2013-02-28 116 views
1

WSO2 Identity Server with OpenLDAP and SSL

I'm trying to set up a new WSO2IS 4.1.0 server and connect it back to an OpenLDAP server. Our server requires SSL connections.

When I configure the connection as an LDAPS connection, it fails to validate the certificate (yes, the root CA is in the trust store). If I don't set the connection to LDAPS, then it doesn't attempt StartTLS. I have verified that my connection account works, that the LDAP server has a commercially issued certificate (don't let the example.com domain fool you, I've sanitized it), and that the root CA is listed in the client trust list.

Any help figuring this out would be greatly appreciated!

Below is the LDAP configuration:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> 
    <Property name="ConnectionURL">ldaps://ldapserver.example.com:636</Property> 
    <!--Property name="ConnectionURL">ldap://ldapserver.example.com:389</Property--> 
    <Property name="ConnectionName">uid=wso2,dc=example,dc=com</Property> 
    <Property name="ConnectionPassword">awesomepassword</Property> 
    <Property name="passwordHashMethod">SHA</Property> 
    <Property name="UserNameListFilter">(objectClass=person)</Property> 
    <Property name="UserEntryObjectClass">inetOrgPerson</Property> 
    <Property name="UserSearchBase">ou=Users,dc=opendaylight,dc=org</Property> 
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property> 
    <Property name="UserNameAttribute">uid</Property> 
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property> 
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property> 
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property> 
    <Property name="ReadLDAPGroups">true</Property> 
    <Property name="WriteLDAPGroups">true</Property> 
    <Property name="EmptyRolesAllowed">false</Property> 
    <Property name="GroupSearchBase">ou=Groups,dc=example,dc=com</Property> 
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
    <Property name="GroupEntryObjectClass">groupOfNames</Property> 
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
    <Property name="GroupNameAttribute">cn</Property> 
    <Property name="MembershipAttribute">member</Property> 
    <Property name="UserRolesCacheEnabled">true</Property> 
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
    <Property name="maxFailedLoginAttempt">0</Property> 
</UserStoreManager> 

Here is the server log with my current configuration:

[2013-02-28 03:48:32,380] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon... 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home  : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version  : 1.7.0_09-icedtea 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM   : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation 
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home  : /opt/wso2is/wso2is 
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp 
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User    : wso2is, en-US, Zulu 
[2013-02-28 03:48:32,416] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU 
[2013-02-28 03:48:32,417] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024 
[2013-02-28 03:48:32,427] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created ! 
[2013-02-28 03:48:32,446] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client 
[2013-02-28 03:48:32,515] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system 
[2013-02-28 03:48:32,581] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled. 
[2013-02-28 03:48:34,547] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. simple bind failed: ldapserver.example.com:636 
javax.naming.CommunicationException: simple bind failed: ldapserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] 
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) 
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740) 
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) 
    at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834) 
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) 
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) 
    at javax.naming.InitialContext.init(InitialContext.java:242) 
    at javax.naming.InitialContext.<init>(InitialContext.java:216) 
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) 
    at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114) 
    at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525) 
    at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225) 
    at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147) 
    at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116) 
    at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67) 
    at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683) 
    at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381) 
    at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389) 
    at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1) 
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230) 
    at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340) 
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) 
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) 
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) 
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) 
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) 
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) 
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) 
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882) 
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) 
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:235) 
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:275) 
    at java.io.BufferedInputStream.read(BufferedInputStream.java:334) 
    at com.sun.jndi.ldap.Connection.run(Connection.java:849) 
    at java.lang.Thread.run(Thread.java:722) 
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) 
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) 
    at sun.security.validator.Validator.validate(Validator.java:260) 
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) 
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) 
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) 
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) 
    ... 12 more 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) 
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) 
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) 
    ... 18 more 
[2013-02-28 03:48:34,556] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection. 

Here is part of what I get if I switch the ConnectionURL to plain LDAP:

[2013-02-28 04:22:21,491] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon... 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home  : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version  : 1.7.0_09-icedtea 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM   : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home  : /opt/wso2is/wso2is 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp 
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User    : wso2is, en-US, Zulu 
[2013-02-28 04:22:21,524] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU 
[2013-02-28 04:22:21,525] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024 
[2013-02-28 04:22:21,541] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created ! 
[2013-02-28 04:22:21,562] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client 
[2013-02-28 04:22:21,624] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system 
[2013-02-28 04:22:22,711] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled. 
[2013-02-28 04:22:27,432] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. [LDAP: error code 13 - confidentiality required] 
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required] 
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078) 
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) 
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) 
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) 
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) 
    at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834) 
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) 
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) 
    at javax.naming.InitialContext.init(InitialContext.java:242) 
    at javax.naming.InitialContext.<init>(InitialContext.java:216) 
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) 
    at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114) 
    at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525) 
    at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225) 
    at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147) 
    at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103) 
    at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116) 
    at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67) 
    at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702) 
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683) 
    at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381) 
    at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389) 
    at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438) 
    at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1) 
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230) 
    at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340) 
[2013-02-28 04:22:27,437] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection. 
+0

As a workaround, since I'm still not able to validate the certificate from the root CA via the sub-authority (both of which are in the trust store), I have found that importing the public certificate of the target LDAP server does resolve the issue. This is not a particularly good way to handle the problem, since that certificate is only valid for 1 year while the CA certificate is valid for much longer! – tykeal 2013-03-05 16:21:40
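A hypothetical diagnostic, added here and not code from the question or from WSO2, that reproduces the JSSE validation seen in the log above against a given truststore and, when the handshake fails, reports whether the server omits its intermediate CA or the truststore lacks the root, the two cases the question and the comment are circling around. It assumes the class name LdapsChainCheck and takes host, port, truststore path and password as arguments; the truststore should be the one the Identity Server JVM actually starts with.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
// Hypothetical diagnostic, not WSO2 code. Usage (truststore = the one the IS JVM runs with):
//   java LdapsChainCheck ldapserver.example.com 636 /path/to/truststore.jks <password>
public class LdapsChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) { ts.load(in, args[3].toCharArray()); }
        // The same PKIX trust manager JSSE builds from this truststore, wrapped so that the chain
        // the server presented is kept even when validation throws (as it does in the log above).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final List<X509Certificate> presented = new ArrayList<>();
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                presented.addAll(Arrays.asList(c));  // record first, then validate exactly as JSSE would
                real.checkServerTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("handshake OK: this truststore validates the chain, so the IS JVM must be using another one");
            return;
        } catch (SSLHandshakeException e) {
            System.out.println("handshake failed: " + e.getMessage());
        }
        if (presented.isEmpty()) { System.out.println("no certificate received; failure happened before the server's Certificate message"); return; }
        for (X509Certificate c : presented)
            System.out.println("  server sent: " + c.getSubjectX500Principal() + "  issued by " + c.getIssuerX500Principal());
        X509Certificate top = presented.get(presented.size() - 1);  // is its issuer present in the truststore?
        boolean selfSigned = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        boolean issuerInStore = false;
        for (String alias : Collections.list(ts.aliases())) {
            Certificate t = ts.getCertificate(alias);
            if (t instanceof X509Certificate
                && ((X509Certificate) t).getSubjectX500Principal().equals(top.getIssuerX500Principal())) issuerInStore = true;
        }
        if (!selfSigned && !issuerInStore)
            System.out.println("server omits its intermediate CA and the truststore lacks it: import the intermediate (or the full chain), not just the root");
        else if (selfSigned && !issuerInStore)
            System.out.println("the root the server chains to is absent from this truststore: " + top.getSubjectX500Principal());
        else
            System.out.println("issuer is present, so the path fails for another reason: check validity dates, key usage or name constraints");
    }
}
```

If the check passes against the file you believe is the truststore while the server still logs the PKIX error, compare that path with the javax.net.ssl.trustStore setting the Identity Server is started with.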

Answers

0

Try adding the CA certificate to repository/resources/security/wso2carbon.jk. If your certificate has any intermediate signers, you may also need to import the whole chain as a single entry.

+0

I had tried that. It never worked for me. For now I'm still using the workaround listed above. I'm not particularly happy about it. – tykeal 2013-04-03 16:18:24