2009-10-26 28 views
4

Nexus and LDAP - JNDI problem when authenticating users against an OpenLDAP server

I'm using the Nexus repository manager (nexus.sonatype.org) together with the open-source LDAP plugin (code.google.com/p/nexus-ldap/), and I get an error stating that a wrong protocol version was used (details below). The plugin uses the JNDI LDAP service provider to connect to my LDAP server. If you look at the stack trace in the nexus.log file, the exception occurs during context initialization inside the JNDI LDAP implementation. So my guess is that the problem described below is not caused by the Nexus plugin, but by an incorrect use of JNDI or a misunderstanding of LDAP authentication on my side.

Any guesses or ideas about what is causing the error are greatly appreciated!

What steps will reproduce the problem?

  1. Configure Nexus to use the LdapAuthenticatingRealm with an OpenLDAP 1.2.x server, i.e. LDAP protocol version 2.
  2. Try to list the users from the OpenLDAP server and map them to roles in the Nexus configuration UI - works perfectly.
  3. Now try to log in to the running Nexus instance, or otherwise authenticate, with an LDAP user that has been mapped to a role.

What is the expected output? What do you see instead?

When trying to log in I get the error message "Incorrect username, password or no permission to use the Nexus User Interface. Please try again." In the Nexus log file, an exception is raised when Sun's JNDI LDAP implementation (see the stack trace from the log file below) tries to initialize a context with the given information in order to authenticate the user against the LDAP server. User lookup via the Nexus UI works fine, and so does the lookup performed during authentication (see the log file below).

The error message contained in the CommunicationException ("[LDAP: error code 2 - version not supported]") indicates that the wrong LDAP protocol version is being used. I tried to use protocol version 2 explicitly, since OpenLDAP 1.2.7-30 only supports LDAP v2 (corporate environment - the server version is not negotiable). I did this by checking your source code and adding "env.put("java.naming.ldap.version", "2");" to se.devoteam.nexus.ldap.NexusLdapContextFactory:52. No change.

During testing, while browsing the Sun source code, I realized that the first thing the javax.naming.ldap.InitialLdapContext.InitialLdapContext() constructor does is set the LDAP protocol version to "3" (javax.naming.ldap.InitialLdapContext:131). Although the Java 6 documentation describes the property I'm using (java.sun [dot] com/javase/6/docs/technotes/guides/jndi/jndi-ldap-gl.html#version) and the JNDI tutorial mentions it as the correct way to resolve protocol version conflicts (java.sun [dot] com/products/jndi/tutorial/ldap/misc/version.html), I'm wondering: is there a way to explicitly use LDAP protocol version 2 when using JNDI as the LDAP service provider?

Next, I tried using a fairly recent OpenLDAP server (openldap2-2.3) as a proxy that accepts LDAP protocol version 3 requests and delegates them to the old server. Same problem, same exception.

Information

Environment: Nexus webapp deployed in Tomcat 6.0.16
Nexus version: 1.3.6
LDAP realm version: 0.4
JRE version: JDK 1.6.0_14-b08
Platform: virtual environment
LDAP directory brand: OpenLDAP 1.2.7 and 2.2.3

The relevant part of nexus.log:

2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - o.s.j.r.PlexusSecur~   - Realm: 'org.sonatype.jsecurity.realms.XmlAuthenticatingRealm', caused: User 'testuser' cannot be retrieved. 
org.jsecurity.authc.AccountException: User 'testuser' cannot be retrieved. 
    at org.sonatype.jsecurity.realms.XmlAuthenticatingRealm.doGetAuthenticationInfo(XmlAuthenticatingRealm.java:68) 
    at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168) 
    at org.sonatype.jsecurity.web.WebPlexusSecurity.getAuthenticationInfo(WebPlexusSecurity.java:185) 
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186) 
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276) 
    at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141) 
    at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171) 
    at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312) 
    at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237) 
    at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49) 
    at org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.onAccessDenied(NexusHttpAuthenticationFilter.java:121) 
    at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145) 
    at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175) 
    at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129) 
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180) 
    at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57) 
    at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382) 
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) 
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419) 
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378) 
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509) 
    at java.lang.Thread.run(Thread.java:619) 
Caused by: org.sonatype.jsecurity.realms.tools.NoSuchUserException: User with id='testuser' not found! 
    at org.sonatype.jsecurity.realms.tools.DefaultConfigurationManager.readUser(DefaultConfigurationManager.java:410) 
    at org.sonatype.jsecurity.realms.tools.ResourceMergingConfigurationManager.readUser(ResourceMergingConfigurationManager.java:278) 
    at org.sonatype.jsecurity.realms.XmlAuthenticatingRealm.doGetAuthenticationInfo(XmlAuthenticatingRealm.java:64) 
    ... 29 more 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.LdapAuthent~   - Authenticating user 'testuser' through LDAP 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.LdapAuthent~   - LDAP user search filter: (&(objectClass=account)(uid={0})) 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP security principal not set 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP security credentials not set 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP provider url(s): ldap://ldap:389 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP initial context factory: com.sun.jndi.ldap.LdapCtxFactory 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP security protocol: null 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP security authentication: null 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP search scope: subtree 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.LdapAuthent~   - User object found 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.LdapAuthent~   - LDAP authentication principal: uid=testuser, dc=corporation,dc=de 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP provider url(s): ldap://ldap:389 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP initial context factory: com.sun.jndi.ldap.LdapCtxFactory 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP security protocol: null 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - s.d.n.l.NexusLdapCo~   - LDAP security authentication: null 
2009-10-23 15:06:37 ERROR [ajp-8009-3  ] - o.j.r.l.AbstractLda~   - LDAP naming error while attempting to authenticate user. 
javax.naming.CommunicationException: [LDAP: error code 2 - version not supported] 
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3089) 
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987) 
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789) 
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703) 
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) 
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) 
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) 
    at javax.naming.InitialContext.init(InitialContext.java:223) 
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) 
    at se.devoteam.nexus.ldap.NexusLdapContextFactory.getLdapContext(NexusLdapContextFactory.java:63) 
    at se.devoteam.nexus.ldap.LdapAuthenticatingRealm.queryForAuthenticationInfo(LdapAuthenticatingRealm.java:139) 
    at org.jsecurity.realm.ldap.AbstractLdapRealm.doGetAuthenticationInfo(AbstractLdapRealm.java:186) 
    at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168) 
    at org.sonatype.jsecurity.web.WebPlexusSecurity.getAuthenticationInfo(WebPlexusSecurity.java:185) 
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186) 
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276) 
    at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141) 
    at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171) 
    at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312) 
    at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237) 
    at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49) 
    at org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.onAccessDenied(NexusHttpAuthenticationFilter.java:121) 
    at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145) 
    at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175) 
    at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129) 
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180) 
    at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57) 
    at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382) 
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) 
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419) 
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378) 
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509) 
    at java.lang.Thread.run(Thread.java:619) 
2009-10-23 15:06:37 INFO [ajp-8009-3  ] - o.s.n.s.f.a.NexusSe~   - Unable to authenticate user [testuser] from address/host [172.31.2.155/172.31.2.155] 
2009-10-23 15:06:37 DEBUG [ajp-8009-3  ] - o.s.n.e.Authenticat~:default - Notifying 1 EventListener about event org.sonatype.nexus.auth.NexusAuthenticationEvent fired ([email protected]) 
+0

Hi Patrick, could you share the solution? – 2013-05-07 02:17:44

Answer

1

Hmm... I'm not an LDAP expert, but according to Bug ID: 4908306 LDAP Provider version negotiation fails with OpenLDAP server (LDAP v2):

InitialLdapContext is for LDAP v3 only. It adds methods to DirContext that are only applicable to v3. To use DirContext methods, use InitialDirContext. InitialDirContext will perform the appropriate v2/v3 negotiation. The change was made in 1.4.1 to tighten the implementation to conform to the spec and to avoid sending an extraneous BIND for v3.

Actually, my understanding of the above and of the Javadoc comment on InitialLdapContext is:

This class is the starting context for performing LDAPv3-style extended operations and controls.

The InitialLdapContext class cannot be used for LDAP v2; it explicitly sets the java.naming.ldap.version environment property to "3" in its source. For LDAP v2 you must use InitialDirContext.

If changing the server is not an option, I guess you will have to patch http://code.google.com/p/nexus-ldap/

+0

I think I now have almost all the information I need, thanks for piecing it together for me. I'll let you know whether using InitialDirContext does the trick. – 2009-10-27 08:20:35
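An added example (not code from the nexus-ldap plugin or from either poster) of the approach the answer describes: performing the authentication bind through InitialDirContext so that the explicit LDAP v2 setting is honoured rather than overridden to "3". The class name is hypothetical; the provider URL and the user DN shape are taken from the log above, and the empty-password check is an added defensive step the thread does not mention.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper: authenticates a user against an LDAP v2-only server by binding as the user. */
public final class LdapV2Authenticator {

    private final String providerUrl; // e.g. "ldap://ldap:389", as seen in nexus.log above

    public LdapV2Authenticator(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /**
     * Returns true if a simple bind as userDn with the given password succeeds.
     * InitialDirContext is used on purpose: InitialLdapContext forces
     * "java.naming.ldap.version" to "3", so a "2" set in env would be ignored.
     */
    public boolean authenticate(String userDn, char[] password) throws NamingException {
        // An empty password makes the provider perform an anonymous bind, which
        // "succeeds" without proving anything. Reject it before contacting the server.
        if (userDn == null || userDn.trim().isEmpty() || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put("java.naming.ldap.version", "2");       // honoured by InitialDirContext
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);     // e.g. "uid=testuser,dc=corporation,dc=de"
        env.put(Context.SECURITY_CREDENTIALS, password); // String, char[] or byte[] are accepted
        // Note: LDAP v2 has no StartTLS, so a simple bind over a plain ldap:// URL sends the
        // password in the clear; an ldaps:// URL is the only way to protect it with this server.

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);            // the BIND happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                                // bad DN or password (LDAP error code 49)
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

Any other NamingException (for example the "version not supported" CommunicationException from the log) still propagates, so a server-side or configuration problem is not silently reported as a wrong password.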