问题
I've got an instance of sonarqube 5.5 running. I wanted to use the sonar-ldap-plugin 1.5.1 in order to delegate the authentication and authorization to the Active Directory service of my company.
The configuration for the LDAP plugin is the following (modulo some obfuscation):
sonar.authenticator.createUsers=false
sonar.security.savePassword=false
sonar.security.realm=LDAP
ldap.url=ldap://host.my.domain
ldap.user.baseDn=OU=Users,OU=Organic Units,DC=my,DC=domain
ldap.user.request=(&(objectClass=user) (sAMAccountName={login}))
ldap.authentication=DIGEST-MD5
ldap.bindDn=CN=harmlessServiceAccount,OU=users,OU=Organic Units,DC=my,DC=domain
ldap.bindPassword=<the user password in clear text>
sonar.log.level=DEBUG
And the sonarqube server reports the following error:
2016.07.13 10:19:38 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2016.07.13 10:19:38 ERROR web[o.a.c.c.C.[.[.[/]] Exception sending context initialized event to listener instance of class org.sonar.server.platform.PlatformServletContextListener
java.lang.IllegalStateException: Unable to open LDAP connection
...
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1^@]
...
I did the exact same query with ldapsearch and did not meet any problem. So I think the Active Directory service is correct and accepts this user and the DIGEST-MD5 SASL mechanism.
I also used the same user through sonarqube with the SIMPLE (unsecure) mechanism and it was working "properly" as well. I also tried to put the md5 hash of the password instead of the password. And I tried a lot of other things I'm not proud of...
I read many similar issues online (stack overflow, other sources) and couldn't find a solution yet. Do you see anything wrong in my configuration? Am I doomed to use the SIMPLE mechanism and let everyone's password move around in clear text? I cannot use CRAM-MD5 neither GSSAPI as they are not supported by my company's active directory service.
Thank you for your help, Jc
回答1:
The error code 49, has a subcode in it that tells you what the failure cause was. You reported:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1^@]
The data 52e part is the key.
Check out the list I maintain here, and you will see that 52e means bad password for your bind user. 525 would be bad DN for your user, so you have the correct LDAP DN, but the wrong password.
回答2:
I just encountered this and fixed it on sonarqube 6.x. and ldap plugin 2.2
The 52e will be a bit misleading I found as it can be invalid password, but that is also possible if the login is incorrect. http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
I had the following in my config
ldap.bindDn=domain\query_account
This has worked for other things but not SonarQube. Your line sonar.log.level=DEBUG
actually helped me, I turned it on and it showed me the problem, I needed to escape the \
character. So this worked for me.
ldap.bindDn=domain\\query_account
this might not be your problem, but it definitely was mine. Hope it helps.
来源:https://stackoverflow.com/questions/38346609/sonarqube-active-directory-ldap-error-code-49