
WSO2 Identity Server - Active Directory Integration - Change Password Issue

So, I've been testing with the latest version of WSO2 IS (5.3.0), which is only running locally on a laptop.

I've set up the AD integration and, using Delegated Control, set up the LDAP bind account user to reset passwords on a specific OU and the objects within it. The same LDAP bind account is also configured as the Internal/admin account.

When either of the two users in that specific OU logs in, they can change their password. The admin account I'm using can find them, but cannot change their passwords (in AD terms, "RESET PASSWORD", even though it should be able to).

Here's my user-mgt.xml (I've removed the big commented-out chunks):

    <UserManager>
        <Realm>
            <Configuration>
                <AddAdmin>true</AddAdmin>
                <AdminRole>admin</AdminRole>
                <AdminUser>
                    <UserName>ADMIN</UserName>
                    <Password>PASSWORD</Password>
                </AdminUser>
                <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
                <Property name="isCascadeDeleteEnabled">false</Property>
                <!-- <Property name="initializeNewClaimManager">true</Property> -->
                <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
            </Configuration>

            <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
                <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
                <!-- <Property name="AnonymousBind">false</Property> -->
                <Property name="BackLinksEnabled">true</Property>
                <Property name="ConnectionName">CN=ADMIN,OU=DEPARTMENT,OU=USERS,DC=EXAMPLE,DC=COM</Property>
                <Property name="ConnectionPassword">PASSWORD</Property>
                <!-- <Property name="ConnectionPoolingEnabled">false</Property> -->
                <Property name="ConnectionURL">LDAPS://DC.EXAMPLE.COM:636</Property>
                <Property name="defaultRealmName">EXAMPLE.COM</Property>
                <Property name="DisplayNameAttribute">sAMAccountName</Property>
                <Property name="EmptyRolesAllowed">true</Property>
                <Property name="GroupEntryObjectClass">group</Property>
                <Property name="GroupNameAttribute">cn</Property>
                <Property name="GroupNameListFilter">(objectcategory=group)</Property>
                <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
                <Property name="GroupSearchBase">OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=COM</Property>
                <Property name="isADLDSRole">false</Property>
                <Property name="IsBulkImportSupported">false</Property>
                <Property name="kdcEnabled">false</Property>
                <Property name="LDAPConnectionTimeout">5000</Property>
                <Property name="MaxRoleNameListLength">100</Property>
                <Property name="MaxUserNameListLength">100</Property>
                <!-- <Property name="MemberOfAttribute">memberOf</Property> -->
                <Property name="MembershipAttribute">member</Property>
                <Property name="MultiAttributeSeparator">,</Property>
                <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
                <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
                <!-- <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property> -->
                <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
                <Property name="ReadGroups">true</Property>
                <Property name="ReadTimeout"/>
                <Property name="Referral">follow</Property>
                <Property name="RetryAttempts"/>
                <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="SCIMEnabled">false</Property>
                <!-- <Property name="userAccountControl">512</Property> -->
                <Property name="userAccountControl">66048</Property>
                <Property name="UserEntryObjectClass">user</Property>
                <Property name="UserNameAttribute">sAMAccountName</Property>
                <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <!-- <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property> -->
                <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="UserNameListFilter">(objectClass=user)</Property>
                <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(sAMAccountName=?))</Property>
                <Property name="UserRolesCacheEnabled">true</Property>
                <Property name="UserSearchBase">OU=EXAMPLE Users,DC=EXAMPLE,DC=COM</Property>
                <Property name="WriteGroups">false</Property>
            </UserStoreManager>

            <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
                <Property name="AdminRoleManagementPermissions">/permission</Property>
                <Property name="AuthorizationCacheEnabled">true</Property>
                <Property name="GetAllRolesOfUserEnabled">true</Property>
            </AuthorizationManager>
        </Realm>
    </UserManager>

Here's my debug output:

[2017-08-18 17:00:02,466] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache miss for username : ADMIN resource /permission/admin/manage/identity/usermgt/update action : ui.execute
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Allowed roles for the ResourceID: /permission/admin/manage/identity/usermgt/update Action: ui.execute
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  role: INTERNAL/admin
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Roles which have permission for resource : /permission/admin/manage/identity/usermgt/update action : ui.execute
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Role :  INTERNAL/admin
[2017-08-18 17:00:02,467] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  ADMIN user has permitted resource :  /permission/admin/manage/identity/usermgt/update, action :ui.execute
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache miss for username : username01 resource /permission action : ui.execute
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Allowed roles for the ResourceID: /permission Action: ui.execute
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  role: INTERNAL/admin
[2017-08-18 17:00:02,468] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Roles which have permission for resource : /permission action : ui.execute
[2017-08-18 17:00:02,469] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Role :  INTERNAL/admin
[2017-08-18 17:00:02,469] DEBUG {org.wso2.carbon.user.core.common.AbstractUserStoreManager} -  Retrieving internal roles for user name :  username01 and search filter *
[2017-08-18 17:00:02,470] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user username01
[2017-08-18 17:00:02,544] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase: 
[2017-08-18 17:00:02,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Name in space for username01 is CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM
[2017-08-18 17:00:02,549] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: username01 exist: true
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Escaped DN value for filter : CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Reading roles with the membershipProperty Property: member
[2017-08-18 17:00:02,550] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Result for searchBase: OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM searchFilter: (&(objectcategory=group)(member=CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM)) property:cn appendDN: false
[2017-08-18 17:00:02,627] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  username01 user has permitted resource :  /permission, action :ui.execute
[2017-08-18 17:00:02,627] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  username01 user is not Authorized to perform ui.execute on /permission
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache miss for username : username01 resource /permission/admin action : ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Allowed roles for the ResourceID: /permission/admin Action: ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  role: INTERNAL/admin
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Roles which have permission for resource : /permission/admin action : ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Role :  INTERNAL/admin
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  username01 user has permitted resource :  /permission/admin, action :ui.execute
[2017-08-18 17:00:02,628] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  username01 user is not Authorized to perform ui.execute on /permission/admin
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user username01
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  value after escaping special characters in username01 : username01
[2017-08-18 17:00:02,640] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: username01 exist: true
[2017-08-18 17:00:02,681] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} -  value after escaping special characters in USER NAME01 : USER NAME01
[2017-08-18 17:00:02,687] DEBUG {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} -  Can not access the directory service for user : username01
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
    'OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM'
]; remaining name 'CN=USER NAME01'

    ...

[2017-08-18 17:00:02,970] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache miss for username : ADMIN resource /permission/admin/login action : ui.execute
[2017-08-18 17:00:02,971] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Allowed roles for the ResourceID: /permission/admin/login Action: ui.execute
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  role: INTERNAL/admin
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  role: INTERNAL/everyone
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Roles which have permission for resource : /permission/admin/login action : ui.execute
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Role :  INTERNAL/admin
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Role :  INTERNAL/everyone
[2017-08-18 17:00:02,972] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  ADMIN user has permitted resource :  /permission/admin/login, action :ui.execute

(Hopefully I've sanitized these enough...)

When one of those users logs in and successfully changes their password, the log looks like this:

[2017-08-18 17:21:27,471] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user username01
[2017-08-18 17:21:27,472] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,472] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: username01 exist: true
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: username01 exist: true
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,474] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: username01 exist: true
[2017-08-18 17:21:27,534] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase: 
[2017-08-18 17:21:27,535] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Requesting attribute :ref
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user username01
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  value after escaping special characters in username01 : username01
[2017-08-18 17:21:27,547] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: username01 exist: true
[2017-08-18 17:21:27,627] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Searching for user with SearchFilter: (&(objectClass=person)(sAMAccountName=username01)) in SearchBase: 
[2017-08-18 17:21:27,627] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Requesting attribute :accountLock
[2017-08-18 17:21:27,632] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Authenticating user username01
[2017-08-18 17:21:27,632] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Cache hit. Using DN CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM
[2017-08-18 17:21:27,705] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM is authnticated: true
[2017-08-18 17:21:27,712] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Authenticating user username01
[2017-08-18 17:21:27,712] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  Cache hit. Using DN CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM
[2017-08-18 17:21:27,783] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  User: CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE Users,DC=EXAMPLE,DC=COM is authnticated: true
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/users
[2017-08-18 17:21:28,031] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/passwords
[2017-08-18 17:21:28,032] DEBUG {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Authorization cache hit. username01 user is not Authorized to perform ui.execute on /permission/admin/manage/identity/usermgt/profiles

And I've confirmed that the password does actually change in AD by simply running: Get-ADUser username01 -Properties *

Anyway, can anyone point out what's wrong? We have a partner who is setting up a production version of this product for us and their users, and while they have other issues (hence me setting up my own local version to help test), they are able to let users log in and change their own passwords, and to have that ADMIN user log in and change those two users' passwords.

I even tried copying their user-mgt.xml into my local instance, but that didn't work either. I think the production version is 5.1.0 whereas mine is 5.3.0, but that may be relevant.

Help?
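The NO_OBJECT exception in the debug output above addresses `CN=USER NAME01` directly under the search base, while the earlier "Name in space" line resolves the same user one OU deeper. The following check, an added example that is not part of the original question or of WSO2's own code, pulls `UserSearchBase` out of a user-mgt.xml fragment and the resolved DN out of that debug line, then reports how many container levels separate the two; the XML fragment and log line are constructed from the values shown in the question.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment with only the relevant property from the question's user-mgt.xml
USER_MGT_XML = """<UserManager><Realm>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="UserSearchBase">OU=EXAMPLE Users,DC=EXAMPLE,DC=COM</Property>
</UserStoreManager></Realm></UserManager>"""

# Constructed copy of the 'Name in space' debug line from the question
LOG_LINE = ("[2017-08-18 17:00:02,547] DEBUG {org.wso2.carbon.user.core.ldap."
            "ReadOnlyLDAPUserStoreManager} -  Name in space for username01 is "
            "CN=USER NAME01,OU=DEPARTMENT,OU=EXAMPLE USERS,DC=EXAMPLE,DC=COM")

def property_value(xml_text, name):
    """Return the text of the <Property name="..."> element with that name."""
    for prop in ET.fromstring(xml_text).iter("Property"):
        if prop.get("name") == name:
            return (prop.text or "").strip()
    raise KeyError(name)

def split_dn(dn):
    """Lower-cased RDNs: AD DNs compare case-insensitively, so the log's 'EXAMPLE USERS' matches the config's 'EXAMPLE Users'."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]

def resolved_dn(log_line):
    """Pull the full entry DN out of a 'Name in space for <user> is <DN>' line."""
    m = re.search(r"Name in space for \S+ is (.+)$", log_line)
    if not m:
        raise ValueError("not a 'Name in space' debug line")
    return m.group(1).strip()

def depth_below_base(entry_dn, search_base):
    """Container levels between the entry's parent and the search base; None if the entry is not under the base at all."""
    entry, base = split_dn(entry_dn), split_dn(search_base)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return None
    return len(entry) - len(base) - 1

def diagnose(xml_text=USER_MGT_XML, log_line=LOG_LINE):
    base, dn = property_value(xml_text, "UserSearchBase"), resolved_dn(log_line)
    depth = depth_below_base(dn, base)
    if depth is None:
        return "entry %s is outside UserSearchBase %s" % (dn, base)
    if depth == 0:
        return "entry is a direct child of the search base: %s" % dn
    # The NO_OBJECT error in the question shows the reset addressing 'CN=USER NAME01' directly under the base
    rdns = dn.split(",")
    return "entry is %d level(s) below the search base (under %s); addressing it as %s,%s gives NO_OBJECT" % (
        depth, ",".join(rdns[1:1 + depth]), rdns[0], base)
```

Run `diagnose()` against your own user-mgt.xml text and the matching debug line to see whether the user sits directly under the configured search base.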

Does the CN=ADMIN,OU=DEPARTMENT,OU=USERS,DC=EXAMPLE,DC=COM user have permission in AD to change other users' passwords? As a best practice, create a user with domain control permissions and try again.

Regards, Tayyab
