4

我正在将 Nexus 存储库管理器 (nexus.sonatype.org) 与开源 LDAP 插件 (code.google.com/p/nexus-ldap/) 一起使用,我收到一个错误,表明使用了错误的协议版本(详情如下) . 该插件所做的只是使用 JNDI LDAP 服务提供者连接到我的 LDAP 服务器。如果您查看 nexus.log 文件中的堆栈跟踪,则会在 JNDI LDAP 实现中的上下文初始化期间发生异常。所以我的猜测是,下面描述的问题不是由 Nexus 插件引起的,而是由于 JNDI 的误用或对 LDAP 身份验证的误解。

任何关于这是如何引起错误的猜测或想法都非常感谢!

哪些步骤将重现该问题?

  1. 将 Nexus 配置为使用 OpenLDAP 1.2.x 服务器使用 LdapAuthenticatingRealm - 因此是 LDAP 协议的版本 2。
  2. 尝试从 OpenLDAP-Server 列出用户并将它们映射到 Nexus 配置 UI 中的角色 - 效果很好。
  3. 现在尝试使用已成功映射到角色的 LDAP 用户登录或验证正在运行的 Nexus 实例。

什么是预期的输出?你看到了什么呢?

尝试登录时,我收到错误消息“用户名、密码不正确或无权使用 Nexus 用户界面。再试一次。”。在 Nexus 日志文件中,我看到 Sun 的 JNDI-LDAP 实现(请参阅下面的日志文件中的堆栈跟踪)尝试使用给定信息初始化上下文以针对 LDAP 服务器对用户进行身份验证时引发异常。使用 Nexus UI 的用户查找工作正常,以及在身份验证期间执行的查找(请参阅下面的日志文件)。

CommunicationException ("[LDAP: error code 2 - version not supported]") 中包含的错误消息表明使用了错误的 LDAP 协议版本。我尝试明确使用协议版本 2,因为 OpenLDAP 版本 1.2.7-30 仅支持 LDAP v2(企业环境 - 服务器版本不可协商)。我通过检查您的源代码来做到这一点,添加行“env.put("java.naming.ldap.version", "2");" 到 se.devoteam.nexus.ldap.NexusLdapContextFactory:52。没有改变。

在测试期间,我在浏览 Sun 源代码时意识到 javax.naming.ldap.InitialLdapContext.InitialLdapContext() 方法所做的第一件事是将 ldap 协议版本设置为“3”(javax.naming.ldap.InitialLdapContext:131 )。尽管 Java6 文档解释了我使用的属性 (java.sun[dot]com/javase/6/docs/technotes/guides/jndi/jndi-ldap-gl.html#version) 并且 JNDI 教程将其作为解决协议版本冲突的正确方法 (java.sun[dot]com/products/jndi/tutorial/ldap/misc/version.html) 我想知道:有没有办法在使用 JNDI 时显式使用 LDAP 协议版本 2作为 LDAP 服务提供者?

接下来,我尝试使用最新版本的 OpenLDAP 服务器 (openldap2-2.3) 作为 LDAP 协议版本 3 请求的代理,它将它们委托给旧服务器。同样的问题,同样的例外。

附加信息

环境:Nexus Webapp 部署在 Tomcat 6.0.16 Nexus 版本:1.3.6 ldap-realm 版本:0.4 JRE 版本:JDK 1.6.0_14-b08 平台:虚拟环境 LDAP 目录品牌:OpenLDAP 1.2.7 和 2.2.3

nexus.log 的相关部分:

