配置LDAP登录，但始终无法成功登录

[StandardStudent]

在application中，更改了如下内容

nacos.core.auth.system.type=ldap
nacos.core.auth.ldap.url=ldap://**:389
nacos.core.auth.ldap.userdn=cn={0},ou=example,dc=com,dc=cn
nacos.core.auth.enabled=true

但仍然无法正常登陆，我这边用相同的参数可以使用ldapsearch命令查到信息

[KeithTt]

Same problem. It seems only user in the root dir can be authorized, others in the subtree can not be.

Here is the exception info:

2022-03-23 16:41:07,258 ERROR login error:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]

2022-03-23 16:41:07,259 ERROR CONSOLE /nacos/v1/auth/users/login

java.lang.RuntimeException: login error!
	at com.alibaba.nacos.console.security.nacos.LdapAuthenticationProvider.ldapLogin(LdapAuthenticationProvider.java:145)
	at com.alibaba.nacos.console.security.nacos.LdapAuthenticationProvider.authenticate(LdapAuthenticationProvider.java:97)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:200)
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:514)
	at com.alibaba.nacos.console.security.nacos.NacosAuthManager.resolveTokenFromUser(NacosAuthManager.java:191)
	at com.alibaba.nacos.console.security.nacos.NacosAuthManager.resolveToken(NacosAuthManager.java:161)
	at com.alibaba.nacos.console.security.nacos.NacosAuthManager.login(NacosAuthManager.java:70)
	at com.alibaba.nacos.console.controller.UserController.login(UserController.java:211)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:892)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:97)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter.doFilterInternal(HttpTraceFilter.java:88)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.alibaba.nacos.core.auth.AuthFilter.doFilter(AuthFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:94)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:114)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:104)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

[onewe]

@i will solve it@

[karsonto]

我用Docker LDAP 服务测试能正常使用
docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.3.0

docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

添加 LDAP配置信息 到application.properties

登入nacos 用户名字 admin 密码 admin

能正常访问nacos

[onewe]

我这边也是能正常登录. 可能是 ldap 的配置问题

[onewe]

ldap 是不是启用了 SASL ？

[KeithTt]

@onewe 用根目录下的用户可以登陆，但是有多个 OU 的情况下，子目录下的用户都登陆不了。

类似这个 issue 的情况：#7099

应该不是 LDAP 的配置问题，我们有不少应用都接了 LDAP。

[StandardStudent]

@onewe @KeithTt 我这边看了具体问题，主要原因是配置文件设置的参数，并不能满足公司的ldap组织结构。所以我改了ldap的搜索方法，变为了在组织结构下去搜索相关用户。 这也是大多数软件ldap支持的方式。 这边需要我来提交相关代码么？

[StandardStudent]

我用Docker LDAP 服务测试能正常使用 docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.3.0

docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

添加 LDAP配置信息 到application.properties

登入nacos 用户名字 admin 密码 admin

能正常访问nacos

找到了问题， 我这边公司内的结构包含多级， 且存在多个可变的量。因此配置文件中单一变量的方式不能解决我的问题，所以我从源码中更改了ldap相关方法

[karsonto]

@StandardStudent 感谢，请提交PR参考！

[StandardStudent]

@karsonto 第一次尝试这样做， 请查看 #8029

[karsonto]

感谢!

[KeithTt]

@onewe @karsonto @KomachiSion 2.0.4 upgrade to 2.1.0，升级到最新版发现数据库不兼容，字段报错，有没有升级文档

[karsonto]

你这边指的是ldap login的问题吧？配置文件参考如下
nacos.core.auth.system.type=ldap
nacos.core.auth.ldap.url=ldap://localhost:389
nacos.core.auth.ldap.basedc=dc=example,dc=org
nacos.core.auth.ldap.userDn=cn=admin,${nacos.core.auth.ldap.basedc}
nacos.core.auth.ldap.password=admin
nacos.core.auth.ldap.userdn=cn={0},dc=example,dc=org

[KeithTt]

@karsonto 感谢提供参考配置！

不过我的问题还没到 ldap 配置，我的测试环境是跑在 k8s 集群上，我把镜像版本替换成最新的 2.1.0 之后，集群起不来，看日志提示数据库字段不兼容，不知道是不是要更新数据库呢？

[karsonto]

这块我不是太s熟，你可以把代码clone下来，看看Git logs 再对比一下现有数据库的脚本修改记录就可以

[onewe]

@KeithTt 最新的版本增加配置加密功能,数据库需要增加字段,分别在config_info表,config_info_beta和his_config_info中增加encrypted_data_key字段. 详情请参考发行版中的sql文件

[KeithTt]

@karsonto @onewe 感谢两位！

通过 blame 这个文件 https://github.com/alibaba/nacos/blob/develop/distribution/conf/nacos-mysql.sql ，分别给config_info、config_info_beta和his_config_info三张表添加了encrypted_data_key字段。

再次更新镜像版本到 2.1.0 已经正常启动。遗憾的是，容器版本看起来不支持 ldap。

### The auth system to use, currently only 'nacos' is supported:
nacos.core.auth.system.type=${NACOS_AUTH_SYSTEM_TYPE:nacos}

[onewe]

@KeithTt 容器支持 ldap 有点点麻烦

[KeithTt]

@onewe Sigh... 如果是本地非容器实例的话，要怎么升级呢？

• 更新数据库添加字段
• 停掉一个实例
• 将 2.0.4 的代码备份
• 下载 2.1.0 的代码
• 修改配置
• 启动服务
• 然后轮流升级剩下的两个实例

这样操作对吗？会影响已经在使用 Nacos 的服务吗？

[onewe]

应该行吧,可以演练一下,我没升级过 @KeithTt