 42, 48);">2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.</span></div><div><span style="color: rgb(204, 204, 220); font-family: 'Roboto Mono', monospace; white-space: pre-wrap; background-color: rgb(39, 42, 48);">…</span></div><div><span style="color: rgb(204, 204, 220); font-family: 'Roboto Mono', monospace; white-space: pre-wrap; background-color: rgb(39, 42, 48);">Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]</span></div><div><br></div><div>I’m very sure the users and passwords for both the bind user and the login form are correct. If I roll back everything, it works again.</div><div>Emergency login using the internal database still works.</div><div>Below is my authentication configuration, pretty simple. 
</div><div><br></div><div>Thanks in advance for any help on this.</div><div><div style="background-color: rgb(43, 43, 43); color: rgb(169, 183, 198);"><pre style="font-family: 'Fira Code', monospace;"><authentication>
    <modules>
        <loginForm>
            <name>internalLoginForm</name>
            <description>Internal username/password authentication, default user password, login form</description>
        </loginForm>
        <httpBasic>
            <name>internalHttpBasic</name>
            <description>Http basic username/password authentication, default user password</description>
        </httpBasic>
        <ldap>
            <name>ldapAuth</name>
            <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
            <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
            <userPassword>
                <t:clearValue>testpassword</t:clearValue>
            </userPassword>
            <search>
                <pattern>(sAMAccountName={0})</pattern>
                <subtree>true</subtree>
            </search>
        </ldap>
    </modules>
    <sequence>
        <name>gui-ldap</name>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module>
            <name>ldapAuth</name>
            <order>30</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence>
        <name>admin-gui-emergency</name>
        <description>
            Special GUI authentication sequence that is using just the internal user password.
            It is used only in emergency.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>false</default>
            <urlSuffix>admin</urlSuffix>
        </channel>
        <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
            <!-- Superuser -->
        </requireAssignmentTarget>
        <module>
            <name>internalLoginForm</name>
            <order>1</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence>
        <name>rest-basic</name>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module>
            <name>internalHttpBasic</name>
            <order>1</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <ignoredLocalPath>/actuator</ignoredLocalPath>
    <ignoredLocalPath>/actuator/health</ignoredLocalPath>
</authentication></pre></div></div><div><br></div></div></div></blockquote></div><br></div></div></blockquote></div><br></body></html>