Wildfly 26.1.1.Final Elytron - LDAP "context was closed"


I am following the Wildfly 26.1 Elytron documentation, trying to get LDAP working for a local standalone Wildfly 26.1.1.Final server, but I have run into an obscure problem where the context gets closed right after the credentials are supplied. I have tweaked the configuration a bit, but I honestly don't know what I'm looking for.

Here is a comparison of my standalone.xml against the default file for this version:

<server xmlns="urn:jboss:domain:19.0">
    ...
    <management>
        ...
        <management-interfaces>
            <http-interface http-authentication-factory="ldap-http-authentication">
                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
        ...
    <profile>
        <subsystem xmlns="urn:jboss:domain:logging:8.0">
            ...
            <logger category="org.wildfly.security">
                <level name="ALL"/>
            </logger>
            ...
        </subsystem>
        ...
        <subsystem xmlns="urn:wildfly:elytron:15.1" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            ...
            <security-domains>
                ...
                <security-domain name="LDAPDomain" default-realm="LDAPRealm" permission-mapper="default-permission-mapper">
                    <realm name="LDAPRealm" role-decoder="from-groups"/>
                </security-domain>
            </security-domains>
            <security-realms>
                ...
                <ldap-realm name="LDAPRealm" dir-context="LDAPContext">
                    <identity-mapping rdn-identifier="name" search-base-dn="OU=Users,OU=Organization,DC=myorg,DC=local">
                        <attribute-mapping>
                            <attribute from="cn" to="Groups" filter="(&amp;(objectClass=group)(member={1}))" filter-base-dn="OU=Groups,OU=Organization,DC=myorg,DC=local"/>
                        </attribute-mapping>
                        <user-password-mapper from="userPassword"/>
                    </identity-mapping>
                </ldap-realm>
                ...
            </security-realms>
            <mappers>
                ...
                <simple-role-decoder name="from-groups" attribute="Groups"/>
            </mappers>
            ...
            <http>
                <http-authentication-factory name="ldap-http-authentication" security-domain="LDAPDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="LDAPRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                ...
            </http>
            <sasl>
                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="LDAPDomain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="LDAPRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>
                ...
            </sasl>
            ...
            <dir-contexts>
                <dir-context name="LDAPContext" url="ldap://my.ldap.server:389" principal="CN=my_svc_acc,OU=Service Accounts,OU=Organization,DC=myorg,DC=local">
                    <credential-reference clear-text="sv_acc_password"/>
                </dir-context>
            </dir-contexts>
        </subsystem>
        ...
    </profile>
    ...
</server>

Everything omitted is at its default setting.

Here is the output I get after trying to authenticate to the management console:

2022-10-05 10:36:17,376 TRACE [org.wildfly.security] (management task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@78de6b3] for mechanism [BASIC]
2022-10-05 10:36:17,377 TRACE [org.wildfly.security] (management task-1) Handling SocketAddressCallback
2022-10-05 10:36:17,377 TRACE [org.wildfly.security] (management task-1) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost' protocol='http'
2022-10-05 10:36:17,377 TRACE [org.wildfly.security] (management task-1) Handling AvailableRealmsCallback: realms = [LDAPRealm]
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security.http.password] (management task-1) Username authentication. Realm: [LDAPRealm], Username: [gumpf].
2022-10-05 10:36:17,377 TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [LDAPRealm]
2022-10-05 10:36:17,377 TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = gumpf
2022-10-05 10:36:17,377 TRACE [org.wildfly.security] (management task-1) Principal assigning: [gumpf], pre-realm rewritten: [gumpf], realm name: [LDAPRealm], post-realm rewritten: [gumpf], realm rewritten: [gumpf]
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1) Obtaining lock for identity [gumpf]...
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1) Obtained lock for identity [gumpf].
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1) Creating [class javax.naming.directory.InitialDirContext] with environment:
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1)     Property [java.naming.security.credentials] with value [******]
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1)     Property [java.naming.security.authentication] with value [simple]
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1)     Property [java.naming.provider.url] with value [ldap://my.ldap.server:389]
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2022-10-05 10:36:17,377 DEBUG [org.wildfly.security] (management task-1)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
2022-10-05 10:36:17,378 DEBUG [org.wildfly.security] (management task-1)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2022-10-05 10:36:17,378 DEBUG [org.wildfly.security] (management task-1)     Property [java.naming.security.principal] with value [CN=my_svc_acc,OU=Service Accounts,OU=Organization,DC=myorg,DC=local]
2022-10-05 10:36:17,378 DEBUG [org.wildfly.security] (management task-1)     Property [java.naming.referral] with value [ignore]
2022-10-05 10:36:17,378 DEBUG [org.wildfly.security] (management task-1)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2022-10-05 10:36:17,381 DEBUG [org.wildfly.security] (management task-1) [javax.naming.ldap.InitialLdapContext@4b805c78] successfully created. Connection established to LDAP server.
2022-10-05 10:36:17,381 DEBUG [org.wildfly.security] (management task-1) Trying to create identity for principal [gumpf].
2022-10-05 10:36:17,381 DEBUG [org.wildfly.security] (management task-1) Executing search [(name={0})] in context [OU=Users,OU=Organization,DC=myorg,DC=local] with arguments [gumpf]. Returning attributes are [userPassword]. Binary attributes are [].
2022-10-05 10:36:17,382 DEBUG [org.wildfly.security] (management task-1) Found entry [CN=gumpf,OU=Users,OU=Organization,DC=myorg,DC=local].
2022-10-05 10:36:17,382 DEBUG [org.wildfly.security] (management task-1) Identity for principal [gumpf] found at [CN=gumpf,OU=Users,OU=Organization,DC=myorg,DC=local].
2022-10-05 10:36:17,382 DEBUG [org.wildfly.security] (management task-1) Context [javax.naming.ldap.InitialLdapContext@4b805c78] was closed. Connection closed or just returned to the pool.
2022-10-05 10:36:17,383 DEBUG [org.wildfly.security.http.basic] (management task-1) User gumpf authentication failed.
2022-10-05 10:36:17,383 TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: fail

Here is the current LDAP structure I'm using, which was fed into the commands listed in the Elytron documentation mentioned above:

dn: dc=myorg,dc=local
dc: myorg
objectClass: top
objectClass: domain

dn: ou=Organization,dc=myorg,dc=local
objectClass: organizationalUnit
objectClass: top
ou: Organization

dn: ou=Users,ou=Organization,dc=myorg,dc=local
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: cn=gumpf,ou=Users,ou=Organization,dc=myorg,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gumpf
name: gumpf

dn: ou=Groups,ou=Organization,dc=myorg,dc=local
objectclass: top
objectclass: organizationalUnit
ou: Groups

dn: cn=Dev,ou=Groups,ou=Organization,dc=myorg,dc=local
objectClass: top
objectClass: group
cn: Dev
member: cn=gumpf,ou=Users,ou=Organization,dc=myorg,dc=local

dn: cn=my_svc_acc,ou=Service Accounts,ou=Organization,dc=myorg,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: my_svc_acc
name: my_svc_acc

Note that this was reconstructed from what I myself can access. I am assuming the userPassword attribute exists, but I can't see it. This is an assumption made with limited LDAP knowledge, so if it shows up in some other form, or if its absence is the cause of the problem I'm having, please let me know.

I had previously enabled org.wildfly.security logging to get more detail (before I got the server connecting to LDAP), but that message does not indicate why the user authentication failed. Is there a way to get more specific information about the immediate operations javax.naming.ldap.InitialLdapContext is performing? Alternatively, if this output or configuration tells someone else why it fails, why does it fail?

Other things I have also tried:

  • The service account credentials and my own are entered correctly
  • An ldapsearch against my.ldap.server for my account
  • Both the service account and my own account exist in Active Directory Explorer

Answer 1

Not sure why it fixed it, but I changed this:

<ldap-realm name="LDAPRealm" dir-context="LDAPContext">
    <identity-mapping rdn-identifier="name" search-base-dn="OU=Users,OU=Organization,DC=myorg,DC=local">
        <attribute-mapping>
            <attribute from="cn" to="Groups" filter="(&amp;(objectClass=group)(member={1}))" filter-base-dn="OU=Groups,OU=Organization,DC=myorg,DC=local"/>
        </attribute-mapping>
        <user-password-mapper from="userPassword"/>
    </identity-mapping>
</ldap-realm>

to this:

<ldap-realm name="LDAPRealm" dir-context="LDAPContext" direct-verification="true">
    <identity-mapping rdn-identifier="name" search-base-dn="OU=Organization,DC=myorg,DC=local" use-recursive-search="true">
        <attribute-mapping>
            <attribute from="name" to="Groups" filter="(&amp;(objectClass=group)(member={1}))" filter-base-dn="OU=Organization,DC=myorg,DC=local"/>
        </attribute-mapping>
        <user-password-mapper from="userPassword"/>
    </identity-mapping>
</ldap-realm>
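The following script is an added example and is not code from the question, the answer, or WildFly itself. It parses the LDIF posted in the question (embedded inline as constructed sample input, with the service-account entry left out) and replays the identity-mapping steps visible in the TRACE log for both the original and the changed ldap-realm: the (name={0}) search under search-base-dn, the (&(objectClass=group)(member={1})) group lookup, and the check that the attribute named in user-password-mapper is actually readable on the entry. That last step is what the log shows failing: the entry is found, but Active Directory does not return a userPassword attribute to a search, so the attribute-based mapper has nothing to compare and the context is closed with "authentication failed". With direct-verification="true", Elytron instead binds to the directory as the found DN with the submitted password, which is why the answer's change works; the wider search-base-dn additionally needs use-recursive-search="true" because the identity search is one level deep by default. The group attribute is kept as cn in the "fixed" run because the posted LDIF does not show the name attribute the answer maps from; the search-recursive default for attribute mappings is assumed from Elytron's documented behaviour.

```python
# Added example: dry run of an Elytron ldap-realm identity mapping against LDIF.
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample input: the directory posted in the question (service
# account omitted; it plays no part in mapping the user 'gumpf').
SAMPLE_LDIF = """\
dn: dc=myorg,dc=local
objectClass: domain
dc: myorg

dn: ou=Organization,dc=myorg,dc=local
objectClass: organizationalUnit
ou: Organization

dn: ou=Users,ou=Organization,dc=myorg,dc=local
objectClass: organizationalUnit
ou: Users

dn: cn=gumpf,ou=Users,ou=Organization,dc=myorg,dc=local
objectClass: person
objectClass: user
cn: gumpf
name: gumpf

dn: ou=Groups,ou=Organization,dc=myorg,dc=local
objectClass: organizationalUnit
ou: Groups

dn: cn=Dev,ou=Groups,ou=Organization,dc=myorg,dc=local
objectClass: group
cn: Dev
member: cn=gumpf,ou=Users,ou=Organization,dc=myorg,dc=local
"""


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse simple LDIF (no folding, no base64) into {dn: {attr: [values]}}.
    LDAP compares DNs and attribute names case-insensitively, so keys are lower-cased."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value.lower()
            elif key:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def in_scope(dn: str, base_dn: str, recursive: bool) -> bool:
    """True if dn lies under base_dn: one level only (Elytron's default for the
    identity search) or the whole subtree (use-recursive-search="true")."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if not dn.endswith("," + base_dn):
        return False
    relative = dn[: -len(base_dn) - 1]
    return recursive or "," not in relative


def find_identity(entries, username, rdn_identifier, search_base_dn, recursive):
    """The '(name={0})' search from the log: exactly one in-scope entry whose
    rdn_identifier attribute equals the supplied user name."""
    hits = [dn for dn, attrs in entries.items()
            if in_scope(dn, search_base_dn, recursive)
            and username.lower() in [v.lower() for v in attrs.get(rdn_identifier.lower(), [])]]
    return hits[0] if len(hits) == 1 else None


def map_groups(entries, identity_dn, filter_base_dn, group_attribute="cn"):
    """The attribute-mapping filter (&(objectClass=group)(member={1})) with {1} = the
    identity's DN. Assumption: the filter subtree is searched recursively (search-recursive)."""
    groups = []
    for dn, attrs in entries.items():
        if not in_scope(dn, filter_base_dn, recursive=True):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        members = {m.lower() for m in attrs.get("member", [])}
        if "group" in classes and identity_dn.lower() in members:
            groups.extend(attrs.get(group_attribute.lower(), []))
    return groups


@dataclass
class MappingResult:
    identity_dn: str | None
    groups: list[str]
    password_attribute_present: bool
    verification: str  # "attribute", "direct" or "none"


def dry_run(entries, username, *, search_base_dn, filter_base_dn, rdn_identifier="name",
            password_attribute="userPassword", use_recursive_search=False,
            direct_verification=False) -> MappingResult:
    dn = find_identity(entries, username, rdn_identifier, search_base_dn, use_recursive_search)
    if dn is None:
        return MappingResult(None, [], False, "none")  # the log would show no 'Found entry'
    present = password_attribute.lower() in entries[dn]
    if direct_verification:
        verification = "direct"     # Elytron binds as `dn` with the submitted password
    elif present:
        verification = "attribute"  # Elytron compares against the fetched attribute value
    else:
        verification = "none"       # entry found, nothing to compare: 'authentication failed'
    return MappingResult(dn, map_groups(entries, dn, filter_base_dn), present, verification)


def run_original() -> MappingResult:
    """The question's configuration: one-level search under OU=Users, no direct verification."""
    return dry_run(parse_ldif(SAMPLE_LDIF), "gumpf",
                   search_base_dn="OU=Users,OU=Organization,DC=myorg,DC=local",
                   filter_base_dn="OU=Groups,OU=Organization,DC=myorg,DC=local")


def run_fixed() -> MappingResult:
    """The answer's configuration: recursive search under OU=Organization plus direct verification."""
    return dry_run(parse_ldif(SAMPLE_LDIF), "gumpf",
                   search_base_dn="OU=Organization,DC=myorg,DC=local",
                   filter_base_dn="OU=Organization,DC=myorg,DC=local",
                   use_recursive_search=True, direct_verification=True)


def run_fixed_without_recursion() -> MappingResult:
    """The wider base DN without use-recursive-search: the one-level search misses the user."""
    return dry_run(parse_ldif(SAMPLE_LDIF), "gumpf",
                   search_base_dn="OU=Organization,DC=myorg,DC=local",
                   filter_base_dn="OU=Organization,DC=myorg,DC=local", direct_verification=True)


if __name__ == "__main__":
    for label, fn in [("original", run_original), ("fixed", run_fixed),
                      ("fixed, no recursion", run_fixed_without_recursion)]:
        print(f"{label}: {fn()}")
```

Running it shows the original configuration finding the entry and the Dev group but ending with verification "none", which matches the "Found entry ... Context ... was closed ... authentication failed" sequence in the log, while the changed configuration ends with "direct". The third run shows why use-recursive-search="true" had to accompany the wider search-base-dn.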
