"No matching rule for subject ..." after updating Authelia to v4.37.3 #4528

Closed
7 tasks done
GeoCookie opened this issue Dec 9, 2022 · 7 comments · Fixed by #4569
Labels
priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs

Comments

@GeoCookie

Version

v4.37.3

Deployment Method

Docker

Reverse Proxy

SWAG

Reverse Proxy Version

2.0.0

Description

Hi there,

With the 4.37.3 update, my Authelia is broken. I can no longer access any of my resources. In the logs it says that Authelia can't find any matching rules (see below).

I reverted to Authelia 4.37.2 and restored the Docker volume from backup (due to storage schema migration) and everything works again.

I haven't seen anything in the changelog that can explain that.

Reproduction

Connect to my primary URL
Authenticate on Authelia webpage
Get an HTTP 401 error code

Expectations

No response

Configuration (Authelia)

###############################################################
#                   Authelia configuration                    #
###############################################################

#Full example here : https://github.com/authelia/authelia/blob/master/config.template.yml

## Server
server:
  path: authelia
  host: 0.0.0.0
  port: 9091

## Root CA import
certificates_directory: /run/secrets

## Log
log:
  level: debug
  file_path: /config/log/authelia.log

## JWT Token
#jwt_secret: set via Docker Secret

## Default redirection URL
default_redirection_url: https://heimdall.mydomain.duckdns.org

##Theme
theme: auto

## TOTP Configuration
totp:
  issuer: authelia.com

# Duo Push API
duo_api:
  hostname: api-f3e07657.duosecurity.com
  integration_key: xxxxxxxxxxxxxxxxxxx
  #secret_key: set via Docker Secret

## Authentication Backend Provider Configuration
authentication_backend:
  password_reset:
    disable: true

  ldap:
    # Define default attributes
    implementation: activedirectory

    url: ldap://ldap.mydomain.lan
    start_tls: true
    tls:
      skip_verify: false

    base_dn: dc=mydomain,dc=lan
    additional_users_dn: OU=Users,OU=Accounts
    users_filter: (&({username_attribute}={input})(sAMAccountType=805306368)(memberOf=CN=Authelia Users,OU=Authelia,OU=Groups,DC=mydomain,DC=lan))
    additional_groups_dn: OU=Authelia,OU=Groups

    user: "CN=Authelia,OU=Services,OU=Accounts,DC=mydomain,DC=lan"
    #password: set via Docker Secret

## Access Control Configuration
access_control:
  default_policy: deny

  rules:
    #Standard Users
    - domain:
        - heimdall.mydomain.duckdns.org
        - emby.mydomain.duckdns.org
        - dsfile.mydomain.duckdns.org
      subject:
        - "group:Authelia Users"
      policy: one_factor
    #Power Users
    - domain:
        - sonarr.mydomain.duckdns.org
        - radarr.mydomain.duckdns.org
        - bazarr.mydomain.duckdns.org
        - qbittorrent.mydomain.duckdns.org
        - recalbox.mydomain.duckdns.org
        - prowlarr.mydomain.duckdns.org
      subject:
        - "group:Authelia Power Users"
      policy: one_factor
    #Admin Users (from Yuna)
    - domain:
        - "*.mydomain.duckdns.org"
      subject:
        - "group:Authelia Admin Users"
      policy: one_factor
      networks:
        - 192.168.10.201/32
    #Admin Users
    - domain:
        - "*.mydomain.duckdns.org"
      subject:
        - "group:Authelia Admin Users"
      policy: two_factor

## Session Provider Configuration
session:
  name: authelia_session
  domain: mydomain.duckdns.org
  #secret: set via Docker Secret
  expiration: 8h
  inactivity: 30m
  remember_me_duration: -1

  ## Redis Provider
  redis:
    host: redis
    port: 6379

## Regulation Configuration
regulation:
  max_retries: 0

## Storage Provider Configuration
storage:
  #encryption_key: set via Docker Secret
  local:
    path: /config/db.sqlite3

## Notification Provider
notifier:
  filesystem:
    filename: /config/notification.txt

Logs (Authelia)

time="2022-12-09T02:00:45+01:00" level=info msg="Storage schema is being checked for updates"
time="2022-12-09T02:00:45+01:00" level=info msg="Storage schema migration from 6 to 7 is being attempted"
time="2022-12-09T02:00:45+01:00" level=debug msg="Storage schema migrated from version 6 to 7"
time="2022-12-09T02:00:45+01:00" level=info msg="Storage schema migration from 6 to 7 is complete"
time="2022-12-09T02:00:45+01:00" level=debug msg="LDAP Supported OIDs. Control Types: 1.2.840.113556.1.4.319, 1.2.840.113556.1.4.801, 1.2.840.113556.1.4.473, 1.2.840.113556.1.4.528, 1.2.840.113556.1.4.417, 1.2.840.113556.1.4.619, 1.2.840.113556.1.4.841, 1.2.840.113556.1.4.529, 1.2.840.113556.1.4.805, 1.2.840.113556.1.4.521, 1.2.840.113556.1.4.970, 1.2.840.113556.1.4.1338, 1.2.840.113556.1.4.474, 1.2.840.113556.1.4.1339, 1.2.840.113556.1.4.1340, 1.2.840.113556.1.4.1413, 2.16.840.1.113730.3.4.9, 2.16.840.1.113730.3.4.10, 1.2.840.113556.1.4.1504, 1.2.840.113556.1.4.1852, 1.2.840.113556.1.4.802, 1.2.840.113556.1.4.1907, 1.2.840.113556.1.4.1948, 1.2.840.113556.1.4.1974, 1.2.840.113556.1.4.1341, 1.2.840.113556.1.4.2026, 1.2.840.113556.1.4.2064, 1.2.840.113556.1.4.2065, 1.2.840.113556.1.4.2066, 1.2.840.113556.1.4.2090, 1.2.840.113556.1.4.2205, 1.2.840.113556.1.4.2204, 1.2.840.113556.1.4.2206, 1.2.840.113556.1.4.2211, 1.2.840.113556.1.4.2239, 1.2.840.113556.1.4.2255, 1.2.840.113556.1.4.2256, 1.2.840.113556.1.4.2309, 1.2.840.113556.1.4.2330, 1.2.840.113556.1.4.2354. Extensions: 1.3.6.1.4.1.1466.20037, 1.3.6.1.4.1.1466.101.119.1, 1.2.840.113556.1.4.1781, 1.3.6.1.4.1.4203.1.11.3, 1.2.840.113556.1.4.2212"
time="2022-12-09T02:00:50+01:00" level=warning msg="Could not read from the NTP server socket to validate the system time is properly synchronized: read udp 172.18.0.7:52915->162.159.200.1:123: i/o timeout"
time="2022-12-09T02:00:50+01:00" level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/' and '/authelia'"
time="2022-12-09T09:50:17+01:00" level=debug msg="Check authorization of subject username= groups= ip=10.11.12.10 and object https://heimdall.mydomain.duckdns.org/ (method GET)."
time="2022-12-09T09:50:17+01:00" level=info msg="Access to https://heimdall.mydomain.duckdns.org/ (method GET) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=10.11.12.10
time="2022-12-09T09:50:34+01:00" level=debug msg="Mark 1FA authentication attempt made by user 'myname-admin'" method=POST path=/api/firstfactor remote_ip=10.11.12.10
time="2022-12-09T09:50:34+01:00" level=debug msg="Successful 1FA authentication attempt made by user 'myname-admin'" method=POST path=/api/firstfactor remote_ip=10.11.12.10
time="2022-12-09T09:50:34+01:00" level=debug msg="Check authorization of subject username=myname-admin groups= ip=10.11.12.10 and object https://heimdall.mydomain.duckdns.org/ (method )."
time="2022-12-09T09:50:34+01:00" level=debug msg="No matching rule for subject username=myname-admin groups= ip=10.11.12.10 and url https://heimdall.mydomain.duckdns.org/ (method ) applying default policy"
time="2022-12-09T09:50:34+01:00" level=debug msg="Required level for the URL https://heimdall.mydomain.duckdns.org/ is 3" method=POST path=/api/firstfactor remote_ip=10.11.12.10
time="2022-12-09T09:50:34+01:00" level=debug msg="Redirection URL https://heimdall.mydomain.duckdns.org/ is safe" method=POST path=/api/firstfactor remote_ip=10.11.12.10
time="2022-12-09T09:50:35+01:00" level=debug msg="Check authorization of subject username=myname-admin groups= ip=10.11.12.10 and object https://heimdall.mydomain.duckdns.org/ (method GET)."
time="2022-12-09T09:50:35+01:00" level=debug msg="No matching rule for subject username=myname-admin groups= ip=10.11.12.10 and url https://heimdall.mydomain.duckdns.org/ (method GET) applying default policy"
time="2022-12-09T09:50:35+01:00" level=info msg="Access to https://heimdall.mydomain.duckdns.org/ is forbidden to user myname-admin" method=GET path=/api/verify remote_ip=10.11.12.10

Logs (Proxy / Application)

No response

Documentation

No response

Pre-Submission Checklist

  • I agree to follow the Code of Conduct
  • This is a bug report and not a support request
  • I have read the security policy and this bug report is not a security issue or security related issue
  • I have either included the complete configuration file or I am sure it's unrelated to the configuration
  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
  • I have checked for related proxy or application logs and included them if available
  • I have checked for related issues and checked the documentation
@GeoCookie GeoCookie added priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs labels Dec 9, 2022
@GeoCookie
Author

I read the logs again. Authelia is not able to get my account groups:
username=myname-admin groups= <<null>>
Since my access policies are based on groups, it is normal that none of them are matching. I will continue my research.

@james-d-elliott
Member

Looks like the groups filter factorization may have got you; try with the following:

## Authentication Backend Provider Configuration
authentication_backend:
  password_reset:
    disable: true

  ldap:
    # Define default attributes
    implementation: activedirectory

    url: ldap://ldap.mydomain.lan
    start_tls: true
    tls:
      skip_verify: false

    base_dn: dc=mydomain,dc=lan
    additional_users_dn: OU=Users,OU=Accounts
    users_filter: (&({username_attribute}={input})(sAMAccountType=805306368)(memberOf=CN=Authelia Users,OU=Authelia,OU=Groups,DC=mydomain,DC=lan))
    additional_groups_dn: OU=Authelia,OU=Groups
    groups_filter: (&(member={dn})(objectClass=group))
    user: "CN=Authelia,OU=Services,OU=Accounts,DC=mydomain,DC=lan"

@james-d-elliott
Member

Also could you show the objectClass, group scope, and group type of the affected groups? Also the type of LDAP backend? Is it Microsoft AD or Samba AD?

@GeoCookie
Author

Hey @james-d-elliott
I added the line groups_filter:xxx in my configuration file and it's working! For my understanding, the fact that this missing line broke Authelia is related to the last update?

For your question, I use Active Directory as backend and my group is a security local group.

Thank you for your ultra-quick solution! :)

@james-d-elliott
Member

I added the line groups_filter:xxx in my configuration file and it's working! For my understanding, the fact that this missing line broke Authelia is related to the last update?

It is, but I tested it locally so it's strange it didn't work for you. I adjusted the filter to the recommended filter by Microsoft. I'll double check this. It might be the fact it's a domain local group.

@GeoCookie
Author

Feel free to reach me if you need me to run some tests.

james-d-elliott added a commit that referenced this issue Dec 14, 2022
The groups filter narrowing for Active Directory to purposefully exclude distribution groups (which are not designed to act as security groups) unintentionally removed DLSGs from the filter results. This effectively reverts that, allowing both DLSGs and GUSGs to be returned by default.

Fixes #4551, Fixes #4528
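The commit message describes the regression in terms of Active Directory group kinds. The following is an added example, not Authelia's code, and the three filter strings are illustrative rather than Authelia's actual defaults: it derives sAMAccountType from AD's documented groupType bits and shows that a groups filter accepting only sAMAccountType 268435456 returns a user's global/universal security groups but drops domain local security groups, which is the symptom in this thread. The group entries and their membership are constructed.

```python
# Added example, not Authelia's code: models how an Active Directory groups_filter
# decides which groups a user holds, and why a filter keeping only global/universal
# security groups silently drops domain local security groups (DLSG). Data constructed.

# groupType bit flags (stored signed 32-bit in AD, so security groups are negative)
GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL, GT_SECURITY_ENABLED = 0x2, 0x4, 0x8, 0x80000000

# sAMAccountType values AD derives from groupType
SAM_GROUP_OBJECT = 0x10000000               # 268435456 global/universal security (GUSG)
SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001  # 268435457 global/universal distribution
SAM_ALIAS_OBJECT = 0x20000000               # 536870912 domain local security (DLSG)
SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001  # 536870913 domain local distribution

def sam_account_type(group_type):
    """Derive sAMAccountType from a signed or unsigned groupType value."""
    gt = group_type & 0xFFFFFFFF
    security = bool(gt & GT_SECURITY_ENABLED)
    if gt & GT_DOMAIN_LOCAL:
        return SAM_ALIAS_OBJECT if security else SAM_NON_SECURITY_ALIAS_OBJECT
    return SAM_GROUP_OBJECT if security else SAM_NON_SECURITY_GROUP_OBJECT

# Constructed groups the test user is a member of: CN -> groupType as AD stores it.
GROUPS = {
    "Authelia Users": -2147483646,        # 0x80000002: global security group
    "Authelia Admin Users": -2147483644,  # 0x80000004: domain local security group
    "Release Notes": 2,                   # 0x00000002: global distribution group
}

# Candidate groups_filter shapes (illustrative, not Authelia's defaults): LDAP text -> predicate on sAMAccountType
FILTERS = {
    "(&(member={dn})(objectClass=group))":
        lambda sam: True,                                   # every group, incl. distribution lists
    "(&(member={dn})(sAMAccountType=268435456))":
        lambda sam: sam == SAM_GROUP_OBJECT,                # GUSG only: DLSGs vanish
    "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))":
        lambda sam: sam in (SAM_GROUP_OBJECT, SAM_ALIAS_OBJECT),  # security groups of any scope
}

def groups_for_user(ldap_filter):
    """Group CNs the filter returns for the user (membership assumed for all GROUPS)."""
    predicate = FILTERS[ldap_filter]
    return sorted(cn for cn, gt in GROUPS.items() if predicate(sam_account_type(gt)))

if __name__ == "__main__":
    for f in FILTERS:
        print(f, "->", groups_for_user(f))
```

With a user whose only access-control subject is a domain local security group, the second filter yields an empty groups list, which is exactly what produces "No matching rule for subject ... groups=" followed by the deny default policy.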
@james-d-elliott
Member

See the adjusted default in #4569
