
Active Directory - NamingException/error validating during authentication #12

Open
matthewmrichter opened this issue Jan 31, 2017 · 1 comment



matthewmrichter commented Jan 31, 2017

Hi all, I see there is someone getting a similar error to me above, but the latest fix does not seem to apply to me. I'm not super LDAP experienced and I am having a hell of a time configuring this to work with my Windows Server 2012 Active Directory. Would really appreciate an assist.

  • Marathon-ldap jar 1.3
  • Mesos version 1.1.0-2.0.107.centos701406
  • Marathon version 1.3.7-1.0.565.el7

My AD user looks as follows:

PS AD:\cn=users,dc=domain,dc=com> Get-ADUser -Filter {Name -like "Matt Richter"}


DistinguishedName : CN=Matt Richter,CN=Users,DC=domain,DC=com
Enabled           : True
GivenName         : Matt
Name              : Matt Richter
ObjectClass       : user
ObjectGUID        : 65b42d5e-f330-4a3b-9bb9-976536affdb3
SamAccountName    : MRichter
SID               : S-1-5-21-4183530585-134636266-2064867791-2498
Surname           : Richter
UserPrincipalName : [email protected]

He is in a security group that I want to use to determine access:

PS AD:\cn=users,dc=domain,dc=com> Get-ADGroup -SearchBase "OU=Security Groups,DC=domain,DC=com" -filter {Name -like "InfrastructureGroup"}


DistinguishedName : CN=InfrastructureGroup,OU=Security Groups,DC=domain,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : InfrastructureGroup
ObjectClass       : group
ObjectGUID        : 2e13cf87-1282-459b-957f-9062f6b7f2ad
SamAccountName    : InfrastructureGroup
SID               : S-1-5-21-4183530585-134636266-2064867791-13614

I've tried several permutations, but here's what I currently have for plugin_conf.json.

{
    "plugins": {
        "authorization": {
            "plugin": "mesosphere.marathon.plugin.auth.Authorizer",
            "implementation": "io.containx.marathon.plugin.auth.LDAPAuthorizor"
        },
        "authentication": {
            "plugin": "mesosphere.marathon.plugin.auth.Authenticator",
            "implementation": "io.containx.marathon.plugin.auth.LDAPAuthenticator",
            "configuration": {
                "ldap": {
                    "url": "ldap://$ldapserver:389",
                    "base": "DC=domain,DC=com",
                    "dn": "CN={username},CN=Users,DC=domain,DC=com",
                    "bindUser": "CN=$ldapbinduser,CN=Users,DC=domain,DC=com",
                    "bindPassword": "$ldapbindpass",
                    "userSearch": "(&(sAMAccountName={username})(objectClass=user))",
                    "userSubTree": "CN=Users",
                    "groupSearch": "(&(sAMAccountName={username})(objectClass=group))",
                    "groupSubTree": "OU=Security Groups"
                },
                "authorization": {
                    "access": [
                        {
                            "group": "InfrastructureGroup",
                            "permissions": [
                                {
                                    "allowed": "*",
                                    "type"   : "app"
                                },
                                {
                                    "allowed": "*",
                                    "type"   : "group"
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}

I deploy and restart marathon, then log into the UI via chrome, and I get prompted for my username/password. The prompt just re-appears after entering my correct creds and I get the following in the logs:

Jan 31 07:29:22 server.domain.com marathon[5373]: [2017-01-31 07:29:22,202] ERROR LDAP NamingException during authentication: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580
Jan 31 07:29:22 server.domain.com marathon[5373]: [2017-01-31 07:29:22,202] ERROR LDAP error validating user: {} (io.containx.marathon.plugin.auth.LDAPAuthenticator:pool-3-thread-1)
Jan 31 07:29:22 server.domain.com marathon[5373]: com.google.common.cache.CacheLoader$InvalidCacheLoadException: CacheLoader returned null for key AuthKey{username=mrichter}.
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2354)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at io.containx.marathon.plugin.auth.LDAPAuthenticator.doAuth(LDAPAuthenticator.java:78)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at io.containx.marathon.plugin.auth.LDAPAuthenticator.lambda$authenticate$4(LDAPAuthenticator.java:60)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at akka.dispatch.Futures$$anonfun$future$1.apply(Future.scala:97)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
Jan 31 07:29:22 server.domain.com marathon[5373]:         at java.lang.Thread.run(Thread.java:745)

Would really appreciate some help! Thanks!
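The log above reports LDAP result code 49 with the Active Directory sub-code 52e. The following Python script is an added example for readers of this thread; it is not code from the issue or from the marathon-ldap plugin. It decodes the AD sub-code from a bind-failure log line and, against a constructed mock of the two directory objects shown in the issue, contrasts a bind DN built by substituting the login name into a fixed `CN={username},...` template with the DN obtained by searching on sAMAccountName. The mock directory, the password map and the assumption that the bind is attempted with the templated DN are all constructed for illustration.

```python
import re

# Well-known Active Directory sub-codes that accompany LDAP result 49
# (invalidCredentials) in the "AcceptSecurityContext error, data NNN" text.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (DN does not exist or password is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Copied from the issue's log output (the line is truncated there as well).
SAMPLE_LOG_LINE = (
    "ERROR LDAP NamingException during authentication: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, "
    "data 52e, v2580"
)


def ad_bind_subcode(log_line):
    """Return (subcode, meaning) parsed from an AD bind-failure line, or None."""
    m = _SUBCODE_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


# Constructed mock of the user and group objects shown in the issue, keyed by DN.
# Only the attributes needed for this example are kept.
MOCK_DIRECTORY = {
    "CN=Matt Richter,CN=Users,DC=domain,DC=com": {
        "objectClass": "user",
        "sAMAccountName": "MRichter",
    },
    "CN=InfrastructureGroup,OU=Security Groups,DC=domain,DC=com": {
        "objectClass": "group",
        "sAMAccountName": "InfrastructureGroup",
        "member": ["CN=Matt Richter,CN=Users,DC=domain,DC=com"],
    },
}

# Constructed password map for the mock bind; a real directory never exposes this.
MOCK_PASSWORDS = {"CN=Matt Richter,CN=Users,DC=domain,DC=com": "correct-horse"}


def template_dn(username, template="CN={username},CN=Users,DC=domain,DC=com"):
    """Build a bind DN the way a fixed template does: login name substituted into CN."""
    return template.replace("{username}", username)


def search_user_dn(directory, username):
    """Find the user's real DN by sAMAccountName (case-insensitive, as AD matches it).
    This is the lookup a service account performs before binding as the user."""
    for dn, attrs in directory.items():
        if attrs.get("objectClass") != "user":
            continue
        if attrs.get("sAMAccountName", "").lower() == username.lower():
            return dn
    return None


def simple_bind(directory, dn, password, passwords):
    """Mock simple bind: returns (ok, subcode).
    AD reports 52e for a nonexistent DN as well as for a wrong password, so a
    failed bind alone does not tell the caller which of the two it was."""
    if dn not in directory or passwords.get(dn) != password:
        return False, "52e"
    return True, None


def is_member(directory, user_dn, group_dn):
    """Check direct group membership via the group's member attribute."""
    group = directory.get(group_dn)
    return group is not None and user_dn in group.get("member", [])


if __name__ == "__main__":
    print(ad_bind_subcode(SAMPLE_LOG_LINE))
    templated = template_dn("mrichter")
    print("templated DN exists:", templated in MOCK_DIRECTORY)
    real_dn = search_user_dn(MOCK_DIRECTORY, "mrichter")
    print("searched DN:", real_dn)
    print("bind via template:", simple_bind(MOCK_DIRECTORY, templated, "correct-horse", MOCK_PASSWORDS))
    print("bind via search:", simple_bind(MOCK_DIRECTORY, real_dn, "correct-horse", MOCK_PASSWORDS))
    print("in group:", is_member(MOCK_DIRECTORY, real_dn,
                                 "CN=InfrastructureGroup,OU=Security Groups,DC=domain,DC=com"))
```

The mock shows the general point behind the 52e: a templated DN is only valid when the login name equals the object's CN, whereas a search on sAMAccountName returns the object's actual DN regardless of how the CN was chosen. Because AD answers 52e for both a missing DN and a bad password, the sub-code table is useful for telling the other failure modes (disabled, locked out, expired) apart, but not those two.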

@trois-six

Please try with a group DN without spaces.
