Nexus3 - cannot login via LDAP or admin


Samuli Saarinen

Oct 31, 2016, 3:02:08 AM
to Nexus Users

Hi,

I'm having trouble with Nexus 3 (OSS 3.0.3-02) login. I have configured authentication against our internal AD instance and it was working fine. But last time when I tried to log in it just gives me the login failed warning. For every login attempt the following line is printed:

2016-10-31 06:50:59,551+0000 WARN  [qtp355642296-10421] *UNKNOWN org.sonatype.nexus.ldap.internal.connector.FailoverLdapConnector - Problem connecting to LDAP server: org.sonatype.nexus.ldap.internal.connector.dao.LdapDAOException: Failed to retrieve ldap information for users.

This happens also with the "admin" account that should be (afaik) stored in Nexus.

Is there a way to somehow get access back without the need to reinstall the whole thing from scratch?

Br,
Samuli

Fraser Goffin

Oct 31, 2016, 4:41:01 AM
to Samuli Saarinen, Nexus Users
Is it possible that your AD bind account password has changed?

Fraser.

Peter Lynch

Nov 1, 2016, 4:32:17 PM
to Fraser Goffin, Samuli Saarinen, Nexus Users
Hi Samuli,

The original cause of this can be a number of things - certainly our expectation is that one would not need a complete reinstall to get this working again.

I will send you the instructions to reset the admin user privately for now as it involves some database instructions we have opted to not yet make public.

If you want us to take a closer look at the original issue, open an issue at https://issues.sonatype.com/browse/NEXUS and upload a support zip there. By default this issue will only be visible to the development team and you.

-Peter


Jody Shumaker

Nov 18, 2016, 7:11:14 PM
to Nexus Users
It's frustrating hearing those instructions are not yet made public, I've spent the past hour trying to find them.

I'm trying to do an upgrade from 2 to 3. After importing settings, my ldap login is working, but my user account lost admin privileges. I'm locked out from admin operations.

I need some way to get admin back, or the upgrade is never going to work. Admin login isn't working either. In the past the go-to was to edit server.xml, change to only xml, and potentially reset the password, then start back up and try to get things working with ldap correctly again.

Can I get these instructions as well, and can you strongly consider posting these publicly, or giving some alternative method of accomplishing this that doesn't involve directly mucking with the database?

Thanks,
Jody


Rich Seddon

Nov 18, 2016, 8:22:06 PM
to Nexus Users

Samuli Saarinen

Nov 19, 2016, 2:39:03 AM
to Jody Shumaker, Nexus Users
FWIW I tried the instructions but was still not able to gain access back.

I'll leave it to Peter to pass the instructions to you to see if those can help in your situation.

Br, Samuli

Jody Shumaker

Nov 19, 2016, 10:05:38 AM
to Nexus Users, Samuli Saarinen
Much appreciated making it public. It didn't fully allow me to reconnect, but the link to orientdb reference and seeing what was being done did put me on the right path.

I first confirmed the default realms were there and in appropriate order:

orient:select from realm

+----+-----+------+----------------------------------------------------------------------+
|#   |@RID |@CLASS|realm_names                                                           |
+----+-----+------+----------------------------------------------------------------------+
|0   |#15:0|realm |[NexusAuthenticatingRealm,NexusAuthorizingRealm,LdapRealm,NuGetApiKey]|
+----+-----+------+----------------------------------------------------------------------+

Then I took a look at the admin user and noticed the problem:
orient:select 'from user where id="admin"'

+----+-----+------+--------+---------+---------+----------+------------------+---------------------------------------------------------------------------------+
|#   |@RID |@CLASS|status  |id       |firstName|lastName  |email             |password                                                                         |
+----+-----+------+--------+---------+---------+----------+------------------+---------------------------------------------------------------------------------+
|0   |#11:0|user  |disabled|admin    |Admini...|User      |changeme@yourco...|$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+...|
+----+-----+------+--------+---------+---------+----------+------------------+---------------------------------------------------------------------------------+

User was disabled. After doing this:

orient:update 'user SET status="active" UPSERT WHERE id="admin"'

I was able to successfully log in! You might want to consider adding this for other users.

The confusing thing is in Nexus 2 where I imported from, admin user is active. It looks like the import changed it to disabled.  I probably could have only activated it and my old password would have worked.

Samuli, if you still have any need for this, it might help solve your problem.

Rich and Peter, there might be a bug with the import where it disables the admin account?

It also did not import Nexus 2 settings for LDAP users I had set in Nexus, which explains why my account no longer had admin. This wasn't listed under "What Is Not Upgraded", which leads me to believe it is a bug. The LDAP role mappings were imported, which is why I was able to log in. We had however only set certain users as admins directly in Nexus instead of mapping an LDAP group.

Thanks,
Jody
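
The two checks described in the post above (active realm list, then the status of the admin user), as an added example that is not part of the original thread and is not Sonatype's code. The function names, the `LOCAL_REALMS` tuple and the reading of "appropriate order" as "local realm before LdapRealm" are assumptions; the sample tables are constructed in the shape of the console output quoted in the post.

```python
# Constructed sample input: OrientDB console output in the shape quoted in the post
# (password column left out; it is not needed for the check).
REALM_OUT = """\
+----+-----+------+----------------------------------------------------------------------+
|#   |@RID |@CLASS|realm_names                                                           |
+----+-----+------+----------------------------------------------------------------------+
|0   |#15:0|realm |[NexusAuthenticatingRealm,NexusAuthorizingRealm,LdapRealm,NuGetApiKey]|
+----+-----+------+----------------------------------------------------------------------+
"""
USER_OUT = """\
+----+-----+------+--------+-----+
|#   |@RID |@CLASS|status  |id   |
+----+-----+------+--------+-----+
|0   |#11:0|user  |disabled|admin|
+----+-----+------+--------+-----+
"""
# Assumption: the realms a local (non-LDAP) account depends on, named as in the post.
LOCAL_REALMS = ("NexusAuthenticatingRealm", "NexusAuthorizingRealm")


def parse_table(text):
    """Turn a console ASCII table into a list of dicts keyed by column name."""
    rows = [[cell.strip() for cell in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    return [dict(zip(rows[0], row)) for row in rows[1:]] if rows else []


def diagnose(realm_out, user_out, user_id="admin"):
    """Return findings that would explain why a local account cannot log in."""
    findings, realms = [], []
    for row in parse_table(realm_out):
        names = row.get("realm_names", "").strip("[]")
        realms = [n.strip() for n in names.split(",") if n.strip()]
    for name in LOCAL_REALMS:
        if name not in realms:
            findings.append(f"realm {name} is not in the active realm list")
    # Assumption: "appropriate order" means the local realm precedes LdapRealm.
    if {"LdapRealm", LOCAL_REALMS[0]} <= set(realms) and \
            realms.index("LdapRealm") < realms.index(LOCAL_REALMS[0]):
        findings.append("LdapRealm is ordered before the local realm")
    users = [u for u in parse_table(user_out) if u.get("id") == user_id]
    if not users:
        findings.append(f"user {user_id} not found")
    for user in users:
        if user.get("status") != "active":
            findings.append(f"user {user_id} has status {user.get('status')}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(REALM_OUT, USER_OUT):
        print(finding)
```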

Jody Shumaker

Nov 19, 2016, 10:08:54 AM
to Nexus Users, samuli....@gmail.com
Sorry, ignore this part:
> It also did not import Nexus 2 settings for LDAP users I had set in Nexus, which explains why my account no longer had admin. This wasn't listed under "What Is Not Upgraded", which leads me to believe it is a bug. The LDAP role mappings were imported which is why I was able to log in. We had however only set certain users as admins directly in Nexus instead of mapping an LDAP group

For some reason this is all working correctly now, not sure why it wasn't before. Looking through users now I saw the accounts I expected with privileges I expected, and without any changes besides the admin activation and password shuffling, my LDAP account has admin again.

Thanks, Jody