我一直在用jasper 6.4.0对一个活动目录服务器进行身份验证,现在已经出现了以下错误。
2017-10-16 13:39:35,145 WARN JSLdapAuthenticationProvider,http-apr-8080-exec-9:62 - [
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ];
nested exception is javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]
根据我收集的内容,data 52e表示凭据无效。我尝试将配置中的服务帐户密码更改为bob以查看是否会收到相同的错误(显示绑定到ldaps服务器时出错,而不是我登录的测试帐户和),我做了。
以下是jasper中服务帐户的配置。
<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
<constructor-arg value="ldaps://MyLDAPSServer:636/"/>
<!-- manager user name and password (may not be needed) -->
<property name="userDn" value="dc=mydomain,dc=com,uid=MyServiceAccount"/>
<property name="password" value="SomePasswordWithSpecialCharacters"/>
</bean>
我确信用户名和密码是正确的。我可以使用以下Python代码对相同的ldaps服务器进行身份验证。
from ldap3 import Server, \
Connection, \
AUTO_BIND_NO_TLS, \
SUBTREE, \
ALL_ATTRIBUTES
def get_ldap_info(u):
with Connection(Server('MyLDAPSServer', port=636, use_ssl=True),
auto_bind=AUTO_BIND_NO_TLS,
read_only=True,
check_names=True,
user='MyServiceAccount', password='SomePasswordWithSpecialCharacters') as c:
c.search(search_base='DC=mydomain,DC=com',
search_filter='(&(samAccountName=' + u + '))',
search_scope=SUBTREE,
attributes=ALL_ATTRIBUTES,
get_operational_attributes=True)
print(c.response_to_json())
print(c.result)
get_ldap_info('test.user')
我能够想到的一件事是,jasper可能不喜欢在密码中加入特殊字符吗?
以下是jasper服务器的其余配置,以防我遗漏某些内容。
<!--
~ Copyright (C) 2005 - 2014 TIBCO Software Inc. All rights reserved.
~ http://www.jaspersoft.com.
~ Licensed under commercial Jaspersoft Subscription License Agreement
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- ############ LDAP authentication ############
- Sample configuration of external authentication via an external LDAP server.
-->
<bean id="proxyAuthenticationProcessingFilter" class="com.jaspersoft.jasperserver.api.security.EncryptionAuthenticationProcessingFilter"
parent="mtAuthenticationProcessingFilter">
<property name="authenticationManager">
<ref local="ldapAuthenticationManager"/>
</property>
<property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler" />
</bean>
<bean id="proxyAuthenticationSoapProcessingFilter"
class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTDefaultAuthenticationSoapProcessingFilter">
<property name="authenticationManager" ref="ldapAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler" />
<property name="filterProcessesUrl" value="/services"/>
</bean>
<bean id="proxyAuthenticationRestProcessingFilter" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTDefaultAuthenticationRestProcessingFilter">
<property name="authenticationManager">
<ref local="ldapAuthenticationManager"/>
</property>
<property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler" />
<property name="filterProcessesUrl" value="/rest/login"/>
</bean>
<bean id="proxyRequestParameterAuthenticationFilter"
class="com.jaspersoft.jasperserver.war.util.ExternalRequestParameterAuthenticationFilter" parent="requestParameterAuthenticationFilter">
<property name="authenticationManager">
<ref local="ldapAuthenticationManager"/>
</property>
<property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
</bean>
<bean id="externalAuthSuccessHandler"
class="com.jaspersoft.jasperserver.api.security.externalAuth.JrsExternalAuthenticationSuccessHandler" parent="successHandler">
<property name="externalDataSynchronizer">
<ref local="externalDataSynchronizer"/>
</property>
</bean>
<bean id="proxyBasicProcessingFilter"
class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTExternalAuthBasicProcessingFilter" parent="mtBasicProcessingFilter">
<property name="authenticationManager" ref="ldapAuthenticationManager"/>
<property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
</bean>
<bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">
<property name="providers">
<list>
<ref local="ldapAuthenticationProvider"/>
<ref bean="${bean.daoAuthenticationProvider}"/>
<!--anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
<ref bean="anonymousAuthenticationProvider"/>-->
</list>
</property>
</bean>
<bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
<constructor-arg>
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
<constructor-arg><ref local="ldapContextSource"/></constructor-arg>
<property name="userSearch" ref="userSearch"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
<constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
<constructor-arg index="1"><value></value></constructor-arg>
<property name="groupRoleAttribute" value="title"/>
<property name="groupSearchFilter" value="(uid={1})"/>
<property name="searchSubtree" value="true"/>
<!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
</bean>
</constructor-arg>
</bean>
<bean id="userSearch"
class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
<constructor-arg index="0">
<value>cn=Users</value>
</constructor-arg>
<constructor-arg index="1">
<!--<value>(uid={0})</value>-->
<!--<value>(uid=test.user)</value>-->
<value>(sAMAccountName={0})</value>
</constructor-arg>
<constructor-arg index="2">
<ref local="ldapContextSource" />
</constructor-arg>
<property name="searchSubtree">
<value>true</value>
</property>
</bean>
<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
<constructor-arg value="ldaps://MyLDAPSServer:636/"/>
<!-- manager user name and password (may not be needed) -->
<property name="userDn" value="dc=mydomain,dc=com,uid=MyServiceAccount"/>
<property name="password" value="SomePasswordWithSpecialCharacters"/>
</bean>
<!-- ############ LDAP authentication ############ -->
<!-- ############ JRS Synchronizer ############ -->
<bean id="externalDataSynchronizer"
class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTExternalDataSynchronizerImpl">
<property name="externalUserProcessors">
<list>
<ref local="ldapExternalTenantProcessor"/>
<ref local="mtExternalUserSetupProcessor"/>
<!-- Example processor for creating user folder-->
<!--<ref local="externalUserFolderProcessor"/>-->
</list>
</property>
</bean>
<bean id="abstractExternalProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.AbstractExternalUserProcessor" abstract="true">
<property name="repositoryService" ref="${bean.repositoryService}"/>
<property name="userAuthorityService" ref="${bean.userAuthorityService}"/>
<property name="tenantService" ref="${bean.tenantService}"/>
<property name="profileAttributeService" ref="profileAttributeService"/>
<property name="objectPermissionService" ref="objectPermissionService"/>
</bean>
<!--
Multi-tenant configuration. For a JRS deployment with multiple
organizations, modify this bean to set up your organizations. For
single-organization deployments, comment this out and uncomment the version
below.
