Comments (2)
calbrecht
commented on June 27, 2024
@d-schiffner @BeryJu could it be that this comparison
needs the same refactoring as that comparison which was added in #6096Although i do not speak go, i can see that there is a change of behavior which i can imagine to cause the caching of an assumably (by interpreting the behavior without understanding) broken session. Are you able to see the point?
from authentik.
calbrecht
commented on June 27, 2024
While this was happening for a dovecot service user and therefore affecting all users wanting to authenticate their Mailclient, it now happened for a specific human user again.
On the mailer server:
Jun 07 11:34:46 mailer dovecot[3423100]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 15 secs): user=<redacted>, method=PLAIN, rip=redacted, lip=redacted, TLS, session=<redacted>
On authentik server:
Jun 07 11:34:31 authentik ldap[479322]: {"attributes":["mail"],"baseDN":"ou=users,dc=goauthentik,dc=io","bindDN":"cn=service,ou=users,dc=goauthentik,dc=io","client":"redacted","event":"Search request","filter":"(&(objectClass=inetOrgPerson)(!(goauthentikio-user-service-account=true))(!(cn=redacted))(mail=redacted))","level":"info","requestId":"c6b5810c-bc60-4350-ace8-37db980102fb","scope":"Whole Subtree","timestamp":"2024-06-07T11:34:31Z","took-ms":3}
Jun 07 11:34:31 authentik server[1810923]: {"auth_via": "unauthenticated", "domain_url": "redacted", "event": "/api/v3/flows/executor/no-mfa-authentication-flow/?query=goauthentik.io%252Foutpost%252Fldap%3Dtrue", "host": "redacted", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 1810923, "remote": "redacted", "request_id": "c0ff07646d3b493b839658311946f513", "runtime": 133, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-06-07T11:34:31.987917", "user": "", "user_agent": "goauthentik.io/outpost/2024.4.2"}
Jun 07 11:34:31 authentik server[1810923]: {"event": "Error while closing socket [Errno 9] Bad file descriptor", "level": "info", "logger": "gunicorn.error", "timestamp": 1717760071.9952555}
Jun 07 11:34:31 authentik server[479321]: {"error":"read unix @->/tmp/authentik-core.sock: read: connection reset by peer","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2024-06-07T11:34:31Z"}
Jun 07 11:34:31 authentik server[479321]: {"error":"websocket: close 1012","event":"ws read error","level":"warning","logger":"authentik.outpost.ak-api-controller","loop":"ws-handler","timestamp":"2024-06-07T11:34:31Z"}
Jun 07 11:34:31 authentik ldap[479322]: {"error":"websocket: close 1012","event":"ws read error","level":"warning","logger":"authentik.outpost.ak-api-controller","loop":"ws-handler","timestamp":"2024-06-07T11:34:31Z"}
Jun 07 11:34:32 authentik ldap[479322]: {"bindDN":"cn=redacted,ou=users,dc=goauthentik,dc=io","client":"redacted","error":"failed to submit challenge 502 Bad Gateway","event":"failed to execute flow","level":"warning","requestId":"eaa4bc9b-24cf-4726-816d-a6a1eae2558a","timestamp":"2024-06-07T11:34:31Z"}
Jun 07 11:34:32 authentik ldap[479322]: {"bindDN":"cn=redacted,ou=users,dc=goauthentik,dc=io","client":"redacted","event":"Bind request","level":"info","requestId":"eaa4bc9b-24cf-4726-816d-a6a1eae2558a","timestamp":"2024-06-07T11:34:31Z","took-ms":178}
Followed by authenticated from session
Jun 07 11:34:38 authentik ldap[479322]: {"attributes":["mail"],"baseDN":"ou=users,dc=goauthentik,dc=io","bindDN":"cn=service,ou=users,dc=goauthentik,dc=io","client":"redacted","event":"Search request","filter":"(&(objectClass=inetOrgPerson)(!(goauthentikio-user-service-account=true))(!(cn=redacted))(mail=redacted))","level":"info","requestId":"b179953b-a46c-40c6-af84-efeaf84986e0","scope":"Whole Subtree","timestamp":"2024-06-07T11:34:38Z","took-ms":3}
Jun 07 11:34:38 authentik ldap[479322]: {"bindDN":"cn=redacted,ou=users,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2024-06-07T11:34:38Z"}
Jun 07 11:34:38 authentik ldap[479322]: {"bindDN":"cn=redacted,ou=users,dc=goauthentik,dc=io","client":"redacted","event":"Bind request","level":"info","requestId":"b5528cb6-91ab-4b67-aa7f-d79f47f0fa34","timestamp":"2024-06-07T11:34:38Z","took-ms":0}
Jun 07 11:34:44 authentik ldap[479322]: {"attributes":["mail"],"baseDN":"ou=users,dc=goauthentik,dc=io","bindDN":"cn=service,ou=users,dc=goauthentik,dc=io","client":"redacted","event":"Search request","filter":"(&(objectClass=inetOrgPerson)(!(goauthentikio-user-service-account=true))(!(cn=redacted))(mail=redacted))","level":"info","requestId":"46eeae49-265e-401b-a1b1-75b48634bde3","scope":"Whole Subtree","timestamp":"2024-06-07T11:34:44Z","took-ms":3}
Jun 07 11:34:44 authentik ldap[479322]: {"bindDN":"cn=redacted,ou=users,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2024-06-07T11:34:44Z"}
Jun 07 11:34:44 authentik ldap[479322]: {"bindDN":"cn=redacted,ou=users,dc=goauthentik,dc=io","client":"redacted","event":"Bind request","level":"info","requestId":"06bddd3f-46b3-406c-8ffd-ed9b33d431d8","timestamp":"2024-06-07T11:34:44Z","took-ms":0}
from authentik.
Related Issues (20)
- Nginx proxy managers/nginx configuration given by authentik does not work HOT 5
- Update check fails HOT 1
- AzureAD OAuth Source - Profile URL Reset HOT 2
- Authentik Workers are now have an unexpectedly high memory footprint HOT 1
- ldap duplicate key value
- Schedule custom actions
- docs: Update Gitea Service index.md
- Proxy Outpost no longer works after changing server URL
- application/o/authorize endpoint missing CORS headers HOT 1
- Bug Report: "Not you?" Button Cancels Authentication Flow for Applications HOT 3
- Authentik Does Not Respect User Lock Status from Fusion Directory
- Injecting `prompt=` URL parameters into OAuth source (social login / federated) authorization endpoint request
- authentik/ADFS: Authentication failed: Could not retrieve profile.
- Healthcheck endpoints returning 404 HOT 1
- Add Worker Healthcheck endpoint
- AUTHENTIK_LOG_LEVEL is not respected HOT 4
- Missing custom scopes in JWT (M2M) HOT 3
- Error sending recovery link via Mail von Display Name has "," in it HOT 1
- Error During Example Enrollment Flow
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authentik.