We are currently running Artifactory Pro 6.23.7 in production using the Docker setup and would like to upgrade to Artifactory Pro 7.12.6.
To test this I created a clone of the production VM and followed the upgrade instructions here. Artifactory starts successfully, but when trying to login with my LDAP user I get several errors in the logs such as
2021-01-20T10:34:25.910Z [jfac ] [INFO ] [25da744de0923216] [j.a.s.s.t.TokenServiceImpl:438] [27.0.0.1-8040-exec-3] - Deleted 1 tokens with user: 'sebastian.gerau' and scope 'authentication:remember-me'.
2021-01-20T10:34:26.311Z [jfrt ] [WARN ] [4fdb3eea5a082893] [o.a.s.l.LdapServiceImpl:232 ] [http-nio-8081-exec-9] - No search filter defined.
2021-01-20T10:34:26.312Z [jfrt ] [WARN ] [4fdb3eea5a082893] [o.a.s.l.LdapServiceImpl:138 ] [http-nio-8081-exec-9] - Cannot find user: 'sebastian.gerau', LDAP settings not valid
2021-01-20T10:34:26.306Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:232 ] [http-nio-8081-exec-8] - No search filter defined.
2021-01-20T10:34:26.317Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:138 ] [http-nio-8081-exec-8] - Cannot find user: 'sebastian.gerau', LDAP settings not valid
2021-01-20T10:34:26.319Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:232 ] [ttp-nio-8081-exec-10] - No search filter defined.
2021-01-20T10:34:26.322Z [jfrt ] [WARN ] [7853637b73ed5693] [o.a.s.l.LdapServiceImpl:138 ] [ttp-nio-8081-exec-10] - Cannot find user: 'sebastian.gerau', LDAP settings not valid
2021-01-20T10:34:26.337Z [jfrt ] [WARN ] [4fdb3eea5a082893] [o.a.s.l.LdapUtils:116 ] [http-nio-8081-exec-9] - Updating user: 'sebastian.gerau' after LDAP login authentication failure
I also see a popup with the message "This request is blocked due to recurrent login failures, please try again in # seconds."
It's possible to login using the local admin user. Doing so I was able to confirm that the LDAP configuration does indeed match that of the production system and that a LDAP connection test succeeds with the exact same user that failed during login.
The questions are:
Has anyone encountered the same or a similar issue when upgrading from 6.x to 7.x?
What could cause this behavior, i.e. the connection
test succeeds but login fails - all with the same user?
What would cause these recurrent login failures?
I tried adding the search filter (mentioned in the log output), checked the LDAP logs (all looks good there), and even deleted and recreated the LDAP config from scratch. Nothing seems to change the behavior. Also, there is nothing in the service logs that would indicate a problem.
I had the same problem with the OSS version. So I downloaded the source and found this snippet:
private boolean validateLdapSettings(LdapSetting ldapSetting) {
if (ldapSetting == null) {
log.warn("No LDAP settings defined.");
return false;
}
if (!ldapSetting.isEnabled()) {
log.warn("LDAP settings not enabled.");
return false;
}
if (ldapSetting.getSearch() == null || isBlank(ldapSetting.getSearch().getSearchFilter())) {
log.warn("No search filter defined.");
return false;
}
return true;
}
Clearly the search filter is the culprit. It has apparently become non-optional.
So I added the catch-all: (objectClass=*) as a search filter. And now another error turned up:
2021-02-01T10:14:33.583Z [jfrt ] [WARN ] [1543ce38d0eaacb5] [o.a.s.l.LdapServiceImpl:208 ] [http-nio-8081-exec-9] - Unexpected exception in LDAP query: for user: 'niklas' vid LDAP: [LDAP: error code 50 - Insufficient Access Rights]; nested exception is javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name '/'
This time I needed to check at the LDAP server end, and it seems the validation is done as a separate request with starting from the top level, where, true enough, the users don't have permission . So, add a base where they do, for me that was ou=accounts. A new error!
2021-02-01T10:29:02.963Z [jfrt ] [WARN ] [76943ac7c75c40f2] [o.a.s.l.LdapServiceImpl:208 ] [http-nio-8081-exec-6] - Unexpected exception in LDAP query: for user: 'niklas' vid LDAP: Incorrect result size: expected 1, actual 57
So the search filter must be limited to only find the user entry. so I changed it to be (uid={0})
TADA! Now it worked.
