WSO2:连接到 ldap 失败
WSO2 : connecting to ldap fails
我正在遵循 WSO2 身份管理器(独立版)上的 Active Directory WSO2 指南。我正在尝试将我的 WSO2 服务器与公司的 LDAP 连接起来。我将 admin username/password 设置为现有用户,设置连接属性(从 apache directory studio 我可以访问活动目录),我设置了获取用户的查询,但出现此错误:
13.6.2017 13:24:12[2017-06-13 11:24:12,318] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:99)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:42)
13.6.2017 13:24:12 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
13.6.2017 13:24:12 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
13.6.2017 13:24:12 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
13.6.2017 13:24:12 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
13.6.2017 13:24:12 at java.lang.Thread.run(Thread.java:745)
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Error while trying to login to data receiver :/10.42.210.146:9711
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:47)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:93)
13.6.2017 13:24:12 ... 6 more
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException: wrong userName or password
13.6.2017 13:24:12 at sun.reflect.GeneratedConstructorAccessor207.newInstance(Unknown Source)
13.6.2017 13:24:12 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
13.6.2017 13:24:12 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:162)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:42)
13.6.2017 13:24:12 ... 7 more
我设置了这个配置:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>false</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>it\wso2system</UserName>
<Password>mypassword</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
和 AD 连接:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://activedirectory.local:389</Property>
<Property name="ConnectionName">it\wso2system</Property>
<Property name="ConnectionPassword">mypassword</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">...my working search query from directory studio ...</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectCategory=Person)(sAMAccountName=*))</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">false</Property>
<Property name="WriteGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
我是不是遗漏了一些配置文件?使用之前工作的标准数据库配置,切换后我得到上述错误加上我无法登录 wso2(无论是商店,apim 还是碳)。
我们没有在 AD 中定义角色,我们只想对 WSO2 用户进行身份验证。
感谢任何帮助:)
我的第一条建议是仅通过 carbon 添加您的 LDAP,添加辅助用户存储。这里有一些 documentation,ID 为 5.3.0。如果你想走那条路,你应该先把原来的管理员登录放回去。 (这样你至少可以登录 carbon。)然后放回 JDBC 商店。
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
如果您确实访问辅助用户存储,它会自动在 /repository/deployment/server/userstores.
下创建用户存储的 XML 文件
这是用户存储文件的示例。
<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://domain.com:389</Property>
<Property name="ConnectionName">CN=user,OU=work,DC=domain,DC=com</Property>
<Property encrypted="true" name="ConnectionPassword">cantseethat</Property>
<Property name="UserSearchBase">OU=Unit,DC=domain,DC=com</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(cn=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute">name</Property>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">OU=R,DC=domain,DC=com</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="CountRetrieverClass"/>
<Property name="java.naming.ldap.attributes.binary"> </Property>
<Property name="DomainName">Domain</Property>
<Property name="Description">LDAP User Store</Property>
</UserStoreManager>
其他内容
在 /repository/conf/identity/embedded-ldap 下禁用嵌入式 LDAP。xml
<EmbeddedLDAP>
<Property name="enable">false</Property>
"If you are using LDAPS (secure) to connect to the Active Directory, you need to import its public certificate to the client-truststore.jks of the WSO2 product you are configuring." Oracle: Import Cert
也可以在密钥库下使用碳导入。
抱歉,我不能提供更多帮助。
这个问题的解决方案有点棘手,但我们开始吧:
经过几次尝试,我决定使用 LDAP 只读连接器将 AD 连接设置为辅助用户存储。我陷入了 NullPointerException。
我得到了wso2am的源代码并开始调试。服务器尝试打开证书链以获得用于加密密码的 public 密钥。此链条未正确返回
TID: [-1234] [] [2017-06-20 12:18:21,318] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} - Exception occurred while trying
to invoke service method addUserStore {org.apache.axis2.rpc.receivers.RPCMessageReceiver}
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
at org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:4
5)
at org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.user.store.configuration.stub.UserStoreConfigAdminServiceStub.addUserStore(UserStoreConfigAdminServ
iceStub.java:889)
at org.wso2.carbon.identity.user.store.configuration.ui.client.UserStoreConfigAdminServiceClient.addUserStore(UserStoreConfigAd
minServiceClient.java:95)
at org.apache.jsp.userstore_005fconfig.userstore_002dconfig_002dfinish_002dajaxprocessor_jsp._jspService(userstore_002dconfig_0
02dfinish_002dajaxprocessor_jsp.java:198)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.initializeKeyStore(SecondaryUserStoreConfigurationUtil.java:82)
at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.encryptPlainText(SecondaryUserStoreConfigurationUtil.java:125)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addProperties(UserStoreConfigAdminService.java:569)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.writeUserMgtXMLFile(UserStoreConfigAdminService.java:812)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addUserStore(UserStoreConfigAdminService.java:270)
... 76 more
为了解决这个问题,我提取了代码并将其放入独立程序中which can be found on our github site.
