Encrypted ldap.bindPassword fails to decrypt when re-encrypted (9.1.0)

  • SonarQube version 9.1.0
  • Deployed to Kubernetes using Helm chart

We are currently running SonarQube version 9.1.0, which has been upgraded from the last version used, 8.9.2.

In order to prepare for eventualities, we are currently testing (using a community image) that we are able to:

  1. Start from scratch, if need be
  2. Change the LDAP bind password, if that needs to happen

And this is where it gets strange.

We are able to copy the existing key and reuse that in our test, together with the current encrypted ldap.bindPassword. This enables LDAP, and all things are rolling.

The current encrypted value is of the form {aes}somechars.

If we then use the same bindPassword (original, not encrypted) and try to encrypt it again, we get an encrypted value like this: {aes-gcm}morethansomechars. We then proceed to change the existing ldap.bindPassword to the newly encrypted password, and then restart SonarQube.

This fails with the following error messages:

2021.10.07 02:41:32 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection: FAIL
2021.10.07 02:41:32 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
	at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
	at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
	at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
	at org.picocontainer.behaviors.Stored.start(Stored.java:110)
	at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
	at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
	at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
	at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
	at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:575)
	at org.sonar.server.platform.PlatformImpl.start(PlatformImpl.java:213)
	at org.sonar.server.platform.PlatformImpl.startLevel34Containers(PlatformImpl.java:187)
	at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$0(PlatformImpl.java:120)
	at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
	at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:120)
	at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.sonar.auth.ldap.LdapException: Unable to open LDAP connection
	at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:214)
	at org.sonar.auth.ldap.LdapRealm.init(LdapRealm.java:63)
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:87)
	... 18 common frames omitted
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]
	at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3259)
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2905)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:280)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115)
	at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
	at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
	at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
	at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.sonar.auth.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:137)
	at org.sonar.auth.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:95)
	at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:210)
	... 20 common frames omitted

AcceptSecurityContext error, data 52e seems to mean “bad password”.

If we revert to the old encrypted value, it returns to a running state.

If we create a new encryption key, change the sonar-secret.txt to match and do not change the ldap.bindPassword, we get an error decrypting the “working” password.

If we create a new encryption key, change the sonar-secret.txt to match, then generate a new ldap.bindPassword and update that value, it fails with the above provided error message.

Reverting back to the previously (and originally) created sonar-secret.txt and ldap.bindPassword returns everything to a running state.

We must be missing something here :blush:… Any help would be highly appreciated :heart:
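As an added example, not part of the post above and not SonarQube's own code: a small Go program that decrypts both value formats offline with the key from sonar-secret.txt, so a re-encrypted {aes-gcm} value can be checked against the working {aes} one before SonarQube is restarted. It assumes the formats as I understand them from SonarQube's org.sonar.api.config.internal cipher classes (treat that as an assumption and verify against the source for your version): sonar-secret.txt holds a base64-encoded AES key; {aes} values are AES/ECB with PKCS#5 padding, base64; {aes-gcm} values are a 12-byte random IV followed by the AES-GCM ciphertext and 128-bit tag, base64. The key, password and all function names are constructed for this example. It also shows why a re-encrypted value never matches the old one as a string: the GCM format draws a fresh IV on every encryption, which is expected and not an error; the only thing worth comparing is the decrypted plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Formats assumed in the lead-in: {aes} = AES/ECB/PKCS5Padding; {aes-gcm} = 12-byte IV || AES-GCM ciphertext+tag; both base64.
const prefixECB, prefixGCM, gcmIVLen = "{aes}", "{aes-gcm}", 12

// LoadKey decodes the contents of sonar-secret.txt: a base64 AES key, usually followed by a newline.
func LoadKey(secretFile string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.TrimSpace(secretFile))
}

// EncryptECB builds a legacy {aes} value; deterministic, so the same password under the same key gives the same string.
func EncryptECB(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#5: every pad byte equals the pad length
	buf := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	for i := 0; i < len(buf); i += aes.BlockSize {
		block.Encrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	return prefixECB + base64.StdEncoding.EncodeToString(buf), nil
}

// EncryptGCM builds an {aes-gcm} value with a fresh random IV, so every call yields a different but equally valid string.
func EncryptGCM(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	iv := make([]byte, gcmIVLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	return prefixGCM + base64.StdEncoding.EncodeToString(gcm.Seal(iv, iv, []byte(plaintext), nil)), nil
}

// Decrypt recovers the plaintext of a value in either format; a wrong key fails the GCM tag or the padding check.
func Decrypt(key []byte, value string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if strings.HasPrefix(value, prefixGCM) {
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, prefixGCM))
		if err != nil || len(raw) < gcmIVLen {
			return "", fmt.Errorf("malformed {aes-gcm} value: %v", err)
		}
		gcm, _ := cipher.NewGCM(block)
		plain, err := gcm.Open(nil, raw[:gcmIVLen], raw[gcmIVLen:], nil) // fails on wrong key or altered value
		return string(plain), err
	}
	if !strings.HasPrefix(value, prefixECB) {
		return "", fmt.Errorf("value has neither {aes} nor {aes-gcm} prefix")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, prefixECB))
	if err != nil || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("malformed {aes} value: %v", err)
	}
	for i := 0; i < len(raw); i += aes.BlockSize {
		block.Decrypt(raw[i:i+aes.BlockSize], raw[i:i+aes.BlockSize])
	}
	pad := int(raw[len(raw)-1]) // PKCS#5: the last byte gives the pad length
	if pad == 0 || pad > aes.BlockSize || !bytes.HasSuffix(raw, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS#5 padding (wrong key?)")
	}
	return string(raw[:len(raw)-pad]), nil
}

// SamePlaintext reports whether two encrypted values (either format) decrypt to identical bytes under key,
// which is all the LDAP server will ever judge them on.
func SamePlaintext(key []byte, v1, v2 string) (bool, error) {
	a, err := Decrypt(key, v1)
	if err != nil {
		return false, err
	}
	b, err := Decrypt(key, v2)
	if err != nil {
		return false, err
	}
	return a == b, nil
}

func main() {
	key, _ := LoadKey(base64.StdEncoding.EncodeToString([]byte("0123456789abcdef")) + "\n") // constructed key, not a real one
	old, _ := EncryptECB(key, "bindPassw0rd")
	renewed, _ := EncryptGCM(key, "bindPassw0rd\n") // what piping the password through echo without -n would produce
	same, err := SamePlaintext(key, old, renewed)
	fmt.Println(old, renewed, same, err)
}
```

To use it for real, put the contents of the copied sonar-secret.txt into LoadKey and the two property values into SamePlaintext in place of the constructed ones. If it reports false, print both plaintexts with %q: a stray newline or other whitespace picked up while producing the new value is invisible in normal output and is exactly the kind of difference a bind attempt reports as error 49 / data 52e.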