Basic LDAP Integration

Коллеги, день добрый!
Пробую настроить подключение https://doc.cuba-platform.com/manual-7.2-ru/ldap_basic.html

  1. Подключаюсь к AD через AD Explorer под технической УЗ и вижу следующее. (Раз УЗ читает каталог, значит, необходимые права у неё есть и её можно указывать в настройках?)
    image

Нахожу ее
image

  1. Пробую настроить подключение в тестовом проекте, указываю тех. УЗ
    Добавил в
    image
    строчки
    cuba.web.ldap.enabled = true
    cuba.web.ldap.urls = ldap://10...40:389
    cuba.web.ldap.base = dc=co,dc=ro
    **,dc=ru
    cuba.web.ldap.user = cn=ra,ou=Users
    cuba.web.ldap.userLoginField = r
    a
    cuba.web.standardAuthenticationUsers = admin
    cuba.web.ldap.password = ******

  2. Запустил проект, добавил свою доменную УЗ в систему
    image

  3. Перезапустил проект, пробую зайти, получаю ошибку
    image

  4. Смотрим лог

com.haulmont.cuba.security.global.InternalAuthenticationException: Exception is thrown by login provider
at com.haulmont.cuba.web.security.ConnectionImpl.loginInternal(ConnectionImpl.java:208) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.security.ConnectionImpl.login(ConnectionImpl.java:91) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.security.LoginScreenAuthDelegate.doLogin(LoginScreenAuthDelegate.java:148) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.app.login.LoginScreen.doLogin(LoginScreen.java:275) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.app.login.LoginScreen.doLogin(LoginScreen.java:243) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.app.login.LoginScreen.login(LoginScreen.java:213) ~[cuba-web-7.2.14.jar:7.2.14]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
at com.haulmont.cuba.gui.xml.DeclarativeAction.actionPerform(DeclarativeAction.java:101) ~[cuba-gui-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.gui.components.WebButton.buttonClicked(WebButton.java:67) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.widgets.CubaButton.fireClick(CubaButton.java:76) ~[cuba-web-widgets-7.2.14.jar:na]
at com.vaadin.ui.Button$1.click(Button.java:57) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:153) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:115) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.communication.ServerRpcHandler.handleInvocation(ServerRpcHandler.java:431) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.communication.ServerRpcHandler.handleInvocations(ServerRpcHandler.java:396) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:260) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:82) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1580) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:425) ~[vaadin-server-8.9.2-26-cuba.jar:8.9.2-26-cuba]
at com.haulmont.cuba.web.sys.CubaApplicationServlet.serviceAppRequest(CubaApplicationServlet.java:329) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.sys.CubaApplicationServlet.service(CubaApplicationServlet.java:215) ~[cuba-web-7.2.14.jar:7.2.14]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[servlet-api.jar:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.38]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-websocket.jar:9.0.38]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.38]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:93) ~[cuba-web-7.2.14.jar:7.2.14]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[catalina.jar:9.0.38]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[catalina.jar:9.0.38]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[catalina.jar:9.0.38]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) ~[catalina.jar:9.0.38]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[catalina.jar:9.0.38]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.38]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) ~[tomcat-coyote.jar:9.0.38]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-coyote.jar:9.0.38]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-coyote.jar:9.0.38]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) ~[tomcat-coyote.jar:9.0.38]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.38]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.38]
at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839 ]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:578) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1441) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1426) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.authenticate(LdapTemplate.java:1359) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at com.haulmont.cuba.web.security.ldap.LdapLoginProvider.authenticateInLdap(LdapLoginProvider.java:130) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.security.ldap.LdapLoginProvider.login(LdapLoginProvider.java:81) ~[cuba-web-7.2.14.jar:7.2.14]
at com.haulmont.cuba.web.security.ConnectionImpl.loginInternal(ConnectionImpl.java:192) ~[cuba-web-7.2.14.jar:7.2.14]
… 56 common frames omitted
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839 ]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3259) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2905) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:280) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185) ~[na:na]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115) ~[na:na]
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730) ~[na:na]
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[na:na]
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) ~[na:na]
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[na:na]
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:343) ~[spring-ldap-core-2.3.2.RELEASE.jar:2.3.2.RELEASE]
… 68 common frames omitted

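Заработало: в cuba.web.ldap.user указал значение (полный DN технической УЗ), полученное способом ниже. Ошибка 49 с data 52e в логе означает, что AD отклонил учётные данные при bind, а по стеку (AbstractContextSource.createContext, вызванный из LdapTemplate.search) видно, что отклонялось подключение самой технической УЗ, а не пароль входящего пользователя.
В cmd выполнить (по умолчанию команда выводит DN найденной записи):
dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=****))"
Замечание: если используется простой (simple) bind, то по ldap:// на порту 389 пароль технической УЗ передаётся по сети без шифрования; для рабочей среды лучше указывать ldaps://.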

всем спасибо.