我正在尝试设置一个新的 WSO2IS 4.1.0 服务器并将其连接回 OpenLDAP 服务器。我们的服务器需要 SSL 连接。
当我将连接配置为 LDAPS 连接时,我无法验证证书(是的,根 CA 在信任库中)。如果我没有设置与 LDAPS 的连接,那么它将无法尝试 StartTLS。我已验证我的连接帐户有效,并且 LDAP 服务器具有商业颁发的证书(不要让 example.com 域欺骗你,我擦洗过),根 CA 列在 client-truststore.jks
如果您能帮助解决这个问题,我们将不胜感激!
这是我当前的 LDAP 配置段
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="ConnectionURL">ldaps://ldapserver.example.com:636</Property>
<!--Property name="ConnectionURL">ldap://ldapserver.example.com:389</Property-->
<Property name="ConnectionName">uid=wso2,dc=example,dc=com</Property>
<Property name="ConnectionPassword">awesomepassword</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserSearchBase">ou=Users,dc=opendaylight,dc=org</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="GroupSearchBase">ou=Groups,dc=example,dc=com</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
这是服务器日志的一部分
[2013-02-28 03:48:32,380] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon...
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version : 1.7.0_09-icedtea
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation
[2013-02-28 03:48:32,383] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home : /opt/wso2is/wso2is
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp
[2013-02-28 03:48:32,384] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User : wso2is, en-US, Zulu
[2013-02-28 03:48:32,416] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU
[2013-02-28 03:48:32,417] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024
[2013-02-28 03:48:32,427] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created !
[2013-02-28 03:48:32,446] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client
[2013-02-28 03:48:32,515] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system
[2013-02-28 03:48:32,581] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled.
[2013-02-28 03:48:34,547] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. simple bind failed: ldapserver.example.com:636
javax.naming.CommunicationException: simple bind failed: ldapserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114)
at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225)
at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147)
at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113)
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389)
at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at com.sun.jndi.ldap.Connection.run(Connection.java:849)
at java.lang.Thread.run(Thread.java:722)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 18 more
[2013-02-28 03:48:34,556] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection.
如果我将它切换到普通的 ldap connectionURL,这是我得到的结果
[2013-02-28 04:22:21,491] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Starting WSO2 Carbon...
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Operating System : Linux 2.6.32-358.el6.x86_64, amd64
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Home : /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Version : 1.7.0_09-icedtea
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java VM : OpenJDK 64-Bit Server VM 23.7-b01,Oracle Corporation
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Carbon Home : /opt/wso2is/wso2is
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - Java Temp Dir : /opt/wso2is/wso2is/tmp
[2013-02-28 04:22:21,494] INFO {org.wso2.carbon.core.internal.CarbonCoreActivator} - User : wso2is, en-US, Zulu
[2013-02-28 04:22:21,524] WARN {org.wso2.carbon.core.bootup.validator.SystemValidator} - Could not validate the system for configuration parameter : CPU
[2013-02-28 04:22:21,525] WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} - Maximum free Disk Space (MB): 665 of the system is below the recommended minimum size :1024
[2013-02-28 04:22:21,541] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created !
[2013-02-28 04:22:21,562] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client
[2013-02-28 04:22:21,624] INFO {org.wso2.carbon.identity.authenticator.iwa.ui.internal.Activator} - Integrated Windows Authenticator enabled in the system
[2013-02-28 04:22:22,711] INFO {org.wso2.carbon.ldap.server.DirectoryActivator} - Embedded LDAP is disabled.
[2013-02-28 04:22:27,432] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Error obtaining connection. [LDAP: error code 13 - confidentiality required]
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContextFactory.getInitialContext(CarbonContextDataHolder.java:834)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:114)
at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:133)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:225)
at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:147)
at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:113)
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:103)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:116)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:67)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:389)
at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1130)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
[2013-02-28 04:22:27,437] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} - Trying again to get connection.
最佳答案
尝试将 CA 证书添加到 repository/resources/security/wso2carbon.jks,如果您的证书有任何中间签名者,您可能还需要将整个链作为单个条目导入。
关于ssl - 具有 OpenLDAP 和 SSL 的 WSO2 身份服务器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15127543/