goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP outpost doesn't work with if user has TOTP #10571

Open ProjectPatatoe opened 2 months ago

ProjectPatatoe commented 2 months ago

Describe the bug: A user that has TOTP configured is unable to log in to a server that uses LDAP. Meanwhile, a user that doesn't have it enabled is fine. I've tried with Code-based MFA Support enabled and disabled on the provider, with the same results.

To Reproduce: Steps to reproduce the behavior:

  1. Have LDAP outpost
  2. User has TOTP configured
  3. Login with service that points to LDAP outpost
  4. attempt to login
  5. Incorrect password, regardless of using password;123456 or password
  6. Delete TOTP from account
  7. Login works.

Expected behavior: Allow login for a person with MFA configured using password;123456, OR allow login for a person with MFA configured using just the password.

Logs

server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.140", "request_id": "f5611a2d30d842e9b089f0cd8ddb86ec", "runtime": 562, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.243897", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 43, "remote": "10.1.20.140", "request_id": "34e6377ae61342dbba4277fcb41d1f68", "runtime": 23, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-07-22T05:02:29.284725", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.140", "request_id": "054ec9a4f5a34f1c85cbf7c224993876", "runtime": 41, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.342090", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "unauthenticated", "backend": "authentik.core.auth.InbuiltBackend", "domain_url": "my.home.server", "event": "Successful authentication", "host": "my.home.server", "level": "info", "logger": "authentik.stages.password.stage", "pid": 43, "request_id": "4da657e171824ca188446824922467af", "schema_name": "public", "timestamp": "2024-07-22T05:02:29.569696", "user": "jellyfinapp"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 43, "remote": "10.1.20.140", "request_id": "4da657e171824ca188446824922467af", "runtime": 213, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-07-22T05:02:29.572269", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.140", "request_id": "3d3bd7d7360d40e79c6d9cf59df75e99", "runtime": 41, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-07-22T05:02:29.631253", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"action": "login", "auth_via": "unauthenticated", "client_ip": "10.1.20.140", "context": {"auth_method": "password", "auth_method_args": {}, "http_request": {"args": {"goauthentik.io/outpost/ldap": "true"}, "method": "GET", "path": "/api/v3/flows/executor/default-authentication-flow/", "user_agent": "goauthentik.io/outpost/2024.6.0"}}, "domain_url": "my.home.server", "event": "Created Event", "host": "my.home.server", "level": "info", "logger": "authentik.events.models", "pid": 43, "request_id": "31392d0ea66a485589113dc47825634d", "schema_name": "public", "timestamp": "2024-07-22T05:02:29.684584", "user": {"email": "jellyfinapp@home.server", "pk": 11, "username": "jellyfinapp"}}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "Task published", "host": "my.home.server", "level": "info", "logger": "authentik.root.celery", "pid": 43, "request_id": "31392d0ea66a485589113dc47825634d", "schema_name": "public", "task_id": "b64501e80a82497fb51d0ab680bd608f", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-07-22T05:02:29.700622"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "b64501e8-0a82-497f-b51d-0ab680bd608f", "task_name": "event_notification_handler", "timestamp": "2024-07-22T05:02:29.701967"}
worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "2db85d90bde54527b7748531c45ff6ef", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-07-22T05:02:29.714096"}
worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "9844f2bdbc1744eb934e026494b855ad", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-07-22T05:02:29.715624"}
worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "87d275ecd27947a7836407cef9a8f66b", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-07-22T05:02:29.716431"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "state": "SUCCESS", "task_id": "b64501e80a82497fb51d0ab680bd608f", "task_name": "event_notification_handler", "timestamp": "2024-07-22T05:02:29.716936"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.140", "request_id": "31392d0ea66a485589113dc47825634d", "runtime": 69, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.716932", "user": "jellyfinapp", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "session", "domain_url": "my.home.server", "event": "/api/v3/core/applications/jellyfin/check_access/", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.140", "request_id": "4a92d2b7b1a545c1b927d119a316bf67", "runtime": 27, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.762097", "user": "jellyfinapp", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "session", "domain_url": "my.home.server", "event": "/api/v3/core/users/me/", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.140", "request_id": "f37a5140758e4b54b309fc6e5cadf5e4", "runtime": 27, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.807323", "user": "jellyfinapp", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "api_token", "domain_url": "my.home.server", "event": "/api/v3/core/groups/?include_users=true&page=1&page_size=100", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 43, "remote": "10.1.20.1", "request_id": "75aa7e5802dc4da1afd45065e2725679", "runtime": 49, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.876368", "user": "ak-outpost-73541c6297204681826e5f33b35d24ad", "user_agent": "goauthentik.io/outpost/2024.6.0"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "2db85d90-bde5-4527-b774-8531c45ff6ef", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:29.883045"}
server-1      | {"auth_via": "api_token", "domain_url": "my.home.server", "event": "/api/v3/core/users/?groups_by_name=jellyfin-users&include_groups=true&page=1&page_size=100", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 42, "remote": "10.1.20.1", "request_id": "9b777111181c46b483a56a7a842015e6", "runtime": 79, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:29.908569", "user": "ak-outpost-73541c6297204681826e5f33b35d24ad", "user_agent": "goauthentik.io/outpost/2024.6.0"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "state": "SUCCESS", "task_id": "2db85d90bde54527b7748531c45ff6ef", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:29.910172"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "9844f2bd-bc17-44eb-934e-026494b855ad", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:29.912250"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "87d275ec-d279-47a7-8364-07cef9a8f66b", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:29.916993"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "state": "SUCCESS", "task_id": "9844f2bdbc1744eb934e026494b855ad", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:29.938581"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "state": "SUCCESS", "task_id": "87d275ecd27947a7836407cef9a8f66b", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:29.957259"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 42, "remote": "10.1.20.140", "request_id": "d57e5475650e4931ba6fc1a377a93469", "runtime": 561, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:30.503557", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 42, "remote": "10.1.20.140", "request_id": "cf2479531e0e403899e5c42f3ab45c6a", "runtime": 20, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-07-22T05:02:30.541212", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 42, "remote": "10.1.20.140", "request_id": "f9b6d17a245d4f21b95b7569232f9acd", "runtime": 40, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:30.598070", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
server-1      | {"action": "login_failed", "auth_via": "unauthenticated", "client_ip": "10.1.20.140", "context": {"http_request": {"args": {"goauthentik.io/outpost/ldap": "true"}, "method": "POST", "path": "/api/v3/flows/executor/default-authentication-flow/", "user_agent": "goauthentik.io/outpost/2024.6.0"}, "password": "********************", "stage": {"app": "authentik_stages_password", "model_name": "passwordstage", "name": "default-authentication-password", "pk": "7f4dfa5dd6854746af92a706d3bbed10"}, "username": "testuser"}, "domain_url": "my.home.server", "event": "Created Event", "host": "my.home.server", "level": "info", "logger": "authentik.events.models", "pid": 42, "request_id": "e819123a3f214cdbb899107d779f2f1d", "schema_name": "public", "timestamp": "2024-07-22T05:02:30.833783", "user": {"email": "", "is_anonymous": true, "pk": 1, "username": "AnonymousUser"}}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "Task published", "host": "my.home.server", "level": "info", "logger": "authentik.root.celery", "pid": 42, "request_id": "e819123a3f214cdbb899107d779f2f1d", "schema_name": "public", "task_id": "95f8210c0be142efada63acd2a036291", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-07-22T05:02:30.848809"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "95f8210c-0be1-42ef-ada6-3acd2a036291", "task_name": "event_notification_handler", "timestamp": "2024-07-22T05:02:30.850448"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "Invalid credentials", "host": "my.home.server", "level": "info", "logger": "authentik.flows.stage", "pid": 42, "request_id": "e819123a3f214cdbb899107d779f2f1d", "schema_name": "public", "stage": "default-authentication-password", "stage_view": "authentik.stages.password.stage.PasswordStageView", "timestamp": "2024-07-22T05:02:30.852916"}
server-1      | {"auth_via": "unauthenticated", "domain_url": "my.home.server", "event": "/api/v3/flows/executor/default-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "my.home.server", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 42, "remote": "10.1.20.140", "request_id": "e819123a3f214cdbb899107d779f2f1d", "runtime": 242, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-07-22T05:02:30.857486", "user": "", "user_agent": "goauthentik.io/outpost/2024.6.0"}
worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "3211be60ba344060b43c2d12628a6972", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-07-22T05:02:30.867902"}
worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "297ad98ebec14aa1a6defa6c2b1e8a46", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-07-22T05:02:30.868640"}
worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "fc225ea9accc4fb8b48539c6a0ee5645", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-07-22T05:02:30.869146"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "state": "SUCCESS", "task_id": "95f8210c0be142efada63acd2a036291", "task_name": "event_notification_handler", "timestamp": "2024-07-22T05:02:30.869604"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "task_id": "3211be60-ba34-4060-b43c-2d12628a6972", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:30.870041"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "297ad98e-bec1-4aa1-a6de-fa6c2b1e8a46", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:30.871362"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "state": "SUCCESS", "task_id": "297ad98ebec14aa1a6defa6c2b1e8a46", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:30.896241"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492031, "schema_name": "public", "state": "SUCCESS", "task_id": "3211be60ba344060b43c2d12628a6972", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:30.897908"}
worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "task_id": "fc225ea9-accc-4fb8-b485-39c6a0ee5645", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:30.898187"}
worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 492097, "schema_name": "public", "state": "SUCCESS", "task_id": "fc225ea9accc4fb8b48539c6a0ee5645", "task_name": "event_trigger_handler", "timestamp": "2024-07-22T05:02:30.927156"}

Log of the service (jellyfin)

[2024-07-22 05:02:30.861 +00:00] [ERR] Failed to Connect or Bind to server as user "cn=testuser,ou=users,ou=jellyfin,dc=home,dc=server"
LdapException: Invalid Credentials (49) Invalid Credentials
LdapException: Matched DN: 
[2024-07-22 05:02:30.864 +00:00] [INF] Authentication request for "testuser" has been denied (IP: "10.1.20.1").
[2024-07-22 05:02:30.866 +00:00] [ERR] Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".

Version and Deployment (please complete the following information):
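The report hinges on how the bind password is interpreted when "Code-based MFA Support" is on: authentik documents that the one-time code is appended to the password after a semicolon, and the server logs above show the password stage rejecting testuser outright. The following is an added example (not authentik's or the outpost's own code) that models that decision in Go, the outpost's language: split the bind string, check the password, then validate an RFC 6238 TOTP with a one-step skew window. The `account` type, the `hunter2` password and the fixed clock are constructed for the demo; the secret is the RFC 6238 reference secret; splitting on the last `;` rather than the first is this example's choice and may not match the real outpost.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CodePasswordSeparator is the separator authentik documents for appending
// a one-time code to the LDAP bind password ("Code-based MFA Support").
const CodePasswordSeparator = ";"

// account is a constructed stand-in for an authentik user (plaintext
// password for illustration only; real systems store a hash).
type account struct {
	password string
	totp     []byte // raw TOTP secret; nil when no device is enrolled
}

// SplitBindPassword separates "<password>;<code>". With the option disabled
// the whole string is the password, so "password;123456" fails the password
// stage. Splitting on the LAST separator is this example's choice (assumption):
// it keeps passwords that contain ';' usable as long as the code comes last.
func SplitBindPassword(bind string, mfaCodeBased bool) (password, code string) {
	if !mfaCodeBased {
		return bind, ""
	}
	idx := strings.LastIndex(bind, CodePasswordSeparator)
	if idx < 0 {
		return bind, ""
	}
	return bind[:idx], bind[idx+len(CodePasswordSeparator):]
}

// DecodeSecret turns the base32 secret shown by authenticator apps into bytes.
func DecodeSecret(b32 string) ([]byte, error) {
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.ToUpper(b32))
}

// totpAt computes RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a Unix timestamp.
func totpAt(secret []byte, unix int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyTOTP accepts the current step and one step either side, comparing in
// constant time. It does not remember used codes; a production validator must
// also refuse a replayed code inside the window.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	ok := 0
	for _, skew := range []int64{-30, 0, 30} {
		want := totpAt(secret, now.Unix()+skew, 6)
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

// Bind models the two flow stages a simple bind drives: password stage, then
// authenticator validation for users with a device. Every failure reaches the
// LDAP client as the same result code 49 (invalidCredentials).
func Bind(acct account, bindPassword string, mfaCodeBased bool, now time.Time) error {
	password, code := SplitBindPassword(bindPassword, mfaCodeBased)
	if subtle.ConstantTimeCompare([]byte(acct.password), []byte(password)) != 1 {
		return errors.New("invalidCredentials (49): password stage rejected")
	}
	if acct.totp == nil {
		return nil // no device: the password alone completes the flow
	}
	if code == "" {
		return errors.New("invalidCredentials (49): TOTP enrolled but no code supplied")
	}
	if !VerifyTOTP(acct.totp, code, now) {
		return errors.New("invalidCredentials (49): one-time code rejected")
	}
	return nil
}

func main() {
	// Constructed data: RFC 6238 reference secret, fixed clock, demo user.
	secret, _ := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	now := time.Unix(1111111111, 0)
	testuser := account{password: "hunter2", totp: secret}
	code := totpAt(secret, now.Unix(), 6)
	for _, c := range []struct {
		bind string
		mfa  bool
	}{{"hunter2", true}, {"hunter2;" + code, true}, {"hunter2;" + code, false}} {
		fmt.Printf("bind=%q code-based-mfa=%v -> %v\n", c.bind, c.mfa, Bind(testuser, c.bind, c.mfa, now))
	}
}
```

Run as-is, the three cases reproduce the two outcomes from the report side by side: a TOTP-enrolled user binding with the bare password is refused, `password;code` succeeds only when the provider option is on, and with it off the same string is treated as a wrong password. The caveat the feature carries is visible in `SplitBindPassword`: once the option is enabled, any password containing `;` is at risk of being split, so it should only be turned on when every account that binds through the provider has a device enrolled.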

DirgoSalga commented 1 month ago

I have a similar issue using LDAP to authenticate to Jellyfin.

My user with MFA cannot authenticate. Other users that have not set up MFA (TOTP) have no trouble authenticating.

ProjectPatatoe commented 1 week ago

Still a problem. authentik: 2024.8.1, LDAP outpost: 2024.8.1