所以我一直在使用最新版本的WSO2 IS(5.3.0)进行一些测试,只是在笔记本电脑上本地运行。
我已设置AD集成,并使用Delegated Control设置LDAP绑定帐户用户,以重置特定OU上的密码及其中的对象。同一个LDAP绑定帐户也配置为INTERNAL / admin帐户。
当上述特定OU中的两个用户中的任何一个登录时,他们可以更改其密码。我正在使用的管理员帐户可以找到它们,但不能更改其密码(在AD术语中,"重置密码",即使它应该能够。
这是我的user-mgt.xml(我已删除已注释掉的大块):
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>ADMIN</UserName>
<Password>PASSWORD</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">false</Property>
<!-- <Property name="initializeNewClaimManager">true</Property> -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<!-- <Property name="AnonymousBind">false</Property> -->
<Property name="BackLinksEnabled">true</Property>
<Property name="ConnectionName">CN=ADMIN,OU=DEPARTMENT,OU=USERS,DC=EXAMPLE,DC=COM</Property>
<Property name="ConnectionPassword">PASSWORD</Property>
<!-- <Property name="ConnectionPoolingEnabled">false</Property> -->
<Property name="ConnectionURL">LDAPS://DC.EXAMPLE.COM:636</Property>
<Property name="defaultRealmName">EXAMPLE.COM</Property>
<Property name="DisplayNameAttribute">sAMAccountName</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupSearchBase">OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=COM</Property>
<Property name="isADLDSRole">false</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="kdcEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<!-- <Property name="MemberOfAttribute">memberOf</Property> -->
<Property name="MembershipAttribute">member</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<!-- <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property> -->
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="ReadTimeout"/>
<Property name="Referral">follow</Property>
<Property name="RetryAttempts"/>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<!-- <Property name="userAccountControl">512</Property> -->
<Property name="userAccountControl">66048</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<!-- <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property> -->
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(sAMAccountName=?))</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="UserSearchBase">OU=EXAMPLE Users,DC=EXAMPLE,DC=COM</Property>
<Property name="WriteGroups">false</Property>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
这是我的调试:
[2017-08-18 17:00:02,466] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : ADMIN resource /permission/admin/manage/identity/usermgt/update action : ui.execute
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin/manage/identity/usermgt/update Action: ui.execute
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin/manage/identity/usermgt/update action : ui.execute
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - ADMIN user has permitted resource : /permission/admin/manage/identity/usermgt/update, action :ui.execute
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : username01 resource /permission action : ui.execute
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission Action: ui.execute
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission action : ui.execute
[2017-08-18 17:00:02,469] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin
[2017-08-18 17:00:02,469] DEBUG {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Retrieving internal roles for user name : username01 and search filter *
[2017-08-18 17:00:02,470] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01
[2017-08-18 17:00:02,544] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase:
[2017-08-18 17:00:02,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Name in space for username01 is CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM
[2017-08-18 17:00:02,549] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Escaped DN value for filter : CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Reading roles with the membershipProperty Property: member
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Result for searchBase: OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM searchFilter: (&(objectcategory=group)(member=CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM)) property:cn appendDN: false
[2017-08-18 17:00:02,627] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user has permitted resource : /permission, action :ui.execute
[2017-08-18 17:00:02,627] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user is not Authorized to perform ui.execute on /permission
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : username01 resource /permission/admin action : ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin Action: ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin action : ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user has permitted resource : /permission/admin, action :ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - username01 user is not Authorized to perform ui.execute on /permission/admin
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true
[2017-08-18 17:00:02,681] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - value after escaping special characters in USER NAME01 : USER NAME01
[2017-08-18 17:00:02,687] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - Can not access the directory service for user : username01
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM'
]; remaining name 'CN=USER NAME01'
...
[2017-08-18 17:00:02,970] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache miss for username : ADMIN resource /permission/admin/login action : ui.execute
[2017-08-18 17:00:02,971] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Allowed roles for the ResourceID: /permission/admin/login Action: ui.execute
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/admin
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - role: INTERNAL/everyone
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Roles which have permission for resource : /permission/admin/login action : ui.execute
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/admin
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Role : INTERNAL/everyone
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - ADMIN user has permitted resource : /permission/admin/login, action :ui.execute
(希望我已经很好地消毒了这些......)
当其中一个用户登录并成功更改密码时,这就是日志的样子:
[2017-08-18 17:21:27,471] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01
[2017-08-18 17:21:27,472] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,472] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true
[2017-08-18 17:21:27,534] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase:
[2017-08-18 17:21:27,535] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :ref
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user username01
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: username01 exist: true
[2017-08-18 17:21:27,627] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase:
[2017-08-18 17:21:27,627] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Requesting attribute :accountLock
[2017-08-18 17:21:27,632] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating user username01
[2017-08-18 17:21:27,632] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Cache hit. Using DN CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM
[2017-08-18 17:21:27,705] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM is authnticated: true
[2017-08-18 17:21:27,712] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating user username01
[2017-08-18 17:21:27,712] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Cache hit. Using DN CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM
[2017-08-18 17:21:27,783] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - User: CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM is authnticated: true
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/users
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/passwords
[2017-08-18 17:21:28,032] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/profiles
我已经确认密码确实在AD中通过简单的方式进行了更改:Get-ADUser username01 -Properties *
无论如何,有人可以指出错误吗?我们有一个合作伙伴正在为我们和他们建立一个这样的生产版本,同时还有其他问题(因此我设置了我自己的本地版本以帮助测试),他们确实允许用户登录并更改他们的拥有自己的密码,以及这个ADMIN用户登录并更改这两个用户的密码。
我甚至尝试将他们的user-mgt.xml复制到我的本地实例中,但这也没有用。我认为生产版本是5.1.0,而我的版本是5.3.0,但这可能是相关的。
帮助?
答案 0 :(得分:0)
IS CN = ADMIN,OU = DEPARTMENT,OU = USERS,DC = EXAMPLE,DC = COM用户在AD中有权更改其他用户的密码。为了获得最佳实践,请创建具有域控制权限的用户,然后重试。
此致 Tayyab