2
votes

We are currently running Artifactory Pro 6.23.7 in production using the Docker setup and would like to upgrade to Artifactory Pro 7.12.6. To test this I created a clone of the production VM and followed the upgrade instructions here. Artifactory starts successfully, but when trying to log in with my LDAP user I get several errors in the logs, such as:

    2021-01-20T10:34:25.910Z [jfac ] [INFO ] [25da744de0923216] [j.a.s.s.t.TokenServiceImpl:438] [27.0.0.1-8040-exec-3] - Deleted 1 tokens with user: 'sebastian.gerau' and scope 'authentication:remember-me'.
    2021-01-20T10:34:26.311Z [jfrt ] [WARN ] [4fdb3eea5a082893] [o.a.s.l.LdapServiceImpl:232   ] [http-nio-8081-exec-9] - No search filter defined.
    2021-01-20T10:34:26.312Z [jfrt ] [WARN ] [4fdb3eea5a082893] [o.a.s.l.LdapServiceImpl:138   ] [http-nio-8081-exec-9] - Cannot find user: 'sebastian.gerau', LDAP settings not valid
    2021-01-20T10:34:26.306Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:232   ] [http-nio-8081-exec-8] - No search filter defined.
    2021-01-20T10:34:26.317Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:138   ] [http-nio-8081-exec-8] - Cannot find user: 'sebastian.gerau', LDAP settings not valid
    2021-01-20T10:34:26.319Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:232   ] [ttp-nio-8081-exec-10] - No search filter defined.
    2021-01-20T10:34:26.322Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:138   ] [ttp-nio-8081-exec-10] - Cannot find user: 'sebastian.gerau', LDAP settings not valid
    2021-01-20T10:34:26.337Z [jfrt ] [WARN ] [4fdb3eea5a082893] [o.a.s.l.LdapUtils:116         ] [http-nio-8081-exec-9] - Updating user: 'sebastian.gerau' after LDAP login authentication failure

I also see a popup with the message "This request is blocked due to recurrent login failures, please try again in # seconds."

It's possible to log in using the local admin user. Doing so I was able to confirm that the LDAP configuration does indeed match that of the production system and that an LDAP connection test succeeds with the exact same user that failed during login.

The questions are:

  • Has anyone encountered the same or a similar issue when upgrading from 6.x to 7.x?
  • What could cause this behavior, i.e. the connection test succeeds but login fails - all with the same user?
  • What would cause these recurrent login failures?

I tried adding the search filter (mentioned in the log output), checked the LDAP logs (all looks good there), and even deleted and recreated the LDAP config from scratch. Nothing seems to change the behavior. Also, there is nothing in the service logs that would indicate a problem.

1 Answer

1
votes

I had the same problem with the OSS version. So I downloaded the source and found this snippet:

    private boolean validateLdapSettings(LdapSetting ldapSetting) {
        if (ldapSetting == null) {
            log.warn("No LDAP settings defined.");
            return false;
        }
        if (!ldapSetting.isEnabled()) {
            log.warn("LDAP settings not enabled.");
            return false;
        }
        if (ldapSetting.getSearch() == null || isBlank(ldapSetting.getSearch().getSearchFilter())) {
            log.warn("No search filter defined.");
            return false;
        }
        return true;
    }

Clearly the search filter is the culprit. It has apparently become non-optional. So I added the catch-all: (objectClass=*) as a search filter. And now another error turned up:

    2021-02-01T10:14:33.583Z [jfrt ] [WARN ] [1543ce38d0eaacb5] [o.a.s.l.LdapServiceImpl:208   ] [http-nio-8081-exec-9] - Unexpected exception in LDAP query: for user: 'niklas' vid LDAP: [LDAP: error code 50 - Insufficient Access Rights]; nested exception is javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name '/'

This time I needed to check at the LDAP server end, and it seems the validation is done as a separate request starting from the top level, where, true enough, the users don't have permission. So, add a base where they do; for me that was ou=accounts. A new error!

    2021-02-01T10:29:02.963Z [jfrt ] [WARN ] [76943ac7c75c40f2] [o.a.s.l.LdapServiceImpl:208   ] [http-nio-8081-exec-6] - Unexpected exception in LDAP query: for user: 'niklas' vid LDAP: Incorrect result size: expected 1, actual 57

So the search filter must be limited to only find the user entry. So I changed it to be (uid={0}). TADA! Now it worked.
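
The answer's three filter settings, replayed against a small in-memory directory as an added example (not code from the answer or from Artifactory): it mirrors the blank-filter check and the exactly-one-result rule seen in the logs, and escapes the login name before substituting it for {0}. The directory entries, BASE and the function names are constructed for illustration; server-side access control (the error code 50 step) is not modelled.

```python
import re

# Constructed sample directory (not from the page): DN -> attributes.
BASE = "ou=accounts,dc=example,dc=org"
DIRECTORY = {
    BASE: {"objectClass": ["organizationalUnit"], "ou": ["accounts"]},
    "uid=niklas," + BASE: {"objectClass": ["inetOrgPerson"], "uid": ["niklas"]},
    "uid=sebastian.gerau," + BASE: {"objectClass": ["inetOrgPerson"], "uid": ["sebastian.gerau"]},
    "cn=build,ou=services,dc=example,dc=org": {"objectClass": ["applicationProcess"], "cn": ["build"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def check_login_search(search_base, search_filter, username):
    """Hypothetical pre-flight check: return (ok, detail) for one login lookup."""
    if not search_filter or not search_filter.strip():
        return False, "No search filter defined."
    expanded = search_filter.replace("{0}", escape_filter_value(username))
    m = re.fullmatch(r"\((\w+)=(.*)\)", expanded)
    if not m:
        return False, "Unsupported filter in this model: " + search_filter
    attr, wanted = m.groups()

    def in_scope(dn):  # subtree scope: the base entry and everything below it
        return not search_base or dn == search_base or dn.endswith("," + search_base)

    def matches(attrs):  # (attr=*) is a presence test, otherwise exact equality
        if wanted == "*":
            return attr in attrs
        return wanted in [escape_filter_value(v) for v in attrs.get(attr, [])]

    hits = [dn for dn, attrs in DIRECTORY.items() if in_scope(dn) and matches(attrs)]
    if len(hits) != 1:
        return False, "Incorrect result size: expected 1, actual %d" % len(hits)
    return True, hits[0]

if __name__ == "__main__":
    for flt in ("", "(objectClass=*)", "(uid={0})"):
        print(repr(flt), check_login_search(BASE, flt, "niklas"))
    print("wildcard login name:", check_login_search(BASE, "(uid={0})", "*"))
```
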