我发现,链没有充分打包到密钥库中。为了创建一个有效的密钥库,我遵循了 Non 的回答 to this Whosebug.
我得到了
- 我的服务器证书 (PEM)
- go daddy bundle certificate including root (PEM)
- go daddy 安全服务器证书 (PEM)
- certiface 密钥(来自 CSR 的密钥文件)
了解这三个证书you may look here
按照上面提到的post回答我做了
> cat server.crt bundle-g2-g1.crt gdig2.crt >combined.crt
> openssl pkcs12 -export -chain -in server.crt -inkey server.key -out keystore.p12 -name wso2carbon -CAfile combined.crt
> keytool -importkeystore -destkeystore wso2carbon.jks -srckeystore keystore.p12 -alias wso2carbon
创建的密钥库成功通过了我的测试程序。安装的 wso2 实例成功保存了我的 AD 连接并且没有产生任何 SSL 问题。
PS: 我这里也是用PKCS12格式操作得到的keystore。无法将其转换为 jks 密钥库,该死的密钥工具 DROPS 链!
我正在遵循 WSO2 身份管理器(独立版)上的 Active Directory WSO2 指南。我正在尝试将我的 WSO2 服务器与公司的 LDAP 连接起来。我将 admin username/password 设置为现有用户,设置连接属性(从 apache directory studio 我可以访问活动目录),我设置了获取用户的查询,但出现此错误:
13.6.2017 13:24:12[2017-06-13 11:24:12,318] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Cannot borrow client for ssl://10.42.210.146:9711
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:99)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:42)
13.6.2017 13:24:12 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
13.6.2017 13:24:12 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
13.6.2017 13:24:12 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
13.6.2017 13:24:12 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
13.6.2017 13:24:12 at java.lang.Thread.run(Thread.java:745)
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Error while trying to login to data receiver :/10.42.210.146:9711
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:47)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:93)
13.6.2017 13:24:12 ... 6 more
13.6.2017 13:24:12Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException: wrong userName or password
13.6.2017 13:24:12 at sun.reflect.GeneratedConstructorAccessor207.newInstance(Unknown Source)
13.6.2017 13:24:12 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
13.6.2017 13:24:12 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:162)
13.6.2017 13:24:12 at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:42)
13.6.2017 13:24:12 ... 7 more
我设置了这个配置:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>false</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>it\wso2system</UserName>
<Password>mypassword</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
和 AD 连接:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://activedirectory.local:389</Property>
<Property name="ConnectionName">it\wso2system</Property>
<Property name="ConnectionPassword">mypassword</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">...my working search query from directory studio ...</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectCategory=Person)(sAMAccountName=*))</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">false</Property>
<Property name="WriteGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
我是不是遗漏了一些配置文件?使用之前工作的标准数据库配置,切换后我得到上述错误加上我无法登录 wso2(无论是商店,apim 还是碳)。
我们没有在 AD 中定义角色,我们只想对 WSO2 用户进行身份验证。
感谢任何帮助:)
我的第一条建议是仅通过 carbon 添加您的 LDAP,添加辅助用户存储。这里有一些 documentation,ID 为 5.3.0。如果你想走那条路,你应该先把原来的管理员登录放回去。 (这样你至少可以登录 carbon。)然后放回 JDBC 商店。
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
如果您确实访问辅助用户存储,它会自动在 /repository/deployment/server/userstores.
