<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Alcides,<br>
Thank you for the email. It is my mistake. I fixed it in <a
moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/commit/30182adac0c044fb0d7392c0bf734c2d772c0077">30182adac0c044fb0d7392c0bf734c2d772c0077</a>.<br>
<br>
Best regards,<br>
L. Skublik.<br>
</p>
<div class="moz-cite-prefix">On 18. 10. 2023 0:04, Alcides Moraes
via midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:B98C71CD-6723-4BC1-9FB8-E6F9397B8223@gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div>Hey guys,</div>
<div><br>
</div>
<div>So I went to GitHub to compare both tags (4.4.4 vs 4.4.5) and
I found the commit responsible for my issue:</div>
<div>
<div style="display: block;"><a href="https://github.com/Evolveum/midpoint/commit/60e5d56b52b751406b1bdf7702483b0c600a5121#r130238442">fix bugs from schrodinger ldap auth tests · Evolveum/midpoint@60e5d56</a></div>
<div style="display: block;"><br>
</div>
<div style="display: block;">There is a validation of the namingAttr
value from the ldap module definition; if it is null then the
exception is thrown.</div>
<div style="display: block;">However, the attribute is not marked
as mandatory, and was not needed before.</div>
<div style="display: block;">I added a comment to the commit
line on GitHub.</div>
<div style="display: block;"><br>
</div>
<div style="display: block;">Setting the namingAttr value to
sAMAccountName solved my issue.</div>
</div>
<div><br>
</div>
<div><br>
<blockquote type="cite">
<div>On 17 Oct 2023, at 17:01, Alcides Moraes
<a class="moz-txt-link-rfc2396E" href="mailto:alcides.neto@gmail.com"><alcides.neto@gmail.com></a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<div
style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div>Hi list,</div>
<div><br>
</div>
<div>So I did a few more tests: I rolled back to 4.4.3 and
configured authentication using the security policy XML
instead of Spring Security. It works!</div>
<div><br>
</div>
<div>So I tried upgrading to 4.4.4. It works as well.</div>
<div><br>
</div>
<div>Upgrading to 4.4.5 then breaks authentication.</div>
<div><br>
</div>
<div>I see that there are some updates about
authentication in 4.4.5, but no action seems to be
required to upgrade, right?</div>
<div>The most obvious seems to be this one: <a
href="https://docs.evolveum.com/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/">Security Advisory: Disabled
Users able to log-in when LDAP authentication is
enabled</a></div>
<div>The LDAP and midpoint users I’m testing are both
enabled, so this shouldn’t affect me.</div>
<div><br>
<blockquote type="cite">
<div>On 16 Oct 2023, at 21:03, Alcides Moraes
<a class="moz-txt-link-rfc2396E" href="mailto:alcides.neto@gmail.com"><alcides.neto@gmail.com></a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<div
style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hello
list,
<div><br>
</div>
<div>I’m having some issues with LDAP
authentication; hope someone can shed some light.</div>
<div><br>
</div>
<div>After updating from 4.4.3 to 4.4.6, I could
not login to our test midpoint anymore using our
LDAP server.</div>
<div>I had to use the /auth/emergency to log in
using local administrator.</div>
<div><br>
</div>
<div>This is the log I was getting:</div>
<pre>2023-10-16T17:50:50.669 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-10) Authentication (runtime) error: web.security.provider.invalid
org.springframework.security.authentication.AuthenticationServiceException: web.security.provider.invalid</pre>
<div><br>
</div>
<div>We haven’t configured authentication using
security policy yet, we were using the old
spring security ldap configuration.</div>
<div><br>
</div>
<div>So I tried configuring our LDAP using
the security policy, since the Spring Security
configuration is not supported anymore.</div>
<div>It didn’t work either; here’s the log:</div>
<pre>2023-10-16T20:41:38.107 ERROR [com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider] (http-nio-8080-exec-2) Authentication (runtime) error: Invalid username and/or password.
org.springframework.security.authentication.BadCredentialsException: Invalid username and/or password.
…
Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]</pre>
<div><br>
</div>
<div>I’m very sure the users and passwords for
both the bind user and the login form are correct.
If I roll back everything it works again.</div>
<div>Emergency login using internal database still
works.</div>
<div>Below is my authentication configuration,
pretty simple. </div>
<div><br>
</div>
<div>Thanks in advance for any help on this.</div>
<div>
<pre><authentication>
    <modules>
        <loginForm>
            <name>internalLoginForm</name>
            <description>Internal username/password authentication, default user password, login form</description>
        </loginForm>
        <httpBasic>
            <name>internalHttpBasic</name>
            <description>Http basic username/password authentication, default user password</description>
        </httpBasic>
        <ldap>
            <name>ldapAuth</name>
            <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
            <userDn>CN=bind,OU=BIND,DC=midpointhml,DC=local</userDn>
            <userPassword>
                <t:clearValue>testpassword</t:clearValue>
            </userPassword>
            <search>
                <pattern>(sAMAccountName={0})</pattern>
                <subtree>true</subtree>
            </search>
        </ldap>
    </modules>
    <sequence>
        <name>gui-ldap</name>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module>
            <name>ldapAuth</name>
            <order>30</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence>
        <name>admin-gui-emergency</name>
        <description>
            Special GUI authentication sequence that is using just the internal user password.
            It is used only in emergency.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>false</default>
            <urlSuffix>admin</urlSuffix>
        </channel>
        <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
            <!-- Superuser -->
        </requireAssignmentTarget>
        <module>
            <name>internalLoginForm</name>
            <order>1</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence>
        <name>rest-basic</name>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module>
            <name>internalHttpBasic</name>
            <order>1</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <ignoredLocalPath>/actuator</ignoredLocalPath>
    <ignoredLocalPath>/actuator/health</ignoredLocalPath>
</authentication></pre>
</div>
<div><br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
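<p>Added example, not code from the thread or from midPoint: a small pre-upgrade lint, in Python, for the kind of authentication section quoted above. It parses the security policy XML, reports any ldap module whose search block lacks the namingAttr that 4.4.5 and later validate, and reports sequences that reference modules which are not defined. The path search/namingAttr and the unprefixed element names are assumptions taken from the thread's snippet and midPoint's documentation; the embedded configuration is constructed.</p>

```python
"""Pre-upgrade lint for the <authentication> section of a midPoint security
policy. Added example, not midPoint code: flags LDAP modules whose search
lacks namingAttr (which 4.4.5+ validates, the failure in this thread) and
sequences that reference undefined modules. The element path
search/namingAttr and the unprefixed element names are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample: the thread's ldap module, then the same module with
# namingAttr set; rest-basic deliberately references a module not defined.
SAMPLE_CONFIG = """<authentication>
  <modules>
    <ldap>
      <name>ldapAuth</name>
      <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
      <search><pattern>(sAMAccountName={0})</pattern><subtree>true</subtree></search>
    </ldap>
    <ldap>
      <name>ldapAuthFixed</name>
      <host>ldap://serverip:389/DC=midpointhml,DC=local</host>
      <search>
        <pattern>(sAMAccountName={0})</pattern>
        <namingAttr>sAMAccountName</namingAttr>
        <subtree>true</subtree>
      </search>
    </ldap>
  </modules>
  <sequence><name>gui-ldap</name>
    <module><name>ldapAuth</name><order>30</order><necessity>sufficient</necessity></module>
  </sequence>
  <sequence><name>rest-basic</name>
    <module><name>internalHttpBasic</name><order>1</order><necessity>sufficient</necessity></module>
  </sequence>
</authentication>
"""


def lint_authentication(xml_text: str) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = set()
    modules = root.find("modules")
    for module in ([] if modules is None else list(modules)):
        name = module.findtext("name") or "<unnamed>"
        defined.add(name)
        naming = module.findtext("search/namingAttr")
        if module.tag == "ldap" and not (naming and naming.strip()):
            findings.append(f"ldap module '{name}': search/namingAttr is missing; "
                            "midPoint 4.4.5+ throws at login until it is set")
    for seq in root.findall("sequence"):
        for ref in seq.findall("module/name"):
            if ref.text not in defined:
                findings.append(f"sequence '{seq.findtext('name')}' references "
                                f"undefined module '{ref.text}'")
    return findings


if __name__ == "__main__":
    for finding in lint_authentication(SAMPLE_CONFIG):
        print(finding)
```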
</body>
</html>