2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - o.s.j.r.PlexusSecur~          - Realm: 'org.sonatype.jsecurity.realms.XmlAuthenticatingRealm', caused: User 'testuser' cannot be retrieved.
org.jsecurity.authc.AccountException: User 'testuser' cannot be retrieved.
    at org.sonatype.jsecurity.realms.XmlAuthenticatingRealm.doGetAuthenticationInfo(XmlAuthenticatingRealm.java:68)
    at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168)
    at org.sonatype.jsecurity.web.WebPlexusSecurity.getAuthenticationInfo(WebPlexusSecurity.java:185)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276)
    at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141)
    at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171)
    at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312)
    at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237)
    at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49)
    at org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.onAccessDenied(NexusHttpAuthenticationFilter.java:121)
    at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145)
    at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175)
    at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57)
    at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419)
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.sonatype.jsecurity.realms.tools.NoSuchUserException: User with id='testuser' not found!
    at org.sonatype.jsecurity.realms.tools.DefaultConfigurationManager.readUser(DefaultConfigurationManager.java:410)
    at org.sonatype.jsecurity.realms.tools.ResourceMergingConfigurationManager.readUser(ResourceMergingConfigurationManager.java:278)
    at org.sonatype.jsecurity.realms.XmlAuthenticatingRealm.doGetAuthenticationInfo(XmlAuthenticatingRealm.java:64)
    ... 29 more
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.LdapAuthent~          - Authenticating user 'testuser' through LDAP
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.LdapAuthent~          - LDAP user search filter: (&(objectClass=account)(uid={0}))
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP security principal not set
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP security credentials not set
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP provider url(s): ldap://ldap:389
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP initial context factory: com.sun.jndi.ldap.LdapCtxFactory
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP security protocol: null
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP security authentication: null
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP search scope: subtree
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.LdapAuthent~          - User object found
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.LdapAuthent~          - LDAP authentication principal: uid=testuser, dc=corporation,dc=de
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP provider url(s): ldap://ldap:389
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP initial context factory: com.sun.jndi.ldap.LdapCtxFactory
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP security protocol: null
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - s.d.n.l.NexusLdapCo~          - LDAP security authentication: null
2009-10-23 15:06:37 ERROR [ajp-8009-3     ] - o.j.r.l.AbstractLda~          - LDAP naming error while attempting to authenticate user.
javax.naming.CommunicationException: [LDAP: error code 2 - version not supported]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3089)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at se.devoteam.nexus.ldap.NexusLdapContextFactory.getLdapContext(NexusLdapContextFactory.java:63)
    at se.devoteam.nexus.ldap.LdapAuthenticatingRealm.queryForAuthenticationInfo(LdapAuthenticatingRealm.java:139)
    at org.jsecurity.realm.ldap.AbstractLdapRealm.doGetAuthenticationInfo(AbstractLdapRealm.java:186)
    at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168)
    at org.sonatype.jsecurity.web.WebPlexusSecurity.getAuthenticationInfo(WebPlexusSecurity.java:185)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276)
    at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141)
    at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171)
    at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312)
    at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237)
    at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49)
    at org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.onAccessDenied(NexusHttpAuthenticationFilter.java:121)
    at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145)
    at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175)
    at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57)
    at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419)
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509)
    at java.lang.Thread.run(Thread.java:619)
2009-10-23 15:06:37 INFO  [ajp-8009-3     ] - o.s.n.s.f.a.NexusSe~          - Unable to authenticate user [testuser] from address/host [172.31.2.155/172.31.2.155]
2009-10-23 15:06:37 DEBUG [ajp-8009-3     ] - o.s.n.e.Authenticat~:default  - Notifying 1 EventListener about event org.sonatype.nexus.auth.NexusAuthenticationEvent fired (org.sonatype.nexus.auth.NexusAuthenticationEvent@d637d)
4

1 回答 1

1

嗯...我不是 LDAP 专家,但根据错误 ID:4908306 LDAP 提供程序版本协商失败,OpenLDAP 服务器(LDAP v2)

InitialLdapContext 仅用于 LDAP v3。它向 DirContext 添加了仅对 v3 有意义的方法。要使用 DirContext 方法,请使用 InitialDirContext。InitialDirContext 将进行适当的 v2/v3 协商。在 1.4.1 中进行了更改以加强实现以匹配规范并避免为 v3 发送无关的 BIND。

实际上,我对上述评论和InitialLdapContext javadoc 的理解是:

此类是执行 LDAPv3 样式的扩展操作和控制的起始上下文。

该类InitialLdapContext不能用于 LDAP-v2,它在其源中明确设置java.naming.ldap.version环境属性。"3"对于 LDAP-v2,您必须使用InitialDirContext.

如果更改服务器不是一个选项,我想你必须修补http://code.google.com/p/nexus-ldap/

于 2009-10-26T11:39:35.417 回答