LDAP stopped working on SQ 6.7

ldap

(Mark De Michele) #1

I have two installations of SonarQube. One running 6.7 (build 33306) and another running 5.6.1. Both have version 2.2.0.608 of the LDAP plugin. They are running on the same Windows server. The config for the LDAP portion is identical. Both were working, but then at some point, the 6.7 one stopped working. From a client perspective, when you log in it takes many seconds and then you get an authentication failed message.

I turned on debug logging and this is what I see.

2018.07.12 19:48:20 DEBUG web[AWSQ5TaAiD8+OrerAAAB][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|10.196.198.48|24.0.52.3:20173][login|]
2018.07.12 19:48:21 DEBUG web[AWSQ5TaAiD8+OrerAAAE][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|10.196.198.48|24.0.52.3:20173][login|]
2018.07.12 19:48:21 DEBUG web[AWSQ5TaAiD8+OrerAAAG][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|10.196.198.48|24.0.52.3:20180][login|]
2018.07.12 19:52:43 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapUsersProvider] Requesting details for user UDEMIM2
2018.07.12 19:52:43 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=dc=peroot,dc=com, scope=subtree, request=(&(objectClass=user)((memberOf=CN=WW SonarQube Users,OU=Application Security Groups,OU=Enterprise Groups,DC=peroot,DC=com))(sAMAccountName={0})), parameters=[UDEMIM2], attributes=[mail, cn]}
2018.07.12 19:52:43 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://usnj2-ad-641.peroot.com:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=serv.xl.builder@peroot.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2018.07.12 19:52:53 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=dc=peroot,dc=com, scope=subtree, request=(&(objectClass=user)((memberOf=CN=WW SonarQube Users,OU=Application Security Groups,OU=Enterprise Groups,DC=peroot,DC=com))(sAMAccountName={0})), parameters=[UDEMIM2], attributes=null}
2018.07.12 19:52:53 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://usnj2-ad-641.peroot.com:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=serv.xl.builder@peroot.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2018.07.12 19:52:57 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://usnj2-ad-641.peroot.com:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=DeMichele\, Mark,OU=Users,OU=USPISCTY,OU=North America,DC=PEROOT,DC=com, java.naming.security.authentication=simple, java.naming.referral=follow}
2018.07.12 19:52:57 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapGroupsProvider] Requesting groups for user UDEMIM2
2018.07.12 19:52:57 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=dc=peroot,dc=com, scope=subtree, request=(&(objectClass=user)((memberOf=CN=WW SonarQube Users,OU=Application Security Groups,OU=Enterprise Groups,DC=peroot,DC=com))(sAMAccountName={0})), parameters=[UDEMIM2], attributes=[dn]}
2018.07.12 19:52:57 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://usnj2-ad-641.peroot.com:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=serv.xl.builder@peroot.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2018.07.12 19:53:01 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=Groups,DC=PEROOT,DC=com, scope=subtree, request=(&(objectClass=WW SonarQube Users)(member={0})), parameters=[CN=DeMichele\, Mark,OU=Users,OU=USPISCTY,OU=North America,DC=PEROOT,DC=com], attributes=[sAMAccountName]}
2018.07.12 19:53:01 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://usnj2-ad-641.peroot.com:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=serv.xl.builder@peroot.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2018.07.12 19:53:02 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapGroupsProvider] [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=PEROOT,DC=com'
 ]
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=PEROOT,DC=com'
 ]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
	at javax.naming.directory.InitialDirContext.search(Unknown Source)
	at org.sonar.plugins.ldap.LdapSearch.find(LdapSearch.java:130)
	at org.sonar.plugins.ldap.LdapGroupsProvider.getGroups(LdapGroupsProvider.java:78)
	at org.sonar.plugins.ldap.LdapGroupsProvider.doGetGroups(LdapGroupsProvider.java:57)
	at org.sonar.server.authentication.RealmAuthenticator.synchronize(RealmAuthenticator.java:138)
	at org.sonar.server.authentication.RealmAuthenticator.doAuthenticate(RealmAuthenticator.java:109)
	at org.sonar.server.authentication.RealmAuthenticator.authenticate(RealmAuthenticator.java:86)
	at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:61)
	at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:50)
	at org.sonar.server.authentication.ws.LoginAction.authenticate(LoginAction.java:123)
	at org.sonar.server.authentication.ws.LoginAction.doFilter(LoginAction.java:104)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:87)
	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:71)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:72)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.requestid.RequestIdFilter.doFilter(RequestIdFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Unknown Source)
2018.07.12 19:53:02 ERROR web[AWSQ5TaAiD8+OrerAAAH][o.s.s.a.RealmAuthenticator] Error during authentication
org.sonar.plugins.ldap.LdapException: Unable to retrieve groups for user UDEMIM2 in <default>
	at org.sonar.plugins.ldap.LdapGroupsProvider.getGroups(LdapGroupsProvider.java:85)
	at org.sonar.plugins.ldap.LdapGroupsProvider.doGetGroups(LdapGroupsProvider.java:57)
	at org.sonar.server.authentication.RealmAuthenticator.synchronize(RealmAuthenticator.java:138)
	at org.sonar.server.authentication.RealmAuthenticator.doAuthenticate(RealmAuthenticator.java:109)
	at org.sonar.server.authentication.RealmAuthenticator.authenticate(RealmAuthenticator.java:86)
	at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:61)
	at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:50)
	at org.sonar.server.authentication.ws.LoginAction.authenticate(LoginAction.java:123)
	at org.sonar.server.authentication.ws.LoginAction.doFilter(LoginAction.java:104)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:87)
	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:71)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:72)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.requestid.RequestIdFilter.doFilter(RequestIdFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=PEROOT,DC=com'
 ]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
	at javax.naming.directory.InitialDirContext.search(Unknown Source)
	at org.sonar.plugins.ldap.LdapSearch.find(LdapSearch.java:130)
	at org.sonar.plugins.ldap.LdapGroupsProvider.getGroups(LdapGroupsProvider.java:78)
	... 48 common frames omitted
2018.07.12 19:53:02 DEBUG web[AWSQ5TaAiD8+OrerAAAH][auth.event] login failure [cause|Unable to retrieve groups for user UDEMIM2 in <default>][method|FORM][provider|REALM|LDAP][IP|10.196.198.48|24.0.52.3:20180][login|UDEMIM2]

Does anyone have any idea what could be happening?


(Nicolas Bontoux) #2

Hi there,

The error you’re hitting here is due to LDAP returning an error code:

So in answer to this question:

I think the first people to check with are the team maintaining your LDAP setup. They’ll be able to explain what this LDAP server error means, and maybe correlate it with some changes/config/setup on their side.
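
An added example, not part of either post and not SonarQube or LDAP plugin code: LDAP result code 32 is noSuchObject, and the "best match of" value is the deepest entry the server could resolve, so pairing the error with the last search logged on the same request id shows which part of the search base was not found. The sample lines are abridged from the log in the question; the function names are this example's own.

```python
import re

# Constructed sample: the group search and the error that follows it, abridged
# from the debug log in the question (stack frames and other lines dropped).
SAMPLE_LOG = r"""2018.07.12 19:53:01 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=Groups,DC=PEROOT,DC=com, scope=subtree, request=(&(objectClass=WW SonarQube Users)(member={0})), parameters=[CN=DeMichele\, Mark,OU=Users,OU=USPISCTY,OU=North America,DC=PEROOT,DC=com], attributes=[sAMAccountName]}
2018.07.12 19:53:02 DEBUG web[AWSQ5TaAiD8+OrerAAAH][o.s.p.l.LdapGroupsProvider] [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=PEROOT,DC=com'
 ]
"""

LINE = re.compile(r"^\S+ \S+ \w+ +web\[([^\]]+)\]\[[^\]]+\] (.*)$")
SEARCH = re.compile(r"LdapSearch\{baseDn=(.*?), scope=\w+, request=(.*), parameters=")
ERR32 = re.compile(r"LDAP: error code 32\b")
MATCHED = re.compile(r"^\s*'([^']*)'")

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def missing_rdns(base_dn, matched_dn):
    """RDNs of base_dn below matched_dn, or None if matched_dn is not an ancestor."""
    base, matched = split_dn(base_dn), split_dn(matched_dn)
    keep = len(base) - len(matched)
    fold = lambda rdns: [r.casefold() for r in rdns]  # assumes case-insensitive DNs (as in AD)
    if keep < 0 or fold(base[keep:]) != fold(matched):
        return None
    return base[:keep]

def triage(log_text):
    """Pair each error 32 with the last LdapSearch logged on the same request id."""
    last_search, findings, pending = {}, [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            req, msg = m.groups()
            pending = None
            s = SEARCH.search(msg)
            if s:
                last_search[req] = {"base_dn": s.group(1), "filter": s.group(2)}
            elif ERR32.search(msg) and req in last_search:
                pending = dict(last_search[req], request_id=req, matched_dn=None, missing=None)
                findings.append(pending)
        elif pending and pending["matched_dn"] is None and MATCHED.match(raw):
            pending["matched_dn"] = MATCHED.match(raw).group(1)  # "best match of" value
            pending["missing"] = missing_rdns(pending["base_dn"], pending["matched_dn"])
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

For the log above, the unresolved part is the `OU=Groups` component of the group search base (not found, or not visible to the bind account), which is the detail to take to the directory team.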