
LDAP login configured, but login never succeeds #7924

Closed
StandardStudent opened this issue Mar 10, 2022 · 20 comments
Labels
help wanted Extra attention is needed
Milestone

Comments

@StandardStudent

In application.properties I changed the following:

nacos.core.auth.system.type=ldap
nacos.core.auth.ldap.url=ldap://**:389
nacos.core.auth.ldap.userdn=cn={0},ou=example,dc=com,dc=cn
nacos.core.auth.enabled=true

But I still cannot log in. With the same parameters I can look up the entries using the ldapsearch command on my side.

@KomachiSion KomachiSion added the help wanted Extra attention is needed label Mar 10, 2022
@KeithTt

KeithTt commented Mar 23, 2022

Same problem. It seems only users in the root directory can be authorized; others in the subtree cannot be.

Here is the exception info:

2022-03-23 16:41:07,258 ERROR login error:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]

2022-03-23 16:41:07,259 ERROR CONSOLE /nacos/v1/auth/users/login

java.lang.RuntimeException: login error!
	at com.alibaba.nacos.console.security.nacos.LdapAuthenticationProvider.ldapLogin(LdapAuthenticationProvider.java:145)
	at com.alibaba.nacos.console.security.nacos.LdapAuthenticationProvider.authenticate(LdapAuthenticationProvider.java:97)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:200)
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:514)
	at com.alibaba.nacos.console.security.nacos.NacosAuthManager.resolveTokenFromUser(NacosAuthManager.java:191)
	at com.alibaba.nacos.console.security.nacos.NacosAuthManager.resolveToken(NacosAuthManager.java:161)
	at com.alibaba.nacos.console.security.nacos.NacosAuthManager.login(NacosAuthManager.java:70)
	at com.alibaba.nacos.console.controller.UserController.login(UserController.java:211)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:892)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:97)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter.doFilterInternal(HttpTraceFilter.java:88)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.alibaba.nacos.core.auth.AuthFilter.doFilter(AuthFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:94)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:114)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:104)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

@onewe
Collaborator

onewe commented Mar 24, 2022

I will solve it.

@karsonto
Contributor

I tested with a Docker LDAP service and it works normally:
docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.3.0

docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

[screenshot]

Add the LDAP configuration to application.properties
[screenshot]

Log in to nacos with username admin, password admin
[screenshot]

nacos is accessible normally
[screenshot]

@onewe
Collaborator

onewe commented Mar 28, 2022

I can also log in normally here. It may be an LDAP configuration problem.

@onewe
Collaborator

onewe commented Mar 28, 2022

Is SASL enabled on the LDAP server?

@KeithTt

KeithTt commented Mar 29, 2022

@onewe Users directly under the root directory can log in, but when there are multiple OUs, none of the users in the sub-directories can log in.

Similar to the situation in this issue: #7099

It should not be an LDAP configuration problem; quite a few of our applications are connected to LDAP.

@StandardStudent
Author

@onewe @KeithTt I looked into the specific problem here. The main cause is that the parameters set in the config file cannot accommodate the company's LDAP organizational structure. So I changed the LDAP search method to search for the user under the organizational structure, which is also the way most software supports LDAP. Do you need me to submit the relevant code?

@StandardStudent
Author

> I tested with a Docker LDAP service and it works normally: docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.3.0
>
> docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
>
> [screenshot]
>
> Add the LDAP configuration to application.properties [screenshot]
>
> Log in to nacos with username admin, password admin [screenshot]
>
> nacos is accessible normally [screenshot]

Found the problem. The structure inside my company has multiple levels and several variable components, so the single-variable approach in the config file cannot solve my case; I changed the LDAP-related methods in the source code.

@karsonto
Contributor

@StandardStudent Thanks, please submit a PR for reference!

@StandardStudent
Author

StandardStudent commented Mar 29, 2022

@karsonto First time trying this; please see #8029

@karsonto
Contributor

Thanks!

@KomachiSion KomachiSion mentioned this issue Apr 11, 2022
KomachiSion pushed a commit that referenced this issue Apr 11, 2022
* Fix issue#7924

* reformat code style
@KomachiSion KomachiSion added this to the 2.1.0 milestone Apr 11, 2022
@KeithTt

KeithTt commented May 12, 2022

@onewe @karsonto @KomachiSion Upgrading from 2.0.4 to 2.1.0: after upgrading to the latest version I found the database is incompatible and columns report errors. Is there an upgrade document?

@karsonto
Contributor

You mean the LDAP login problem, right? Reference config as follows:
nacos.core.auth.system.type=ldap
nacos.core.auth.ldap.url=ldap://localhost:389
nacos.core.auth.ldap.basedc=dc=example,dc=org
nacos.core.auth.ldap.userDn=cn=admin,${nacos.core.auth.ldap.basedc}
nacos.core.auth.ldap.password=admin
nacos.core.auth.ldap.userdn=cn={0},dc=example,dc=org
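The approach the thread converges on (search for the user under the base DN with a service account, then bind as the DN that was found) as an added example written for this thread; it is not Nacos code and not the code of PR #8029. It assumes Spring LDAP on the classpath, and it assumes that the constructor arguments map to the four properties in the reference config above (url, basedc, userDn as the service-account bind DN, password); the login attribute name is a hypothetical parameter because the page does not say which attribute the fix matches on.

```java
// Added example, not Nacos project code. Search-then-bind login with Spring LDAP:
// the user may live in any nested OU under the base DN, which a fixed
// "cn={0},ou=...,dc=..." template cannot express.
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQuery;
import static org.springframework.ldap.query.LdapQueryBuilder.query;

public class SubtreeLdapLogin {

    private final LdapTemplate ldapTemplate;
    private final String loginAttribute; // assumption: e.g. "uid" or "cn"

    /**
     * url, baseDc, serviceDn and servicePassword are assumed to correspond to
     * nacos.core.auth.ldap.url / basedc / userDn / password in the config above.
     * The service account is used only to search; it never authenticates users.
     */
    public SubtreeLdapLogin(String url, String baseDc, String serviceDn,
                            String servicePassword, String loginAttribute) {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);
        contextSource.setBase(baseDc);        // every search is rooted here
        contextSource.setUserDn(serviceDn);   // read-only service account
        contextSource.setPassword(servicePassword);
        contextSource.afterPropertiesSet();
        this.ldapTemplate = new LdapTemplate(contextSource);
        this.loginAttribute = loginAttribute;
    }

    /** True only if exactly one entry matches AND it binds with the given password. */
    public boolean login(String username, String password) {
        // An empty password must never reach the bind: servers treat it as an
        // unauthenticated bind and may answer "success" (RFC 4513, section 5.1.2).
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        // The query builder escapes filter metacharacters in the value, so a crafted
        // username cannot widen the filter. Scope defaults to SUBTREE, so users in
        // nested OUs are found.
        LdapQuery userQuery = query()
                .where("objectClass").is("person")
                .and(loginAttribute).is(username);
        try {
            // Spring LDAP does three things here: search under baseDc as the service
            // account, fail if the match count is not exactly 1, then bind as the
            // matched DN with the user's own password.
            ldapTemplate.authenticate(userQuery, password);
            return true;
        } catch (RuntimeException e) {
            // EmptyResultDataAccessException (no such user),
            // IncorrectResultSizeDataAccessException (ambiguous match), or an
            // AuthenticationException carrying the server diagnostic such as the
            // "error code 49 ... data 52e" seen in the stack trace above.
            return false;
        }
    }
}
```

Before changing any code, the equivalent check with the ldapsearch command from this thread is to search from the base DN with subtree scope for `(uid=<user>)` (or whichever attribute holds the login name) using the service account: if the entry returned has a DN with one or more OUs between the user's RDN and the base, a `cn={0},...` template can never produce that DN and the bind fails with error code 49. Treating "no match" and "more than one match" as failures also matters for security: with a broad base DN, a search that silently picked the first of several matches would let a user in the wrong OU authenticate as someone else's account.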

@KeithTt

KeithTt commented May 16, 2022

@karsonto Thanks for providing the reference config!

But my problem hasn't reached the LDAP config yet. My test environment runs on a k8s cluster; after I replaced the image version with the latest 2.1.0, the cluster wouldn't come up, and the logs said database columns are incompatible. Do I need to update the database?

@karsonto
Contributor

I'm not very familiar with this part. You can clone the code, look at the Git logs and compare them against the change history of the existing database scripts.
[screenshot]

@onewe
Collaborator

onewe commented May 16, 2022

@KeithTt The latest version adds a configuration-encryption feature, so the database needs new columns: add an encrypted_data_key column to each of the config_info, config_info_beta and his_config_info tables. See the SQL file in the release for details.

@KeithTt

KeithTt commented May 18, 2022

@karsonto @onewe Thanks to you both!

By running blame on this file https://github.com/alibaba/nacos/blob/develop/distribution/conf/nacos-mysql.sql, I added the encrypted_data_key column to the three tables config_info, config_info_beta and his_config_info.

After updating the image version to 2.1.0 again, it now starts normally. Unfortunately, the container version does not appear to support LDAP:

### The auth system to use, currently only 'nacos' is supported:
nacos.core.auth.system.type=${NACOS_AUTH_SYSTEM_TYPE:nacos}

@onewe
Collaborator

onewe commented May 18, 2022

@KeithTt LDAP support in the container is a bit troublesome.

@KeithTt

KeithTt commented May 18, 2022

@onewe Sigh... For a local, non-container instance, how should the upgrade be done?

  • Update the database to add the columns
  • Stop one instance
  • Back up the 2.0.4 code
  • Download the 2.1.0 code
  • Modify the configuration
  • Start the service
  • Then upgrade the remaining two instances in turn

Is this procedure correct? Will it affect services that are already using Nacos?

@onewe
Collaborator

onewe commented May 18, 2022

It should work; you can rehearse it first. I haven't done the upgrade myself @KeithTt
