wildfly / eap domain mode remoting ldap authentication

Time: 2018-04-06 15:14:59

Tags: jboss ldap jmx remoting jconsole

I have a question about WildFly 10/11/12. I successfully set up WF in domain mode with full AD authentication via HTTP management. I cannot get the remoting port 4447 to use AD authentication. I tested with the local mgmt-users.properties and mgmt-groups.properties and everything works.

Now I am testing this:

1) LDAP works for http://127.0.0.1:9990/console/ (my user has all the AD groups)

2) LDAP works with jconsole service:jmx:remote+http://127.0.0.1:9990 (domain controller)

3) Does not work with AD authentication, while with local mgmt-users everything works: service:jmx:remote+http://127.0.0.1:4447 and service:jmx:remote://127.0.0.1:4447

Why do I need this? I need to monitor the datasource statistics of each server. Monitoring the HC does not give me this data. This configuration uses 2 LDAPs: one for HTTP management and another for testing the remoting port (RemotingRealm). Could you help me set up the two LDAPs?

I used this method to enable remoting in domain mode: https://kb.novaordis.com/index.php/JMX_Access_to_Domain_Mode_EAP_7_Server_Node

Complete domain and host files:

https://tomashermanek.cz/download/domain.xml

https://tomashermanek.cz/download/host.xml


domain.xml

...
    <management>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <group name="_wildfly_adm"/>
                    </include>
                </role>
                <role name="Administrator">
                    <include>
                        <group name="_wildfly_adm"/>
                    </include>
                </role>
                <role name="Auditor">
                    <include>
                        <group name="_wildfly_audit"/>
                    </include>
                </role>
                <role name="Deployer">
                    <include>
                        <group name="_wildfly_deploy"/>
                    </include>
                </role>
                <role name="Maintainer">
                    <include>
                        <group name="_wildfly_maintain"/>
                    </include>
                </role>
                <role name="Monitor">
                    <include>
                        <group name="_wildfly_monit"/>
                    </include>
                </role>
                <role name="Operator">
                    <include>
                        <group name="_wildfly_ops"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>
...
            <subsystem xmlns="urn:jboss:domain:jmx:1.3">
                <expose-resolved-model/>
                <expose-expression-model/>
                <remoting-connector use-management-endpoint="false"/>
                <sensitivity non-core-mbeans="true"/>
            </subsystem>
            <subsystem xmlns
...
            <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
                <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
            </subsystem>
...
    <socket-binding-groups>
        <socket-binding-group name="ha-sockets" default-interface="public">
            <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
            <socket-binding name="http" port="${jboss.http.port:8080}"/>
            <socket-binding name="https" port="${jboss.https.port:8443}"/>
            <socket-binding name="jgroups-mping" interface="private" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
            <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
            <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
            <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
            <socket-binding name="txn-recovery-environment" port="4712"/>
            <socket-binding name="txn-status-manager" port="4713"/>
            <socket-binding name="remoting" port="4447"/>
            <outbound-socket-binding name="mail-smtp">
                <remote-destination host="localhost" port="25"/>
            </outbound-socket-binding>
        </socket-binding-group>

host.xml

...
            <security-realm name="LdapRealm">
                <authentication>
                    <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
                        <username-filter attribute="sAMAccountName"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="ldap">
                        <group-search group-dn-attribute="cn" group-name-attribute="cn">
                            <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=Groups,OU=Corp-Restricted,DC=example,DC=internal">
                                <membership-filter principal-attribute="member"/>
                            </group-to-principal>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>
            <security-realm name="RemotingRealm">
                <authentication>
                    <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
                        <username-filter attribute="sAMAccountName"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="ldap">
                        <group-search group-dn-attribute="cn" group-name-attribute="cn">
                            <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=Groups,OU=Corp-Restricted,DC=example,DC=internal">
                                <membership-filter principal-attribute="member"/>
                            </group-to-principal>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>
        </security-realms>
        <outbound-connections>
            <ldap name="ldap" url="ldap://ldap.server.one">
                <properties>
                    <property name="java.naming.security.principal" value="search_user"/>
                    <property name="java.naming.security.credentials" value="password" />
                    <property name="java.naming.security.authentication" value="simple" />
                </properties>
            </ldap>
        </outbound-connections>
...
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="LdapRealm">
                <http-upgrade enabled="true"/>
                <socket interface="management" port="${jboss.management.http.port:9990}"/>
            </http-interface>
        </management-interfaces>

Log from server dev-001

2018-04-06 15:26:16,598 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = tomas.hermanek
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Performing recursive search
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,621 TRACE [org.wildfly.security] (default task-1) Principal assigning: [tomas.hermanek], pre-realm rewritten: [tomas.hermanek@RemotingRealm], realm name: [PLAIN], post-realm rewritten: [tomas.hermanek@RemotingRealm], realm rewritten: [tomas.hermanek@RemotingRealm]
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Performing recursive search
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,641 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05013: Authentication mechanism password not verified
    at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:127)
    at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
    at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
    at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
    at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:745)

2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection

1 answer:

Answer 0: (score: 0)

If LdapRealm is the same as RemotingRealm, and it still doesn't work even when you replace RemotingRealm with LdapRealm, then this seems to be a bug.
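Before treating a failure like the one above as a server bug, it is worth confirming mechanically that the two files are wired the way the question assumes: that every security-realm named by a connector or management interface is actually defined in host.xml, that the LDAP outbound connection each realm points at exists, and that LdapRealm and RemotingRealm really are identical apart from their names (the premise of the answer). The script below is an added example, not code from the question's author or from WildFly; it parses constructed host.xml and domain.xml fragments modelled on the ones posted, with ApplicationRealm deliberately left undefined so that a dangling reference shows up. It also flags two hygiene points visible in the posted host.xml: the bind password stored as a literal property value and an ldap:// URL, over which the search user's credentials and every authenticating user's password travel in cleartext.

```python
"""Lint the realm wiring of a WildFly/EAP domain-mode host.xml + domain.xml pair."""
import copy
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the question (not the author's real files).
# ApplicationRealm is deliberately not defined so the dangling reference is found.
HOST_XML = """<host xmlns="urn:jboss:domain:5.0"><management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication><local default-user="$local"/></authentication>
    </security-realm>
    <security-realm name="LdapRealm">
      <authentication>
        <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
    </security-realm>
    <security-realm name="RemotingRealm">
      <authentication>
        <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
  <outbound-connections>
    <ldap name="ldap" url="ldap://ldap.server.one"><properties>
      <property name="java.naming.security.principal" value="search_user"/>
      <property name="java.naming.security.credentials" value="password"/>
    </properties></ldap>
  </outbound-connections>
  <management-interfaces>
    <native-interface security-realm="ManagementRealm"/>
    <http-interface security-realm="LdapRealm"/>
  </management-interfaces>
</management></host>"""

DOMAIN_XML = """<domain xmlns="urn:jboss:domain:5.0"><profiles><profile name="ha">
  <subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
  </subsystem>
</profile></profiles></domain>"""


def strip_ns(root: ET.Element) -> ET.Element:
    """Drop the urn:jboss:domain:* namespaces so tags match by local name."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def defined_realms(host: ET.Element) -> dict:
    return {r.get("name"): r for r in host.iter("security-realm")}


def referenced_realms(*roots: ET.Element) -> dict:
    """Map each realm named in a security-realm attribute to the tags using it."""
    refs: dict = {}
    for root in roots:
        for el in root.iter():
            if el.get("security-realm"):
                refs.setdefault(el.get("security-realm"), []).append(el.tag)
    return refs


def lint(host_xml: str, domain_xml: str) -> list:
    host = strip_ns(ET.fromstring(host_xml))
    domain = strip_ns(ET.fromstring(domain_xml))
    findings = []
    realms = defined_realms(host)
    for name, users in referenced_realms(host, domain).items():
        if name not in realms:
            findings.append(f"undefined realm '{name}' referenced by {', '.join(users)}")
    # Outbound connections carry a url; the <ldap connection=".."> inside realms do not.
    conns = {c.get("name"): c for c in host.iter("ldap") if c.get("url")}
    for cname, conn in conns.items():
        if conn.get("url", "").startswith("ldap://"):
            findings.append(f"connection '{cname}' uses cleartext {conn.get('url')}")
        for prop in conn.iter("property"):
            if (prop.get("name") == "java.naming.security.credentials"
                    and not prop.get("value", "").startswith("${")):  # not a vault expression
                findings.append(f"connection '{cname}' carries a literal bind password")
    for rname, realm in realms.items():
        for ldap in realm.iter("ldap"):
            if ldap.get("connection") not in conns:
                findings.append(f"realm '{rname}' uses unknown ldap connection '{ldap.get('connection')}'")
    return findings


def canonical(el: ET.Element) -> tuple:
    """Order-independent fingerprint of a subtree: (tag, sorted attrs, sorted children)."""
    return (el.tag, tuple(sorted(el.attrib.items())), tuple(sorted(canonical(c) for c in el)))


def same_definition(host_xml: str, realm_a: str, realm_b: str) -> bool:
    """True when two realms are configured identically apart from their name."""
    realms = defined_realms(strip_ns(ET.fromstring(host_xml)))
    fps = []
    for name in (realm_a, realm_b):
        r = copy.deepcopy(realms[name])
        r.attrib.pop("name", None)
        fps.append(canonical(r))
    return fps[0] == fps[1]


if __name__ == "__main__":
    for line in lint(HOST_XML, DOMAIN_XML):
        print("FINDING:", line)
    print("LdapRealm == RemotingRealm:", same_definition(HOST_XML, "LdapRealm", "RemotingRealm"))
```

Run against real files, replace the two constants with the contents of host.xml and domain.xml (the namespace stripping handles whichever urn:jboss:domain version the files declare). An empty findings list plus a `True` from `same_definition` means the wiring matches the question's description and the remaining difference really is in how the remoting connector, rather than the HTTP interface, drives the realm.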