下创建用户存储的 XML 文件这是用户存储文件的示例。
<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://domain.com:389</Property>
<Property name="ConnectionName">CN=user,OU=work,DC=domain,DC=com</Property>
<Property encrypted="true" name="ConnectionPassword">cantseethat</Property>
<Property name="UserSearchBase">OU=Unit,DC=domain,DC=com</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(cn=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute">name</Property>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">OU=R,DC=domain,DC=com</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="CountRetrieverClass"/>
<Property name="java.naming.ldap.attributes.binary"> </Property>
<Property name="DomainName">Domain</Property>
<Property name="Description">LDAP User Store</Property>
</UserStoreManager>
其他内容
在 /repository/conf/identity/embedded-ldap 下禁用嵌入式 LDAP。xml
<EmbeddedLDAP>
<Property name="enable">false</Property>
"If you are using LDAPS (secure) to connect to the Active Directory, you need to import its public certificate to the client-truststore.jks of the WSO2 product you are configuring." Oracle: Import Cert 也可以在密钥库下使用碳导入。
抱歉,我不能提供更多帮助。
这个问题的解决方案有点棘手,但我们开始吧:
经过几次尝试,我决定使用 LDAP 只读连接器将 AD 连接设置为辅助用户存储。我陷入了 NullPointerException。
我得到了wso2am的源代码并开始调试。服务器尝试打开证书链以获得用于加密密码的 public 密钥。此链条未正确返回
TID: [-1234] [] [2017-06-20 12:18:21,318] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} - Exception occurred while trying
to invoke service method addUserStore {org.apache.axis2.rpc.receivers.RPCMessageReceiver}
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
at org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
at org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:4
5)
at org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.user.store.configuration.stub.UserStoreConfigAdminServiceStub.addUserStore(UserStoreConfigAdminServ
iceStub.java:889)
at org.wso2.carbon.identity.user.store.configuration.ui.client.UserStoreConfigAdminServiceClient.addUserStore(UserStoreConfigAd
minServiceClient.java:95)
at org.apache.jsp.userstore_005fconfig.userstore_002dconfig_002dfinish_002dajaxprocessor_jsp._jspService(userstore_002dconfig_0
02dfinish_002dajaxprocessor_jsp.java:198)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.initializeKeyStore(SecondaryUserStoreConfigurationUtil.java:82)
at org.wso2.carbon.identity.user.store.configuration.utils.SecondaryUserStoreConfigurationUtil.encryptPlainText(SecondaryUserStoreConfigurationUtil.java:125)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addProperties(UserStoreConfigAdminService.java:569)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.writeUserMgtXMLFile(UserStoreConfigAdminService.java:812)
at org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService.addUserStore(UserStoreConfigAdminService.java:270)
... 76 more
为了解决这个问题,我提取了代码并将其放入独立程序中which can be found on our github site.
我发现,链没有充分打包到密钥库中。为了创建一个有效的密钥库,我遵循了 Non 的回答 to this Whosebug.
我得到了
- 我的服务器证书 (PEM)
- go daddy bundle certificate including root (PEM)
- go daddy 安全服务器证书 (PEM)
- certiface 密钥(来自 CSR 的密钥文件)
了解这三个证书you may look here
按照上面提到的post回答我做了
> cat server.crt bundle-g2-g1.crt gdig2.crt >combined.crt
> openssl pkcs12 -export -chain -in server.crt -inkey server.key -out keystore.p12 -name wso2carbon -CAfile combined.crt
> keytool -importkeystore -destkeystore wso2carbon.jks -srckeystore keystore.p12 -alias wso2carbon
创建的密钥库成功通过了我的测试程序。安装的 wso2 实例成功保存了我的 AD 连接并且没有产生任何 SSL 问题。
PS: 我这里也是用PKCS12格式操作得到的keystore。无法将其转换为 jks 密钥库,该死的密钥工具 DROPS 链!