Thank you so much Wei! It worked! In my case the LDAP server accepts anonymous bind, so instead of updating the value for ldap.bind.password (there is no line with this value) I had to update the lines with ldap.truststore.password.

Now users can authenticate. Thank you!

On Wed, 14 Feb 2024 at 16:34, Wei ZHOU <ustcweiz...@gmail.com> wrote:

> Can you try the workaround described in
> https://github.com/apache/cloudstack/issues/8637?
>
> -Wei
>
> On Wednesday, 14 February 2024, Jorge Luiz Correa <jorge.l.cor...@embrapa.br.invalid> wrote:
>
> > Hello!
> >
> > I've upgraded from 4.17.2 to 4.19.0. I'm using Ubuntu Server 22.04.3 LTS,
> > Java 11.0.21 (no changes with the upgrade). I'm using an LDAP server to
> > authenticate users, with SSL.
> >
> > After the upgrade users can't authenticate anymore. The errors at the end
> > of this message can be found in management.log. I've read it could be a
> > problem accessing the keystore file.
> >
> > I've already tried to
> > - regenerate the keystore (with default parameters)
> > - check the password with keytool, everything is ok (no changes from
> >   4.17.2, it was working)
> > - change permissions on cloud.jks
> > - put https.keystore.password between '...' in server.properties
> >
> > I appreciate any help with something I can try to restore the LDAP
> > authentication with SSL.
> >
> > Thank you!
> >
> > ---- errors in management.log
> >
> > *2024-02-14 15:43:58,248 DEBUG [o.a.c.l.LdapManagerImpl] (qtp1753127384-22:ctx-cfc59ea9) (logid:c7732509) ldap Exception:javax.naming.CommunicationException: ldapserver.mydomain:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]*
> >         at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:252)
> >         at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
> >         at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
> >         at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847)
> >         at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
> >         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:266)
> >         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
> >         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:284)
> >         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185)
> >         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115)
> >         at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
> >         at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
> >         at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
> >         at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
> >         at org.apache.cloudstack.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:62)
> >         at org.apache.cloudstack.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:51)
> >         at org.apache.cloudstack.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:45)
> >         at org.apache.cloudstack.ldap.LdapManagerImpl.getUser(LdapManagerImpl.java:314)
> >         at org.apache.cloudstack.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:229)
> >         at org.apache.cloudstack.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:84)
> >         at com.cloud.user.AccountManagerImpl.getUserAccount(AccountManagerImpl.java:2656)
> >         at com.cloud.user.AccountManagerImpl.authenticateUser(AccountManagerImpl.java:2494)
> >         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
> >         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
> >         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
> >         at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
> >         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> >         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
> >         at com.sun.proxy.$Proxy128.authenticateUser(Unknown Source)
> >         at com.cloud.api.ApiServer.loginUser(ApiServer.java:1111)
> >         at com.cloud.api.auth.DefaultLoginAPIAuthenticatorCmd.authenticate(DefaultLoginAPIAuthenticatorCmd.java:156)
> >         at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:257)
> >         at com.cloud.api.ApiServlet$1.run(ApiServlet.java:154)
> >         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
> >         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
> >         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
> >         at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:151)
> >         at com.cloud.api.ApiServlet.doPost(ApiServlet.java:110)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
> >         at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1450)
> >         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
> >         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
> >         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> >         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
> >         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> >         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
> >         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
> >         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
> >         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
> >         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
> >         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
> >         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
> >         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
> >         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
> >         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> >         at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772)
> >         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
> >         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> >         at org.eclipse.jetty.server.Server.handle(Server.java:516)
> >         at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
> >         at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
> >         at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
> >         at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
> >         at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
> >         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
> >         at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
> >         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
> >         at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
> >         at java.base/java.lang.Thread.run(Thread.java:829)
> > *Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)*
> >         at java.base/javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:263)
> >         at java.base/javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:277)
> >         at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:321)
> >         ... 74 more
> > *Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)*
> >         at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
> >         at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
> >         at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
> >         ... 82 more
> > *Caused by: java.security.KeyStoreException: problem accessing trust store*
> >         at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
> >         at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:278)
> >         at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getTrustManagers(SSLContextImpl.java:1036)
> >         ... 92 more
> > *Caused by: java.io.IOException: keystore password was incorrect*
> >         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2092)
> >         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
> >         at java.base/java.security.KeyStore.load(KeyStore.java:1479)
> >         ... 98 more
> > *Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.*
> >         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2092)
> >         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
> >         at java.base/java.security.KeyStore.load(KeyStore.java:1479)
> >         ... 98 more
> > 2024-02-14 15:43:58,254 DEBUG [o.a.c.l.LdapAuthenticator] (qtp1753127384-22:ctx-cfc59ea9) (logid:c7732509) No users matching: No Ldap User found for username: myuser in group: cn=cloudstack-hpc,ou=app,ou=authorization of type: GROUP
> >
> > --
> > Jorge Luiz Corrêa
> > Embrapa Agricultura Digital
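Editor's added example, not part of the thread and not CloudStack code: a small Python triage script that walks the "Caused by:" chain of a trace like the one quoted above. The first line of that trace (NoSuchAlgorithmException: Error constructing implementation, provider SunJSSE, class SSLContextImpl$DefaultSSLContext) reads like a missing crypto provider, but the innermost links say the JVM's default SSLContext could not decrypt the PKCS12 trust store with the password it was given, which is what the ldap.truststore.password change in this thread fixed. The sample log is a constructed, condensed copy of the quoted trace (most frames removed); the hint table and its wording are this example's own, not project documentation.

```python
"""Walk the "Caused by:" chain of a Java stack trace in a management.log
excerpt and report which link is worth acting on.

Added example for this thread, not CloudStack code. SAMPLE_LOG is a
constructed, condensed copy of the trace quoted above."""
import re

SAMPLE_LOG = """\
2024-02-14 15:43:58,248 DEBUG [o.a.c.l.LdapManagerImpl] (qtp1753127384-22:ctx-cfc59ea9) (logid:c7732509) ldap Exception:javax.naming.CommunicationException: ldapserver.mydomain:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
        at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:252)
        at org.apache.cloudstack.ldap.LdapManagerImpl.getUser(LdapManagerImpl.java:314)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
        at java.base/javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:263)
        ... 74 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
        at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
        ... 82 more
Caused by: java.security.KeyStoreException: problem accessing trust store
        at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
        ... 92 more
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2092)
        ... 98 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2092)
        ... 98 more
2024-02-14 15:43:58,254 DEBUG [o.a.c.l.LdapAuthenticator] (qtp1753127384-22:ctx-cfc59ea9) (logid:c7732509) No users matching: No Ldap User found for username: myuser in group: cn=cloudstack-hpc,ou=app,ou=authorization of type: GROUP
"""

# A stack frame ("    at ...") or an elided-frames marker ("    ... 74 more").
FRAME_RE = re.compile(r"^\s+(?:at\s|\.\.\.\s+\d+\s+more)")
CAUSED_BY_RE = re.compile(r"^\s*Caused by:\s*(.*)$")
# A fully qualified Java exception class, optionally followed by ": message".
EXC_RE = re.compile(r"((?:[a-zA-Z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error))(?::\s*(.*))?")

# Root-cause message fragments and what to check. The fragments come from the
# quoted trace; the hint text is this example's wording, not project docs.
HINTS = [
    ("keystore password was incorrect",
     "trust store password rejected: the JVM default SSLContext opens the store "
     "named by javax.net.ssl.trustStore (JDK cacerts if unset) with "
     "javax.net.ssl.trustStorePassword; confirm the password with "
     "'keytool -list -keystore <file>' and check the property that supplies it "
     "(in this thread: the ldap.truststore.password lines in server.properties)"),
    ("failed to decrypt safe contents entry",
     "PKCS12 safe contents did not decrypt; the JDK message itself points at a "
     "wrong password rather than a damaged file"),
    ("problem accessing trust store",
     "trust store could not be opened: check its path, permissions and store type"),
]


def _exc(text):
    """Split 'pkg.Class: message' into (class, message); None if no exception."""
    m = EXC_RE.search(text)
    return (m.group(1), (m.group(2) or "").strip()) if m else None


def parse_cause_chain(log_text):
    """Return [(exception_class, message), ...], outermost exception first.

    The outermost exception is the last non-frame line before the first stack
    frame; each following "Caused by:" line adds one link. Parsing stops at the
    first non-trace line, so only the first trace in the text is returned."""
    lines = log_text.splitlines()
    chain = []
    for i, line in enumerate(lines):
        caused = CAUSED_BY_RE.match(line)
        if chain and caused:
            link = _exc(caused.group(1))
            if link:
                chain.append(link)
        elif chain and not FRAME_RE.match(line):
            break
        elif (not chain and not FRAME_RE.match(line)
              and i + 1 < len(lines) and FRAME_RE.match(lines[i + 1])):
            link = _exc(line)
            if link:
                chain.append(link)
    return chain


def root_cause(log_text):
    """The innermost link of the chain, or None when no trace was found."""
    chain = parse_cause_chain(log_text)
    return chain[-1] if chain else None


def diagnose(chain):
    """Match links innermost-first against HINTS; returns [(class, hint), ...]."""
    found = []
    for exc, msg in reversed(chain):
        for needle, hint in HINTS:
            if needle in msg:
                found.append((exc, hint))
                break
    return found


if __name__ == "__main__":
    chain = parse_cause_chain(SAMPLE_LOG)
    for depth, (exc, msg) in enumerate(chain):
        print(f"{'  ' * depth}{exc}: {msg[:80]}")
    for exc, hint in diagnose(chain):
        print(f"-> {exc}: {hint}")
```

Run it against a larger management.log excerpt by replacing SAMPLE_LOG with the file contents; the script stops after the first trace, so cut the excerpt at the login attempt you are investigating. The point of scanning innermost-first is that the outer NoSuchAlgorithmException is only a wrapper: acting on it (reinstalling the JDK, touching java.security) would not have helped here.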