Configuring Azure AD Secure LDAP with WSO2 AM

I am trying to configure the WSO2 API Manager user store against Azure AD LDAP. I have enabled Secure LDAP on Azure AD and can verify connectivity with Apache Directory Studio.

But when I try to configure LDAP in the WSO2 AM user-mgt.xml, it throws an error on server startup. Below are the configs and the stack trace.

user-mgt.xml

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
            <Property name="ConnectionURL">ldaps://ldap-public-ip:636</Property>
            <Property name="ConnectionName">CN=Configuration,DC=wso2-azure,DC=onmicrosoft,DC=com</Property>
            <Property name="ConnectionPassword">Password</Property>
            <Property name="AnonymousBind">false</Property>
            <Property name="UserSearchBase">CN=Configuration,DC=wso2-azure,DC=onmicrosoft,DC=com</Property>
            <Property name="UserEntryObjectClass">user</Property>
            <Property name="UserNameAttribute">cn</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
            <Property name="UserNameListFilter">(objectClass=user)</Property>
            <Property name="DisplayNameAttribute"/>
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">true</Property>
            <Property name="GroupSearchBase">CN=Configuration,DC=wso2-azure,DC=onmicrosoft,DC=com</Property>
            <Property name="GroupEntryObjectClass">group</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
            <Property name="GroupNameListFilter">(objectcategory=group)</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="MemberOfAttribute">memberOf</Property>
            <Property name="BackLinksEnabled">true</Property>
            <Property name="Referral">follow</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">true</Property>
            <Property name="EmptyRolesAllowed">true</Property>
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="isADLDSRole">false</Property>
            <Property name="userAccountControl">512</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="MembershipAttributeRange">1500</Property>
            <Property name="kdcEnabled">false</Property>
            <Property name="defaultRealmName">wso2-azure.onmicrosoft.com</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="ConnectionPoolingEnabled">false</Property>
            <Property name="LDAPConnectionTimeout">5000</Property>
            <Property name="ReadTimeout"/>
            <Property name="RetryAttempts"/>
        </UserStoreManager>

Error:

javax.naming.CommunicationException: 40.78.48.218:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 40.78.48.218 found]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at org.wso2.carbon.user.core.ldap.LDAPConnectionContext.getContext(LDAPConnectionContext.java:180)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:215)
        at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.<init>(ReadWriteLDAPUserStoreManager.java:122)
        at org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager.<init>(ActiveDirectoryUserStoreManager.java:105)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:355)
        at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:222)
        at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:127)
        at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:264)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:102)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:115)
        at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:68)
        at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
        at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
        at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:390)
        at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1176)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 40.78.48.218 found
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:394)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
        ... 44 more
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 40.78.48.218 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
        ... 53 more

Can anyone help?


1 Answer

Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 40.78.48.218 found

You need to import the certificate used for Azure AD Secure LDAP into client-truststore.jks on the Identity Server. And you need to use the CN or the subject alternative names mentioned in the certificate for the connection.
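To see why the stack trace above ends in `HostnameChecker.matchIP`, the following added example (not part of this answer, and not WSO2 or Azure code) reproduces the identity check the JDK applies to an LDAPS peer certificate. The certificate data is a constructed dictionary in the shape that Python's `ssl.getpeercert()` returns; the names `ldap.wso2-azure.example` and the wildcard entry are hypothetical, and the IP address is the one from the stack trace. When the connect target is an IP address, only an IP-type SAN entry can satisfy the check; a certificate issued to DNS names cannot, whatever its CN says, so the fix is to connect by a hostname the certificate covers (and to trust the issuing certificate in the truststore).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example of what ssl.getpeercert() returns for a secure-LDAP
# endpoint certificate issued to DNS names only (hypothetical names).
CONSTRUCTED_PEER_CERT: Dict = {
    "subject": ((("commonName", "*.ldap.wso2-azure.example"),),),
    "subjectAltName": (
        ("DNS", "*.ldap.wso2-azure.example"),
        ("DNS", "ldap.wso2-azure.example"),
    ),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".ldap.wso2-azure.example"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]           # the label the wildcard must cover
        return left != "" and "." not in left
    return pattern == hostname


def check_identity(cert: Dict, target: str) -> Tuple[bool, str]:
    """Mimic the JDK HostnameChecker decision for a TLS connect target.

    Returns (ok, reason). An IP target is matched only against 'IP Address'
    SAN entries; a DNS target is matched against DNS SAN entries, with the
    subject CN consulted only when the certificate carries no DNS SAN at all.
    """
    sans: List[Tuple[str, str]] = list(cert.get("subjectAltName", ()))
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched IP SAN {value}"
            except ValueError:
                continue
        # This is the branch the stack trace above landed in.
        return False, f"No subject alternative names matching IP address {target} found"

    dns_sans = [value for kind, value in sans if kind == "DNS"]
    for value in dns_sans:
        if _dns_match(value, target):
            return True, f"matched DNS SAN {value}"
    if not dns_sans:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_match(value, target):
                    return True, f"matched CN {value} (no DNS SAN present)"
    return False, f"No subject alternative DNS name matching {target} found"


if __name__ == "__main__":
    # Connecting by public IP (the poster's ConnectionURL) fails the check;
    # connecting by a covered hostname passes it.
    for target in ("40.78.48.218", "ldap.wso2-azure.example", "dc1.ldap.wso2-azure.example"):
        ok, reason = check_identity(CONSTRUCTED_PEER_CERT, target)
        print(f"{target:32} -> {'OK ' if ok else 'FAIL'} ({reason})")
```

Once you know which name the certificate covers, set `ConnectionURL` to `ldaps://<that-hostname>:636` (resolving it to the public IP via DNS or a hosts entry if needed) and import the server or issuing certificate into the truststore, for example with `keytool -importcert -alias azure-ldaps -file <exported-cert.cer> -keystore <CARBON_HOME>/repository/resources/security/client-truststore.jks` (paths are placeholders). Disabling hostname verification instead would leave the LDAPS bind credentials exposed to any host presenting a trusted certificate, so the hostname fix is the one to make.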