Related
Got Ldap context on server
This is a part of Debug message.Was the first bind successful?
2X Mar 201X 15:36:36,880 DEBUG [ambari-client-thread-37] FilterBasedLdapUserSearch:115 - Searching for user 'XXXX', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=posixAccount))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2X Mar 201X 15:36:36,917 DEBUG [ambari-client-thread-37] AbstractContextSource:349 - Got Ldap context on server 'ldap://rXXX92.corp.XXX.com:389/DC=corp,DC=XXX,DC=com'
2X Mar 201X 15:36:36,929 DEBUG [ambari-client-thread-37] DefaultAuthenticationEventPublisher:94 - No event was found for the exception org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException
2X Mar 201X 15:36:36,929 DEBUG [ambari-client-thread-37] AmbariBasicAuthenticationFilter:185 - Authentication request for failed: org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException: Unable to sign in. Invalid username/password combination.
No.
Looks like LDAP credentials are wrong: "Unable to sign in. Invalid username/password combination"
I implemented a REST api in django with django-rest-framework,on localhost working fine with successful results.
When pushing this up to an existing AWS elastic beanstalk instance, I received:
{
"detail": "Authentication credentials were not provided."
}
For solution I followed this question : Authorization Credentials Stripped
But when I push mycode on aws EB I am getting this error :
Pipeline failed with error "Service:AmazonRDS, is not authorized to perform: rds:DescribeDBEngineVersions"
I tried lots of solutions but every time I am getting this error.
Note: I am using python3.6
I got the answer of my problem.
I set the RDS policy and create new custom_wsgi.config file on .ebextensions directory and write command :
files:
"/etc/httpd/conf.d/wsgihacks.conf":
mode: "000644"
owner: root
group: root
content: |
WSGIPassAuthorization On
I Have a cluster which is kerbroized ,i have installed drill in another server and i am trying to use hive which is part of kerbrorized cluster .
As part of hive i have put below configuration on my drill-override.conf
drill.exec: {
security: {
# user.auth.enabled:true,
auth.mechanisms:["KERBEROS"],
auth.principal:"xxxx/xxxxxxxx",
auth.keytab:"/xxx/xxxx/drill.keytab"
drill.exec.http.ssl_enabled="true"
}
}
drill.exec:
{
cluster-id: "drillbits1",
zk.connect: "localhost:2181"
}
when i am accessing hive from drill ui ,getting below errors:
2017-04-07 12:32:48,322 [2718c667-5587-b307-58f7-b673e29b7dbf:frag:0:0] WARN o.a.d.e.s.h.schema.HiveSchemaFactory - Failure while getti
ng Hive database list.
org.apache.thrift.TException: java.util.concurrent.ExecutionException: MetaException(message:Got exception: org.apache.thrift.transport.
TTransportException null)
I have tried with drill version:1.5.0,1.10.0
Appriciate any help to resolve this issue.
The configuration you have mentioned inside drill-override.conf is for DrillClient to Drillbit connection using kerberos.
For Hive, I don't think we have tried it before, but based on some research I think you can try to add below in your Drill Hive Storage Plugin. Also make sure that you have generated a kerberos ticket on the Drillbit node using kinit command for the process user which you are using to run Drillbit. Please try and let us if it helps.
{
"type": "hive",
"enabled": true,
"configProps": {
"hive.metastore.uris": "thrift://<metastore_ip:port>",
"hive.metastore.sasl.enabled": "true",
"hive.metastore.kerberos.principal": "<metastore_kerberos_principal"
}
}
I am trying to use AD authentication. I am able to login successfully but i am not authorized to perform any query in marvel.
Everytime i execute query in marvel, i get the following error.Below are the details
{
"error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
"status": 403
}
elasticsearch.yml (C:\ES\elasticsearch-1.4.4\config)
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
user_dn_templates:
- "cn={0}, dc=tavant, dc=in"
group_search:
base_dn: "dc=tavant,dc=in"
files:
role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"
role_mapping.yml (C:\ES\elasticsearch-1.4.4\config\shield).
