sonarqube - active directory ldap error code 49

荒凉一梦 提交于 2019-12-23 12:22:51

问题


I've got an instance of sonarqube 5.5 running. I wanted to use the sonar-ldap-plugin 1.5.1 in order to delegate the authentication and authorization to the Active Directory service of my company.

The configuration for the LDAP plugin is the following (modulo some obfuscation):

sonar.authenticator.createUsers=false
sonar.security.savePassword=false
sonar.security.realm=LDAP
ldap.url=ldap://host.my.domain

ldap.user.baseDn=OU=Users,OU=Organic Units,DC=my,DC=domain
ldap.user.request=(&(objectClass=user) (sAMAccountName={login}))
ldap.authentication=DIGEST-MD5
ldap.bindDn=CN=harmlessServiceAccount,OU=users,OU=Organic Units,DC=my,DC=domain
ldap.bindPassword=<the user password in clear text>

sonar.log.level=DEBUG

And the sonarqube server reports the following error:

2016.07.13 10:19:38 INFO  web[o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2016.07.13 10:19:38 ERROR web[o.a.c.c.C.[.[.[/]] Exception sending context initialized event to listener instance of class org.sonar.server.platform.PlatformServletContextListener 
java.lang.IllegalStateException: Unable to open LDAP connection
...
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1^@]
...

I did the exact same query with ldapsearch and did not meet any problem. So I think the Active Directory service is correct and accepts this user and the DIGEST-MD5 SASL mechanism.

I also used the same user through sonarqube with the SIMPLE (unsecure) mechanism and it was working "properly" as well. I also tried to put the md5 hash of the password instead of the password. And I tried a lot of other things I'm not proud of...

I read many similar issues online (stack overflow, other sources) and couldn't find a solution yet. Do you see anything wrong in my configuration? Am I doomed to use the SIMPLE mechanism and let everyone's password move around in clear text? I cannot use CRAM-MD5 neither GSSAPI as they are not supported by my company's active directory service.

Thank you for your help, Jc


回答1:


The error code 49, has a subcode in it that tells you what the failure cause was. You reported:

[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1^@]

The data 52e part is the key.

Check out the list I maintain here, and you will see that 52e means bad password for your bind user. 525 would be bad DN for your user, so you have the correct LDAP DN, but the wrong password.




回答2:


I just encountered this and fixed it on sonarqube 6.x. and ldap plugin 2.2

The 52e will be a bit misleading I found as it can be invalid password, but that is also possible if the login is incorrect. http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

I had the following in my config

ldap.bindDn=domain\query_account

This has worked for other things but not SonarQube. Your line sonar.log.level=DEBUG actually helped me, I turned it on and it showed me the problem, I needed to escape the \ character. So this worked for me.

ldap.bindDn=domain\\query_account

this might not be your problem, but it definitely was mine. Hope it helps.



来源:https://stackoverflow.com/questions/38346609/sonarqube-active-directory-ldap-error-code-49

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!