goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP Outpost: Unable to change password via LDAP #2112

Open samip5 opened 2 years ago

samip5 commented 2 years ago

Describe the bug

I'm not sure if this is a bug or a feature, but I'm unable to change password via LDAP when used with Authelia.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy LDAP outpost
  2. Deploy Authelia with LDAP
  3. Try to change password via Authelia
  4. Have it fail.

Expected behavior

I would have expected it to let me change my password.

Logs

Authelia:

time="2022-01-19T23:06:25Z" level=error msg="unable to update password. Cause: LDAP Result Code 50 \"Insufficient Access Rights\": Insufficient Access Rights" method=POST path=/api/reset-password remote_ip="2001:67c:1104:<snip>" stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:60          (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/handlers/handler_reset_password_step2.go:38 ResetPasswordPost\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:51          AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.4.4/router.go:414                                      (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14               LogRequestMiddleware.func1\ngithub.com/valyala/fasthttp@v1.31.0/server.go:2278                                   (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.31.0/workerpool.go:223                                (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.31.0/workerpool.go:195                                (*workerPool).getCh.func1\nruntime/asm_arm64.s:1133

LDAP outpost:

{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:48Z","type":"native"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:49Z","type":"native"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","component":"ak-stage-password","event":"Got challenge","flow":"default-authentication-flow","level":"debug","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:49Z","type":"native"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","component":"xak-flow-redirect","event":"Got response","flow":"default-authentication-flow","level":"debug","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:50Z","type":"redirect"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","event":"User has access","flow":"default-authentication-flow","level":"debug","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:50Z"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","event":"User has access","level":"info","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:50Z"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","event":"Allowed access to search","group":"authentik Admins","level":"info","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:50Z"}
{"bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","event":"Bind request","level":"info","requestId":"ed9e111b-20df-492b-a59a-00bdd865ef9b","timestamp":"2022-01-19T23:14:50Z","took-ms":2248}
{"baseDN":"ou=users,dc=ldap,dc=skylab,dc=fi","bindDN":"cn=akadmin,dc=ldap,dc=skylab,dc=fi","client":"10.0.105.15","event":"Search request","filter":"(\u0026(cn=sm))","level":"info","requestId":"18eb95d3-3ebf-4178-9008-2452bc24f000","scope":"Whole Subtree","timestamp":"2022-01-19T23:14:50Z","took-ms":0}

Version and Deployment (please complete the following information):

Additional context

Authelia's config can be found here: https://github.com/samip5/k8s-cluster/blob/62ff8515c4866f2ce56b916238729d969afdefc7/cluster/apps/security/authelia_fi/helm-release.yaml#L112-L123
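A triage sketch for the two log excerpts in the report above, added here as an example and not part of the original issue or of either project's code: it pulls the LDAP result code out of the Authelia line and checks whether the outpost excerpt contains any request logged near that timestamp. The sample lines are constructed, shortened copies of the quoted ones, and the function names are hypothetical.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: shortened copies of log lines quoted in the report above.
AUTHELIA_LINE = (
    'time="2022-01-19T23:06:25Z" level=error msg="unable to update password. Cause: '
    'LDAP Result Code 50 \\"Insufficient Access Rights\\": Insufficient Access Rights"'
)
OUTPOST_LOG = "\n".join([
    '{"event":"Got challenge","level":"debug","timestamp":"2022-01-19T23:14:48Z"}',
    '{"event":"Bind request","level":"info","timestamp":"2022-01-19T23:14:50Z"}',
    '{"event":"Search request","level":"info","timestamp":"2022-01-19T23:14:50Z"}',
    'truncated or non-JSON line',
])
TS = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp form used by both logs

def authelia_failure(line):
    """Return (timestamp, LDAP result code, description), or None if absent."""
    ts = re.search(r'time="([^"]+)"', line)
    res = re.search(r'LDAP Result Code (\d+) \\?"([^"\\]+)', line)
    if not (ts and res):
        return None
    return datetime.strptime(ts.group(1), TS), int(res.group(1)), res.group(2)

def outpost_requests(log_text):
    """Return [(timestamp, event)] for '... request' events; skip unparsable lines."""
    found = []
    for raw in log_text.splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        event = str(rec.get("event", "")) if isinstance(rec, dict) else ""
        if event.endswith(" request") and "timestamp" in rec:
            found.append((datetime.strptime(rec["timestamp"], TS), event))
    return found

def correlate(line, log_text, window=timedelta(seconds=30)):
    """Check whether the outpost excerpt covers the moment the client saw the error."""
    failure = authelia_failure(line)
    if failure is None:
        return None
    ts, code, text = failure
    reqs = outpost_requests(log_text)
    gaps = [abs(t - ts) for t, _ in reqs]
    return {"code": code, "text": text, "operations_seen": sorted({e for _, e in reqs}),
            "near_failure": sorted({e for t, e in reqs if abs(t - ts) <= window}),
            "nearest_gap_s": min(gaps).total_seconds() if gaps else None}
```

On these samples `correlate(AUTHELIA_LINE, OUTPOST_LOG)` finds only bind and search requests, the nearest of them 505 seconds after the Authelia error, so the outpost excerpt does not cover the failing operation.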

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

samip5 commented 2 years ago

No stale

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.