Active Directory - NamingException/error validating during authentication
matthewmrichter opened this issue · 1 comments
Hi all, I see there is someone getting a similar error to me above, but the latest fix does not seem to apply to me. I'm not super LDAP experienced and I am having a hell of a time configuring this to work with my Windows Server 2012 Active Directory. Would really appreciate an assist.
- Marathon-ldap jar 1.3
- Mesos version 1.1.0-2.0.107.centos701406
- Marathon version 1.3.7-1.0.565.el7
My AD user looks as follows:
```
PS AD:\cn=users,dc=domain,dc=com> Get-ADUser -Filter {Name -like "Matt Richter"}
DistinguishedName : CN=Matt Richter,CN=Users,DC=domain,DC=com
Enabled : True
GivenName : Matt
Name : Matt Richter
ObjectClass : user
ObjectGUID : 65b42d5e-f330-4a3b-9bb9-976536affdb3
SamAccountName : MRichter
SID : S-1-5-21-4183530585-134636266-2064867791-2498
Surname : Richter
UserPrincipalName : MRichter@domain.com
```
He is in a security group that I want to use to determine access:
```
PS AD:\cn=users,dc=domain,dc=com> Get-ADGroup -SearchBase "OU=Security Groups,DC=domain,DC=com" -filter {Name -like "InfrastructureGroup"}
DistinguishedName : CN=InfrastructureGroup,OU=Security Groups,DC=domain,DC=com
GroupCategory : Security
GroupScope : Global
Name : InfrastructureGroup
ObjectClass : group
ObjectGUID : 2e13cf87-1282-459b-957f-9062f6b7f2ad
SamAccountName : InfrastructureGroup
SID : S-1-5-21-4183530585-134636266-2064867791-13614
```
I've tried several permutations, but here's what I currently have for plugin_conf.json.
```json
{
  "plugins": {
    "authorization": {
      "plugin": "mesosphere.marathon.plugin.auth.Authorizer",
      "implementation": "io.containx.marathon.plugin.auth.LDAPAuthorizor"
    },
    "authentication": {
      "plugin": "mesosphere.marathon.plugin.auth.Authenticator",
      "implementation": "io.containx.marathon.plugin.auth.LDAPAuthenticator",
      "configuration": {
        "ldap": {
          "url": "ldap://$ldapserver:389",
          "base": "DC=domain,DC=com",
          "dn": "CN={username},CN=Users,DC=domain,DC=com",
          "bindUser": "CN=$ldapbinduser,CN=Users,DC=domain,DC=com",
          "bindPassword": "$ldapbindpass",
          "userSearch": "(&(sAMAccountName={username})(objectClass=user))",
          "userSubTree": "CN=Users",
          "groupSearch": "(&(sAMAccountName={username})(objectClass=group))",
          "groupSubTree": "OU=Security Groups"
        },
        "authorization": {
          "access": [
            {
              "group": "InfrastructureGroup",
              "permissions": [
                {
                  "allowed": "*",
                  "type": "app"
                },
                {
                  "allowed": "*",
                  "type": "group"
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```
I deploy and restart marathon, then log into the UI via chrome, and I get prompted for my username/password. The prompt just re-appears after entering my correct creds and I get the following in the logs:
```
Jan 31 07:29:22 server.domain.com marathon[5373]: [2017-01-31 07:29:22,202] ERROR LDAP NamingException during authentication: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580
Jan 31 07:29:22 server.domain.com marathon[5373]: [2017-01-31 07:29:22,202] ERROR LDAP error validating user: {} (io.containx.marathon.plugin.auth.LDAPAuthenticator:pool-3-thread-1)
Jan 31 07:29:22 server.domain.com marathon[5373]: com.google.common.cache.CacheLoader$InvalidCacheLoadException: CacheLoader returned null for key AuthKey{username=mrichter}.
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2354)
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324)
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
Jan 31 07:29:22 server.domain.com marathon[5373]: at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875)
Jan 31 07:29:22 server.domain.com marathon[5373]: at io.containx.marathon.plugin.auth.LDAPAuthenticator.doAuth(LDAPAuthenticator.java:78)
Jan 31 07:29:22 server.domain.com marathon[5373]: at io.containx.marathon.plugin.auth.LDAPAuthenticator.lambda$authenticate$4(LDAPAuthenticator.java:60)
Jan 31 07:29:22 server.domain.com marathon[5373]: at akka.dispatch.Futures$$anonfun$future$1.apply(Future.scala:97)
Jan 31 07:29:22 server.domain.com marathon[5373]: at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24)
Jan 31 07:29:22 server.domain.com marathon[5373]: at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24)
Jan 31 07:29:22 server.domain.com marathon[5373]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Jan 31 07:29:22 server.domain.com marathon[5373]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
Jan 31 07:29:22 server.domain.com marathon[5373]: at java.lang.Thread.run(Thread.java:745)
```
Would really appreciate some help! Thanks!
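As an added diagnostic (not part of the issue or of the marathon-ldap plugin), the script below decodes the AD sub-code carried in the logged "error code 49" line and shows what the configured `dn` template expands to for the login name `mrichter` next to the user's actual DistinguishedName from the `Get-ADUser` output. The sub-code table is the standard AD AcceptSecurityContext mapping; the log line, template and DN are constructed from the values posted above.

```python
import re

# Standard "data" sub-codes AD attaches to LDAP result 49 (AcceptSecurityContext error).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN does not exist)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the AD error text as it appears inside the Java NamingException message.
_DATA_RE = re.compile(r"LDAP: error code (\d+) - [0-9A-Fa-f]+: LdapErr: .*?, data ([0-9a-f]+)")


def decode_ldap_error(log_line: str) -> dict:
    """Extract the LDAP result code and AD sub-code from a log line; {} if absent."""
    m = _DATA_RE.search(log_line)
    if not m:
        return {}
    code, data = m.group(1), m.group(2)
    return {"code": int(code), "data": data,
            "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code")}


def render_bind_dn(template: str, username: str) -> str:
    """Expand the plugin's {username} placeholder the way the posted config spells it."""
    return template.replace("{username}", username)


def dn_matches(rendered: str, actual: str) -> bool:
    """Compare two DNs RDN by RDN; AD DNs are case-insensitive and tolerate spaces after commas."""
    norm = lambda dn: [part.strip().lower() for part in dn.split(",")]
    return norm(rendered) == norm(actual)


# Constructed sample input taken from the values in the issue above.
SAMPLE_LOG = ("ERROR LDAP NamingException during authentication: [LDAP: error code 49 - "
              "80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, "
              "data 52e, v2580")
DN_TEMPLATE = "CN={username},CN=Users,DC=domain,DC=com"
ACTUAL_DN = "CN=Matt Richter,CN=Users,DC=domain,DC=com"

if __name__ == "__main__":
    print(decode_ldap_error(SAMPLE_LOG))
    rendered = render_bind_dn(DN_TEMPLATE, "mrichter")
    print(rendered, "| matches actual DN:", dn_matches(rendered, ACTUAL_DN))
```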
Please try with a group DN without spaces.