2017-08-19 40 views
0

WSO2 Identity Server - Active Directory integration - change password problem

So I've been doing some testing with the latest version of WSO2 IS (5.3.0), just running it locally on my laptop.

I've set up the AD integration and used Delegated Control to give the LDAP bind account the right to reset passwords on a specific OU and the objects within it. The same LDAP bind account is also configured as the INTERNAL/admin account.

When either of the two users in that specific OU logs in, they can change their own password. The ADMIN account I'm using can find them, but cannot change their passwords (in AD terms, "RESET PASSWORD", even though it should be able to).

Here's my user-mgt.xml (I've removed the large commented-out blocks):

<UserManager> 
    <Realm> 
     <Configuration> 
      <AddAdmin>true</AddAdmin> 
      <AdminRole>admin</AdminRole> 
      <AdminUser> 
       <UserName>ADMIN</UserName> 
       <Password>PASSWORD</Password> 
      </AdminUser> 
      <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root --> 
      <Property name="isCascadeDeleteEnabled">false</Property> 
      <!-- <Property name="initializeNewClaimManager">true</Property> --> 
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property> 
     </Configuration> 

     <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager"> 
      <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> 
      <!-- <Property name="AnonymousBind">false</Property> --> 
      <Property name="BackLinksEnabled">true</Property> 
      <Property name="ConnectionName">CN=ADMIN,OU=DEPARTMENT,OU=USERS,DC=EXAMPLE,DC=COM</Property> 
      <Property name="ConnectionPassword">PASSWORD</Property> 
      <!-- <Property name="ConnectionPoolingEnabled">false</Property> --> 
      <Property name="ConnectionURL">LDAPS://DC.EXAMPLE.COM:636</Property> 
      <Property name="defaultRealmName">EXAMPLE.COM</Property> 
      <Property name="DisplayNameAttribute">sAMAccountName</Property> 
      <Property name="EmptyRolesAllowed">true</Property> 
      <Property name="GroupEntryObjectClass">group</Property> 
      <Property name="GroupNameAttribute">cn</Property> 
      <Property name="GroupNameListFilter">(objectcategory=group)</Property> 
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property> 
      <Property name="GroupSearchBase">OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=COM</Property> 
      <Property name="isADLDSRole">false</Property> 
      <Property name="IsBulkImportSupported">false</Property> 
      <Property name="kdcEnabled">false</Property> 
      <Property name="LDAPConnectionTimeout">5000</Property> 
      <Property name="MaxRoleNameListLength">100</Property> 
      <Property name="MaxUserNameListLength">100</Property> 
      <!-- <Property name="MemberOfAttribute">memberOf</Property> --> 
      <Property name="MembershipAttribute">member</Property> 
      <Property name="MultiAttributeSeparator">,</Property> 
      <Property name="PasswordHashMethod">PLAIN_TEXT</Property> 
      <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property> 
      <!-- <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property> --> 
      <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> 
      <Property name="ReadGroups">true</Property> 
      <Property name="ReadTimeout"/> 
      <Property name="Referral">follow</Property> 
      <Property name="RetryAttempts"/> 
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
      <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property> 
      <Property name="SCIMEnabled">false</Property> 
      <!-- <Property name="userAccountControl">512</Property> --> 
      <Property name="userAccountControl">66048</Property> 
      <Property name="UserEntryObjectClass">user</Property> 
      <Property name="UserNameAttribute">sAMAccountName</Property> 
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
      <!-- <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property> --> 
      <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property> 
      <Property name="UserNameListFilter">(objectClass=user)</Property> 
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(sAMAccountName=?))</Property> 
      <Property name="UserRolesCacheEnabled">true</Property> 
      <Property name="UserSearchBase">OU=EXAMPLE Users,DC=EXAMPLE,DC=COM</Property> 
      <Property name="WriteGroups">false</Property> 
     </UserStoreManager> 

     <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager"> 
      <Property name="AdminRoleManagementPermissions">/permission</Property> 
      <Property name="AuthorizationCacheEnabled">true</Property> 
      <Property name="GetAllRolesOfUserEnabled">true</Property> 
     </AuthorizationManager> 
    </Realm> 
</UserManager> 

Here's my debug output:

[2017-08-18 17:00:02,466] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : ADMIN resource /permission/admin/manage/identity/usermgt/update action : ui.execute 
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin/manage/identity/usermgt/update Action: ui.execute 
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin 
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin/manage/identity/usermgt/update action : ui.execute 
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin 
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - ADMIN user has permitted resource : /permission/admin/manage/identity/usermgt/update, action :ui.execute 
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : username01 resource /permission action : ui.execute 
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission Action: ui.execute 
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin 
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission action : ui.execute 
[2017-08-18 17:00:02,469] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin 
[2017-08-18 17:00:02,469] DEBUG {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Retrieving internal roles for user name : username01 and search filter * 
[2017-08-18 17:00:02,470] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01 
[2017-08-18 17:00:02,544] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase: 
[2017-08-18 17:00:02,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for username01 is CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM 
[2017-08-18 17:00:02,549] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true 
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Escaped DN value for filter : CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM 
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Reading roles with the membershipProperty Property: member 
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Result for searchBase: OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM searchFilter: (&(objectcategory=group)(member=CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM)) property:cn appendDN: false 
[2017-08-18 17:00:02,627] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user has permitted resource : /permission, action :ui.execute 
[2017-08-18 17:00:02,627] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user is not Authorized to perform ui.execute on /permission 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : username01 resource /permission/admin action : ui.execute 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin Action: ui.execute 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin action : ui.execute 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user has permitted resource : /permission/admin, action :ui.execute 
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user is not Authorized to perform ui.execute on /permission/admin 
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01 
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01 
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true 
[2017-08-18 17:00:02,681] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - value after escaping special characters in USER NAME01 : USER NAME01 
[2017-08-18 17:00:02,687] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - Can not access the directory service for user : username01 
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 
    'OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM' 
]; remaining name 'CN=USER NAME01' 

    ... 

[2017-08-18 17:00:02,970] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : ADMIN resource /permission/admin/login action : ui.execute 
[2017-08-18 17:00:02,971] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin/login Action: ui.execute 
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin 
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/everyone 
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin/login action : ui.execute 
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin 
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/everyone 
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - ADMIN user has permitted resource : /permission/admin/login, action :ui.execute 

(Hopefully I've sanitized these well enough...)

Here's what the log looks like when one of those users logs in and successfully changes their own password:

[2017-08-18 17:21:27,471] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01 
[2017-08-18 17:21:27,472] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01 
[2017-08-18 17:21:27,472] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true 
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01 
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01 
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true 
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01 
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01 
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true 
[2017-08-18 17:21:27,534] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase: 
[2017-08-18 17:21:27,535] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :ref 
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01 
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01 
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true 
[2017-08-18 17:21:27,627] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase: 
[2017-08-18 17:21:27,627] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :accountLock 
[2017-08-18 17:21:27,632] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating user username01 
[2017-08-18 17:21:27,632] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Cache hit. Using DN CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM 
[2017-08-18 17:21:27,705] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM is authnticated: true 
[2017-08-18 17:21:27,712] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating user username01 
[2017-08-18 17:21:27,712] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Cache hit. Using DN CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM 
[2017-08-18 17:21:27,783] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM is authnticated: true 
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity 
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/users 
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/passwords 
[2017-08-18 17:21:28,032] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/profiles 

And I've confirmed that the password actually did get changed in AD by doing a simple: Get-ADUser username01 -Properties *

Anyway, can someone point out what's wrong? We have a partner who set up a production version for us, and while it has other problems (which is why I set up my own local version to help test), it does allow users to log in and change their own passwords, and also allows this ADMIN user to log in and change the passwords of those two users.

I've even tried copying their user-mgt.xml into my local instance, but that didn't work either. I believe the production version is 5.1.0 while mine is 5.3.0, which may also be relevant.

Help?
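The failing line in the first debug trace is a JNDI NameNotFoundException carrying LDAP result code 32 (NO_OBJECT). In that error text the directory reports two things: the deepest entry it could resolve ("best match of: 'OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM'") and the part of the name it could not ("remaining name 'CN=USER NAME01'"). Joining the two gives the DN the modify actually targeted, and the earlier "Name in space for username01 is ..." line gives the DN the user-store manager had found for the same user. The following script is an added example for triaging such a log, not code from the original post or from WSO2; it works on a constructed copy of the relevant lines above, and the regular expressions and the split_dn helper are my own assumptions about the log format, not part of the product.

```python
"""Triage helper for the WSO2 IS debug log above (added example, not WSO2 code).

It parses the 'Name in space for <user> is <DN>' line, which records the DN the
user-store manager actually found, and the javax.naming.NameNotFoundException
(LDAP error code 32, NO_OBJECT) text, which records the name the directory could
not resolve ('remaining name') and the deepest entry that did exist ('best match').
Joining the two reconstructs the DN that the failing operation targeted; comparing
it with the DN found earlier shows whether the two refer to the same entry.
"""
import re

# Constructed sample: the relevant lines of the posted log, sanitized as in the post.
SAMPLE_LOG = """\
[2017-08-18 17:00:02,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for username01 is CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM
[2017-08-18 17:00:02,687] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - Can not access the directory service for user : username01
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
    'OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM'
]; remaining name 'CN=USER NAME01'
"""

# Assumed patterns, derived from the log lines quoted in the question.
FOUND_DN_RE = re.compile(r"Name in space for (\S+) is (.+?)\s*$", re.M)
BEST_MATCH_RE = re.compile(r"best match of:\s*'([^']*)'", re.S)
REMAINING_RE = re.compile(r"remaining name '([^']*)'")


def split_dn(dn):
    """Split a DN into RDN strings, normalising case and whitespace.
    Escaped commas (\\,) stay inside their RDN; this is sufficient for the DNs
    in the log and is not a full RFC 4514 parser."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip().upper() for p in parts if p.strip()]


def parse_error32(text):
    """Return (attempted_dn, best_match, remaining) from a JNDI NO_OBJECT message,
    or None if the text does not contain an LDAP error 32 with both fields."""
    if "error code 32" not in text:
        return None
    best = BEST_MATCH_RE.search(text)
    rem = REMAINING_RE.search(text)
    if not (best and rem):
        return None
    best_match, remaining = best.group(1), rem.group(1)
    attempted = remaining + "," + best_match if remaining else best_match
    return attempted, best_match, remaining


def triage(log_text):
    """Compare the DN WSO2 found for the user with the DN the failed LDAP
    operation targeted. Returns a dict describing the comparison, or None when
    the log contains no error 32."""
    err = parse_error32(log_text)
    if err is None:
        return None
    attempted, best_match, remaining = err
    found = FOUND_DN_RE.search(log_text)
    found_dn = found.group(2) if found else None
    result = {
        "user": found.group(1) if found else None,
        "found_dn": found_dn,
        "attempted_dn": attempted,
        "existing_container": best_match,
        "missing_leaf": remaining,
        "same_entry": False,
        "missing_rdns": [],
    }
    if found_dn:
        found_parts, attempted_parts = split_dn(found_dn), split_dn(attempted)
        result["same_entry"] = found_parts == attempted_parts
        # RDNs present in the DN that exists but absent from the one that was
        # tried; for the posted log this is the intermediate OU=DEPARTMENT.
        result["missing_rdns"] = [p for p in found_parts if p not in attempted_parts]
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("found    :", r["found_dn"])
    print("attempted:", r["attempted_dn"])
    print("same entry:", r["same_entry"], "missing RDNs:", r["missing_rdns"])
```

Run against the posted lines, the script reports that the entry WSO2 found lives one OU deeper (OU=DEPARTMENT) than the name the failing operation used, which is a different question from whether the bind account holds the Reset Password right: an ACL check only matters once the modify is addressed at an entry that exists.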

Answer

0

Does the user CN=ADMIN,OU=DEPARTMENT,OU=USERS,DC=EXAMPLE,DC=COM have the rights in AD to change other users' passwords? As a best practice, create a user with domain control rights and try again.

Regards, Tayyab

+0

It does. As mentioned in my original description, "I've set up the AD integration and used Delegated Control to give the LDAP bind account the right to reset passwords on a specific OU and the objects within it." Note that I've granted it the "Reset Password" right in AD, not "Change Password". The difference is that "CHANGE" is for the individual user themselves and requires knowing the current password. "RESET" is an administrative function that an account with the correct rights can perform on another account without knowing that user's current password. – amoreno

+0

I also reject the idea that blanket domain admin rights should be considered best practice in this scenario. We use this AD account for LDAP binding and password management, so it needs no further rights. We don't allow it to create users or groups (or "roles", as WSO2 calls them). The user account in question can perform the "change" (again, in AD terms, "reset") function on user accounts in our partner's implementation, note *without* domain admin rights, but when I copy their configuration to my test instance. – amoreno