-->
<bean id="ldapExternalTenantProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.ldap.LdapExternalTenantProcessor" parent="abstractExternalProcessor">
<property name="ldapContextSource" ref="ldapContextSource"/>
<property name="multiTenancyService"><ref bean="internalMultiTenancyService"/></property>
<property name="excludeRootDn" value="false"/>
<!--only following LDAP attributes will be used in creation of organization hierarchy.
Eg. cn=Smith,ou=Developement,o=Jaspersoft will produce tanant Development as child of
tenant Jaspersoft (if excludeRootDn=false) as child of default tenant organization_1-->
<property name="organizationRDNs">
<list>
<value>dc</value>
<value>c</value>
<value>o</value>
<value>ou</value>
<value>st</value>
</list>
</property>
<property name="rootOrganizationId" value="organization_1"/>
<property name="tenantIdNotSupportedSymbols" value="#{configurationBean.tenantIdNotSupportedSymbols}"/>
<!-- User credentials are setup in js.externalAuth.properties-->
<property name="externalTenantSetupUsers">
<list>
<bean class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTAbstractExternalProcessor.ExternalTenantSetupUser">
<property name="username" value="${new.tenant.user.name.1}"/>
<property name="fullName" value="${new.tenant.user.fullname.1}"/>
<property name="password" value="${new.tenant.user.password.1}"/>
<property name="emailAddress" value="${new.tenant.user.email.1}"/>
<property name="roleSet">
<set>
<value>ROLE_ADMINISTRATOR</value>
<value>ROLE_USER</value>
</set>
</property>
</bean>
</list>
</property>
</bean>
<!--
Single tenant configuration. For a JRS deployment with a single
organization, uncomment this bean and configure it to set up your organization.
Comment out the multi-tenant version of ldapExternalTenantProcessor above
-->
<!--<bean id="ldapExternalTenantProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.ldap.LdapExternalTenantProcessor" parent="abstractExternalProcessor">
<property name="ldapContextSource" ref="ldapContextSource"/>
<property name="multiTenancyService"><ref bean="internalMultiTenancyService"/></property>
<property name="excludeRootDn" value="true"/>
<property name="defaultOrganization" value="organization_1"/>
</bean>-->
<bean id="mtExternalUserSetupProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
<!--Default permitted role characters; others are removed. Change regular expression to allow other chars.
<property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>-->
<property name="userAuthorityService">
<ref bean="${bean.internalUserAuthorityService}"/>
</property>
<property name="defaultInternalRoles">
<list>
<value>ROLE_USER</value>
</list>
</property>
<property name="organizationRoleMap">
<map>
<!-- Example of mapping customer roles to JRS roles -->
<entry>
<key>
<value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
</key>
<!-- JRS role that the <key> external role is mapped to-->
<value>ROLE_ADMINISTRATOR</value>
</entry>
</map>
</property>
</bean>
<!-- EXAMPLE Processor
<bean id="externalUserFolderProcessor"
class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserFolderProcessor"
parent="abstractExternalProcessor">
<property name="repositoryService" ref="${bean.unsecureRepositoryService}"/>
</bean>
-->
<!-- ############ JRS Synchronizer ############ -->
</beans>
答案 0 :(得分:0)
对于将来像我一样苦苦挣扎的人,问题是我ldapContextSource中的userDn。
正确的userDn是
<property name="userDn" value="CN=myserviceaccount,OU=my ou,DC=mydomain,DC=com"/>
我发现通过运行这个python脚本并查看输出:
from ldap3 import Server, \
Connection, \
AUTO_BIND_NO_TLS, \
SUBTREE, \
ALL_ATTRIBUTES
def get_ldap_info(u):
with Connection(Server('MyLDAPSServer', port=636, use_ssl=True),
auto_bind=AUTO_BIND_NO_TLS,
read_only=True,
check_names=True,
user='MyServiceAccount', password='SomePasswordWithSpecialCharacters') as c:
c.search(search_base='DC=mydomain,DC=com',
search_filter='(&(samAccountName=' + u + '))',
search_scope=SUBTREE,
attributes=ALL_ATTRIBUTES,
get_operational_attributes=True)
print(c.response_to_json())
print(c.result)
get_ldap_info('myserviceaccount')