
LDAP Invalid credentials (49) after update from 2024.6 to 2024.8

Open · zeroward opened this issue 1 year ago · 1 comment

Describe the bug

After updating from 2024.6 to 2024.8, my LDAP service account is no longer able to be accessed through any password given. This break occurred immediately after the update with no changes made to configuration.

To Reproduce

Steps to reproduce the behavior:

  1. Follow LDAP provider tutorial
  2. Update from 2024.6 -> 2024.8
  3. ...
  4. Failure (Profit?)

Expected behavior

ldapsearch   -x   -H ldap://10.51.69.64:389  -D 'cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io'   -w '<REDACTED>'   -b 'DC=ldap,DC=goauthentik,DC=io'   '(objectClass=user)'
# extended LDIF
#
# LDAPv3
# base <DC=ldap,DC=goauthentik,DC=io> with scope subtree
# filter: (objectClass=user)
# requesting: ALL
#

# ldapservice, users, ldap.goauthentik.io
dn: cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
homeDirectory: /home/ldapservice
sn:
displayName:
mail:
cn: ldapservice
sAMAccountName: ldapservice
uid: aad512702bc868f678bd86beecc2553361f18fc2ebd6671475687e0ce925b7e3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: user
objectClass: posixAccount
objectClass: goauthentik.io/ldap/user
uidNumber: 2019
gidNumber: 2019
ak-superuser: FALSE
ak-active: TRUE
name:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Screenshots (two images, not reproduced here)

Logs

server-1      | {"event": "Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fe1986e7dd0>: Failed to establish a new connection: [Errno 111] Connection refused')': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1726019872.4107819}
server-1      | {"event": "Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fe1986e7500>: Failed to establish a new connection: [Errno 111] Connection refused')': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1726019872.4133}
server-1      | {"event": "Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fe1987e7890>: Failed to establish a new connection: [Errno 111] Connection refused')': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1726019872.4157655}
server-1      | {"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2024-09-11T01:57:53Z"}
server-1      | {"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.51.69.84","timestamp":"2024-09-11T01:57:59Z"}
server-1      | {"event": "tracing request to backend", "headers": {"Accept": ["application/json"],"Sentry-Trace": ["<REDACTED>"],"User-Agent": ["goauthentik.io/outpost/2024.6.4"],"X-Authentik-Outpost-Token": ["<REDACTED>"],"X-Authentik-Remote-Ip": ["192.168.3.149"],"X-Forwarded-For": ["10.51.69.64"],"X-Forwarded-Proto": ["https"],"X-Forwarded-Scheme": ["https"],"X-Real-Ip": ["10.51.69.64"]}, "level": "trace", "logger": "authentik.router", "timestamp": "2024-09-11T01:57:59Z", "url": "http://<REDACTED>/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "<REDACTED>", "event": "f(exec): No active Plan found, initiating planner", "flow_slug": "ldap-authentication-flow", "host": "<REDACTED>", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 41, "request_id": "<REDACTED>", "schema_name": "public", "timestamp": "2024-09-11T01:57:59.477869"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "<REDACTED>", "event": "f(plan): starting planning process", "flow_slug": "ldap-authentication-flow", "host": "<REDACTED>", "level": "debug", "logger": "authentik.flows.planner", "pid": 41, "request_id": "<REDACTED>", "schema_name": "public", "timestamp": "2024-09-11T01:57:59.478352"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "<REDACTED>", "event": "f(plan): taking plan from cache", "flow_slug": "ldap-authentication-flow", "host": "<REDACTED>", "key": "<REDACTED>", "level": "debug", "logger": "authentik.flows.planner", "pid": 41, "request_id": "<REDACTED>", "schema_name": "public", "timestamp": "2024-09-11T01:57:59.482874"}
server-1      | {"auth_via": "unauthenticated", "binding": "<FlowStageBinding: Flow-stage binding #10 to <REDACTED>>", "domain_url": "<REDACTED>", "event": "f(plan_inst): stage has marker", "host": "<REDACTED>", "level": "debug", "logger": "authentik.flows.planner", "marker": "ReevaluateMarker(binding=<FlowStageBinding: Flow-stage binding #10 to <REDACTED>>)", "pid": 41, "request_id": "<REDACTED>", "schema_name": "public", "timestamp": "2024-09-11T01:57:59.483316"}
server-1      | {"auth_via": "unauthenticated", "binding": "<FlowStageBinding: Flow-stage binding #10 to <REDACTED>>", "domain_url": "<REDACTED>", "event": "f(plan_inst): running re-evaluation", "host": "<REDACTED>", "level": "debug", "logger": "authentik.flows.markers", "marker": "ReevaluateMarker", "pid": 41, "policy_binding": "<FlowStageBinding: Flow-stage binding #10 to <REDACTED>>", "request_id": "<REDACTED>", "schema_name": "public", "timestamp": "2024-09-11T01:57:59.483683"}
server-1      | {"auth_via": "unauthenticated", "current_stage": "<IdentificationStage: Stage ldap-identification-stage>", "domain_url": "<REDACTED>", "event": "f(exec): Current stage", "flow_slug": "ldap-authentication-flow", "host": "<REDACTED>", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 41, "request_id": "<REDACTED>", "schema_name": "public", "timestamp": "2024-09-11T01:57:59.501386"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "<REDACTED>", "event": "f(exec): Passing GET", "flow_slug": "ldap-authentication-flow", "host": "<REDACTED>", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 41, "request_id": "<REDACTED>", "schema_name": "public", "stage": "<IdentificationStage: Stage ldap-identification-stage>", "timestamp": "2024-09-11T01:57:59.502718", "view_class": "authentik.stages.identification.stage.IdentificationStageView"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "<REDACTED>", "event": "/api/v3/flows/executor/ldap-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "<REDACTED>", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 41, "remote": "192.168.3.149", "request_id": "<REDACTED>", "runtime": 730, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-09-11T01:58:00.947329", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.4"}
server-1      | {"cidr":"127.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"127.0.0.1","timestamp":"2024-09-11T01:58:01Z"}
server-1      | {"event":"tracing request to backend","headers":{"User-Agent":["goauthentik.io/healthcheck"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-11T01:58:01Z","url":"http://<REDACTED>/-/health/live/"}
server-1      | {"event": "Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fe19035eae0>: Failed to establish a new connection: [Errno 111] Connection refused')': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1726019884.9620872}
server-1      | {"event": "Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fe1902b6a80>: Failed to establish a new connection: [Errno 111] Connection refused')': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1726019884.9646032}
server-1      | {"event": "Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fe1902b76b0>: Failed to establish a new connection: [Errno 111] Connection refused')': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1726019884.9669602}
server-1      | {"auth_via": "unauthenticated", "domain_url": "<REDACTED>", "event": "/-/health/live/", "host": "<REDACTED>:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 41, "remote": "127.0.0.1", "request_id": "<REDACTED>", "runtime": 18, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-09-11T01:58:01.882046", "user": "", "user_agent": "goauthentik.io/healthcheck"}

Version and Deployment (please complete the following information):

  • authentik version: 2024.8.1
  • Deployment: docker-compose


zeroward · Sep 11 '24 02:09

Did you update your ldap outpost? If not, that happens.

samip5 · Sep 11 '24 09:09
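A check for the mismatch samip5 is pointing at, added here as an example and not part of the thread or of authentik itself: the server log the reporter posted shows requests arriving with User-Agent goauthentik.io/outpost/2024.6.4 while the server is 2024.8.1, and that version string is the quickest place to confirm whether an outpost was left behind by an update. The script parses the docker-compose log format shown above (a "server-1 | " prefix followed by one JSON record per line) and reports every outpost version that differs from the server version; the sample log is constructed from trimmed copies of the lines in the issue.

```python
import json
import re
from collections import Counter

# Constructed sample in the docker-compose format shown in the issue, trimmed to
# the fields this check needs; the User-Agent strings are the ones from the thread.
SAMPLE_LOG = """\
server-1      | {"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","timestamp":"2024-09-11T01:57:53Z"}
server-1      | {"event": "tracing request to backend", "headers": {"Accept": ["application/json"], "User-Agent": ["goauthentik.io/outpost/2024.6.4"]}, "level": "trace", "logger": "authentik.router", "timestamp": "2024-09-11T01:57:59Z"}
server-1      | {"event": "/api/v3/flows/executor/ldap-authentication-flow/", "level": "info", "logger": "authentik.asgi", "method": "GET", "status": 200, "timestamp": "2024-09-11T01:58:00.947329", "user_agent": "goauthentik.io/outpost/2024.6.4"}
server-1      | {"event": "/-/health/live/", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "status": 200, "timestamp": "2024-09-11T01:58:01.882046", "user_agent": "goauthentik.io/healthcheck"}
"""

COMPOSE_PREFIX = re.compile(r"^\S+\s+\|\s*")            # strips "server-1      | "
OUTPOST_UA = re.compile(r"^goauthentik\.io/outpost/(\S+)$")

def parse_compose_json(text: str) -> list:
    """Return the JSON records from docker-compose output, skipping anything else."""
    records = []
    for raw in text.splitlines():
        body = COMPOSE_PREFIX.sub("", raw).strip()
        if body.startswith("{"):
            try:
                records.append(json.loads(body))
            except json.JSONDecodeError:
                pass  # truncated or non-JSON line, e.g. a Python traceback
    return records

def user_agent_of(record: dict):
    """authentik.router logs headers as lists; authentik.asgi logs a flat user_agent."""
    if record.get("user_agent"):
        return record["user_agent"]
    values = (record.get("headers") or {}).get("User-Agent") or []
    return values[0] if values else None

def outpost_versions(text: str) -> dict:
    """Count requests per outpost version, taken from the goauthentik.io/outpost/<v> UA."""
    counts = Counter()
    for rec in parse_compose_json(text):
        m = OUTPOST_UA.match(user_agent_of(rec) or "")
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def mismatched_outposts(text: str, server_version: str) -> list:
    """Outpost versions that differ from the server; those outposts need updating first."""
    return sorted(v for v in outpost_versions(text) if v != server_version)
```

Run it as `mismatched_outposts(open("server.log").read(), "2024.8.1")` against a fresh `docker compose logs server` capture; an empty list means every outpost that has talked to the server is already on the server's version.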

@samip5 LDAP Outpost is reporting a version of 2024.8.1.

And as I write this, the issue is now fixed. No idea what caused it. Closing this out though.

zeroward · Sep 11 '24 21:09

Issue self-remediated, might've been related to a not up to date LDAP outpost, but I did not check the version prior to the self-remediation.

Thanks all!

zeroward · Sep 11 '24 21:09