Copied the same file in Node(C:\ES\elasticsearch-1.4.4\data\elasticsearch\nodes\0)
admin:
- "cn=users, dc=tavant,dc=in"
roles.yml
admin:
cluster: all
indices:
'*': all
UPDATE
As per Jaymode suggestion, I added the shield.auth: debug.
Below is the log (Which i thought would be useful)
[2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in,
[2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
EDIT 2: Based on your log message, you probably want to use the following mapping
admin:
- "CN=Users,CN=Builtin,DC=tavant,DC=in"
EDIT: I think I see your issue. In your role_mapping.yml you have:
admin:
- "cn=users, dc=tavant,dc=tavant"
It should most likely be:
admin:
- "cn=users,dc=tavant,dc=in"
I wonder if the DN you are using for role mapping is correct and is being retrieved. If you set debug logging the list of groups that are found for the user will be logged. To enable debug logging, edit the C:\ES\elasticsearch-1.4.4\config\logging.yml file:
...
logger:
# Add the line below
shield.authc: DEBUG
...
The log line will look something like this: the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]
In that line you will find the actual list of group DNs that are retrieved. Also, your realm configuration can be simplified to the following:
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
The other settings actually appear to just specify what would be the default values if they are not specified.
The error:(occurring in the prod env)
request.CRITICAL: PDOException: SQLSTATE[28000] [1045] Access denied for user 'root'#'localhost' (using password: YES) (uncaught exception) at /srv/inta/current/vendor/doctrine-dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php line 36 [] []
What I've tried so far
The weird thing is that I actually have access using the root user, and the provided password. Logging in as root via the console works great.
I'm using the following parameters.yml file located in app/config/
parameters:
database_driver: pdo_mysql
database_host: localhost
database_port: ~
database_name: int_apartments
database_user: root
database_password: pw goes here
mailer_transport: smtp
mailer_host: localhost
mailer_user: ~
mailer_password: ~
locale: en
secret: ThisTokenIsNotSoSecretChangeIt
As you can see, it is quite standard with only the name of the db, user and password changed.
In my config.yml located in app/config (the relevant portions)
imports:
- { resource: security.yml }
- { resource: parameters.yml }
...
doctrine:
dbal:
driver: %database_driver%
host: %database_host%
port: %database_port%
dbname: %database_name%
user: %database_user%
password: %database_password%
charset: UTF8
dbname: int_apartments
orm:
auto_generate_proxy_classes: %kernel.debug%
auto_mapping: true
mappings:
StofDoctrineExtensionsBundle: false
Now, I wanted to start at "step 1" and verify that the parameters.yml file is actually being imported, so I changed the host to "localhos" or the user to "tom" or whatever and the error message located in app/logs/prod.log stays exact as is - the location doesn't change and the user doesn't change.
So I checked my config_prod.yml located in app/config
imports:
- { resource: config.yml }
#doctrine:
# metadata_cache_driver: apc
# result_cache_driver: apc
# query_cache_driver: apc
monolog:
handlers:
main:
type: fingers_crossed
action_level: error
handler: nested
nested:
type: stream
path: %kernel.logs_dir%/%kernel.environment%.log
level: debug
...and everything seems standard!
Summary of what's going on
So here is the quick version.
Authentication error exists for root#localhost
Verified my authentication creditials by logging in as that user via the console
Want to check if the parameters.yml file is being loaded
Changed some values - none affected the error message
(small)Edit:
What I actually want to do is to connect to the DB as a completely different user with a different password. Even when I enter different credentials into my parameters.yml file, doctrine still spits out the "root#localhost" error.
Ideas?
Silly mistake, seems due to a bad user/group/owner configuration on the server.
the app/cache directory is owned by "root", but when I run
app/console cache:clear --env=prod --no-debug
I am running as another user (not root). So there were issues in clearing the cache and doctrine seems to have been using a very old configuration located in the cache files.
Lessons learned:
Always try running as root (as a last resort)
Use a properly configured web server to avoid ownership issues
I solved my problem by renaming the prod folder i uploaded to prod_old because the system could not delete the folder for some reason.