Nexus and LDAP - JNDI issue when authenticating users with OpenLDAP Server

I use the Nexus repository manager (nexus.sonatype.org) with the open source LDAP plugin (code.google.com/p/nexus-ldap/) and I get an error message indicating that the wrong version of the protocol is being used (details below). All plugins use the LDAP JNDI provider to connect to my LDAP server. If you look at the stack trace in the nexus.log file, the exception occurs during context initialization in the JNDI LDAP implementation. Therefore, I assume that the problem described below is not caused by the Nexus plugin, but by improper use of JNDI or a misunderstanding of LDAP authentication.

Any guess or idea about what causes this is greatly appreciated!

What steps will reproduce the problem?

  • Configure Nexus to use LdapAuthenticatingRealm against an OpenLDAP 1.2.x server, i.e. version 2 of the LDAP protocol.
  • Try to look up users on the OpenLDAP server and map them to roles in the Nexus user interface: this works fine.
  • Now try logging in or authenticating against the running Nexus instance with the LDAP user that was successfully mapped to the role.

What is the expected result? What do you see instead?

When you try to log in, you receive the error message "Invalid username, password or no permission to use the Nexus user interface. Try again." In the Nexus log file, I see an exception that occurs when the Sun JNDI LDAP implementation (see the stack trace taken from the log file below) tries to initialize the context with this information in order to authenticate the user on the LDAP server. Finding a user through the Nexus user interface works fine, and the user search during authentication also succeeds (see the log file below).

The error message contained in the CommunicationException ("[LDAP: error code 2 - version not supported]") indicates the use of the wrong LDAP version. I tried to explicitly use version 2 of the protocol, since OpenLDAP version 1.2.7-30 only supports LDAP v2 (enterprise environment; the server version is not negotiable). I did this by checking out the source code and adding the line env.put("java.naming.ldap.version", "2"); at se.devoteam.nexus.ldap.NexusLdapContextFactory:52. Nothing changed.

During testing, looking at the Sun source code, I realized that the first thing javax.naming.ldap.InitialLdapContext.InitialLdapContext() does is set the LDAP protocol version to "3" (javax.naming.ldap.InitialLdapContext:131). The Java 6 documentation explains the property I used (java.sun.com/javase/6/docs/technotes/guide/jndi/jndi-ldap-gl.html#version), and the JNDI tutorial refers to it as well (java.sun.com/products/jndi/tutorial/ldap/misc/version.html). Interesting: is there any way to use LDAP version 2 when using JNDI as an LDAP service provider?

Next, I tried to use a fairly recent version of the OpenLDAP server (openldap2-2.3) as an LDAP protocol version 3 proxy that would forward the requests to the older server. Same problem, same exception.

Additional Information

Environment:
  • Nexus Webapp deployed on Tomcat 6.0.16
  • Nexus version: 1.3.6
  • ldap-realm version: 0.4
  • JRE version: JDK 1.6.0_14-b08
  • Platform: virtual environment
  • LDAP directory: OpenLDAP 1.2.7 and 2.2.3

Relevant part of nexus.log:

2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - osjrPlexusSecur~ - Realm: 'org.sonatype.jsecurity.realms.XmlAuthenticatingRealm', caused: User 'testuser' cannot be retrieved.
org.jsecurity.authc.AccountException: User 'testuser' cannot be retrieved.
    at org.sonatype.jsecurity.realms.XmlAuthenticatingRealm.doGetAuthenticationInfo(XmlAuthenticatingRealm.java:68)
    at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168)
    at org.sonatype.jsecurity.web.WebPlexusSecurity.getAuthenticationInfo(WebPlexusSecurity.java:185)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276)
    at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141)
    at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171)
    at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312)
    at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237)
    at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49)
    at org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.onAccessDenied(NexusHttpAuthenticationFilter.java:121)
    at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145)
    at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175)
    at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57)
    at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419)
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.sonatype.jsecurity.realms.tools.NoSuchUserException: User with id='testuser' not found!
    at org.sonatype.jsecurity.realms.tools.DefaultConfigurationManager.readUser(DefaultConfigurationManager.java:410)
    at org.sonatype.jsecurity.realms.tools.ResourceMergingConfigurationManager.readUser(ResourceMergingConfigurationManager.java:278)
    at org.sonatype.jsecurity.realms.XmlAuthenticatingRealm.doGetAuthenticationInfo(XmlAuthenticatingRealm.java:64)
    ... 29 more
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlLdapAuthent~ - Authenticating user 'testuser' through LDAP
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlLdapAuthent~ - LDAP user search filter: (&(objectClass=account)(uid={0}))
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP security principal not set
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP security credentials not set
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP provider url(s): ldap://ldap:389
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP initial context factory: com.sun.jndi.ldap.LdapCtxFactory
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP security protocol: null
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP security authentication: null
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP search scope: subtree
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlLdapAuthent~ - User object found
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlLdapAuthent~ - LDAP authentication principal: uid=testuser, dc=corporation,dc=de
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP provider url(s): ldap://ldap:389
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP initial context factory: com.sun.jndi.ldap.LdapCtxFactory
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP security protocol: null
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - sdnlNexusLdapCo~ - LDAP security authentication: null
2009-10-23 15:06:37 ERROR [ajp-8009-3 ] - ojrlAbstractLda~ - LDAP naming error while attempting to authenticate user.
javax.naming.CommunicationException: [LDAP: error code 2 - version not supported]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3089)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at se.devoteam.nexus.ldap.NexusLdapContextFactory.getLdapContext(NexusLdapContextFactory.java:63)
    at se.devoteam.nexus.ldap.LdapAuthenticatingRealm.queryForAuthenticationInfo(LdapAuthenticatingRealm.java:139)
    at org.jsecurity.realm.ldap.AbstractLdapRealm.doGetAuthenticationInfo(AbstractLdapRealm.java:186)
    at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168)
    at org.sonatype.jsecurity.web.WebPlexusSecurity.getAuthenticationInfo(WebPlexusSecurity.java:185)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186)
    at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276)
    at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141)
    at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171)
    at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312)
    at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237)
    at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49)
    at org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter.onAccessDenied(NexusHttpAuthenticationFilter.java:121)
    at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145)
    at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175)
    at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57)
    at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
    at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419)
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509)
    at java.lang.Thread.run(Thread.java:619)
2009-10-23 15:06:37 INFO [ajp-8009-3 ] - osnsfaNexusSe~ - Unable to authenticate user [testuser] from address/host [172.31.2.155/172.31.2.155]
2009-10-23 15:06:37 DEBUG [ajp-8009-3 ] - osneAuthenticat~:default - Notifying 1 EventListener about event org.sonatype.nexus.auth.NexusAuthenticationEvent fired ( org.sonatype.nexus.auth.NexusAuthenticationEvent@d637d )
1 answer

Mmmm ... I am not an LDAP expert, but according to Bug ID 4908306, "LDAP provider version negotiation fails with OpenLDAP server (LDAP v2)":

InitialLdapContext is used only for LDAP v3. It adds DirContext methods that make sense only for v3. To use DirContext methods, use InitialDirContext. InitialDirContext will perform the corresponding v2/v3 negotiation. The change was made in 1.4.1 to strengthen the implementation to meet the specifications and also to avoid sending extraneous BINDs for v3.

Actually, my understanding of the comment above and of the InitialLdapContext javadoc is as follows:

This class is the initial context for performing advanced operations and LDAPv3-style controls.

The InitialLdapContext class cannot be used for LDAP v2; it explicitly sets the java.naming.ldap.version environment property to "3" in its source. For LDAP v2, you will need to use InitialDirContext.

If changing the server is not an option, I assume you will have to plan for http://code.google.com/p/nexus-ldap/
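An added example, not code from the nexus-ldap plugin or from the answer above, showing the bind the answer describes: the context is created with InitialDirContext so that java.naming.ldap.version=2 is honoured, whereas InitialLdapContext overwrites the property with "3" in its constructor. The provider URL, user DN and user name are placeholders modelled on the log in the question.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Simple bind against an LDAP v2 server through JNDI (added example, not part of
 * nexus-ldap). InitialDirContext lets the provider negotiate v2/v3; InitialLdapContext
 * would force v3 and trigger "[LDAP: error code 2 - version not supported]".
 */
public class LdapV2Bind {

    /** Returns true when the bind succeeds, false when the server rejects the credentials. */
    public static boolean authenticate(String providerUrl, String userDn, String password)
            throws NamingException {
        // An empty password turns a simple bind into an unauthenticated (anonymous) bind,
        // which most directories accept; refuse it here so it can never count as a login.
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put("java.naming.ldap.version", "2");   // request LDAP v2 on the wire
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // A simple bind sends the password in clear text over plain ldap://; restrict it to a
        // trusted network segment, or use an ldaps:// URL where the server supports it.
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);       // the bind happens in the constructor
            return true;
        } catch (AuthenticationException e) {       // LDAP result code 49: bad DN or password
            return false;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values modelled on the question's log; the password is read from argv.
        boolean ok = authenticate("ldap://ldap:389", "uid=testuser,dc=corporation,dc=de", args[0]);
        System.out.println(ok ? "bind accepted" : "bind rejected");
    }
}
```

Any other NamingException, including the CommunicationException with error code 2 from the question, propagates to the caller, so a protocol version mismatch is not silently reported as bad credentials.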
