Nexus 3.0.1-01 AD Connectivity


Saul Alanis

Aug 8, 2016, 12:07:54 AM
to Nexus Users
Good Day Everyone-

I got AD authentication to work, although it took a couple of tries; initially I just kept getting this error, but I managed to get it functional.

Failed to connect to LDAP Server: domain.com:636 [Caused by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 


Once I realized that I should have configured HTTPS first, that was the next logical step.

Couldn't get HTTPS working with the original keystore and went as far as testing with a separate one altogether. I ended up reverting the changes to get back in after some time; however, AD auth stopped working and now I am in need of a second pair of eyes.

After getting back in w/ the local user, I kept getting the same SSL/PKIX error when testing connectivity, so I created a new LDAP configuration, which was successful searching for my AD account. I also created a new keystore, the first time importing the certificates using the keytool, and then proceeded to use the UI to import the same certificates, all in the name of testing.

Logged off and tried logging in w/ my AD immediately but couldn't, and now testing the server connection isn't working again and I am back to step one.

Prior to logging off the local admin account I enabled debug to capture some logs to prove to myself that I am not completely losing it, and this is what I was able to capture.

Testing connection to AD was successful:

2016-08-07 21:21:16,082-0500 DEBUG [pool-138-thread-8] admin com.softwarementors.extjs.djn.Timer -   - Individual request #1 response data=>{"tid":36,"action":"ldap_LdapServer","method":"read","result":{"success":true,"data":[{"userBaseDn":"ou=Users and Groups","userSubtree":true,"userObjectClass":"user","userLdapFilter":"","userIdAttribute":"sAMAccountName","userRealNameAttribute":"cn","userEmailAddressAttribute":"mail","userPasswordAttribute":"","ldapGroupsAsRoles":true,"groupType":"dynamic","groupBaseDn":null,"groupSubtree":false,"groupObjectClass":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"userMemberOfAttribute":"memberOf","id":"34808a11-3034-49c8-97d7-60f5b507737c","order":1,"name":"ActiveDirectory","url":"ldaps://domain.com:636/dc=domain,dc=com","protocol":"ldaps","useTrustStore":false,"host":"ldap.domain.com","port":636,"searchBase":"dc=domain,dc=com","authScheme":"simple","authRealm":null,"authUsername":"someaccountnamehere","authPassword":"#~NEXUS~PLACEHOLDER~PASSWORD~#","connectionTimeout":30,"connectionRetryDelay":300,"maxIncidentsCount":3}]},"type":"rpc"}: 3.54 ms.


Ran a second test, successfully:

2016-08-07 21:21:16,095-0500 DEBUG [pool-138-thread-14] admin com.softwarementors.extjs.djn.Timer -   - Individual request #5 response data=>{"tid":40,"action":"ldap_LdapServer","method":"readTemplates","result":{"success":true,"data":[{"name":"Active Directory","userBaseDn":"cn=users","userSubtree":false,"userObjectClass":"user","userLdapFilter":null,"userIdAttribute":"sAMAccountName","userRealNameAttribute":"cn","userEmailAddressAttribute":"mail","userPasswordAttribute":null,"ldapGroupsAsRoles":true,"groupType":"dynamic","groupBaseDn":null,"groupSubtree":false,"groupObjectClass":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"userMemberOfAttribute":"memberOf"},{"name":"Posix with Static Groups","userBaseDn":"ou=people","userSubtree":false,"userObjectClass":"posixAccount","userLdapFilter":null,"userIdAttribute":"uid","userRealNameAttribute":"cn","userEmailAddressAttribute":"mail","userPasswordAttribute":null,"ldapGroupsAsRoles":true,"groupType":"static","groupBaseDn":"ou=groups","groupSubtree":false,"groupObjectClass":"posixGroup","groupIdAttribute":"cn","groupMemberAttribute":"memberUid","groupMemberFormat":"${username}","userMemberOfAttribute":null},{"name":"Posix with Dynamic Groups","userBaseDn":"ou=people","userSubtree":false,"userObjectClass":"posixAccount","userLdapFilter":null,"userIdAttribute":"uid","userRealNameAttribute":"cn","userEmailAddressAttribute":"mail","userPasswordAttribute":null,"ldapGroupsAsRoles":true,"groupType":"dynamic","groupBaseDn":null,"groupSubtree":false,"groupObjectClass":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"userMemberOfAttribute":"memberOf"},{"name":"Generic Ldap Server","userBaseDn":null,"userSubtree":false,"userObjectClass":"inetOrgPerson","userLdapFilter":null,"userIdAttribute":"uid","userRealNameAttribute":"cn","userEmailAddressAttribute":"mail","userPasswordAttribute":"userPassword","ldapGroupsAsRoles":true,"groupType":"dynamic","groupBaseDn":null,"groupSubtree":false,"groupObjectClass":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"userMemberOfAttribute":"memberOf"}]},"type":"rpc"}: 11.75 ms.


When I attempt to log back in using my AD creds a minute later I am not able to, although I could search for the account and see that I indeed still have the nxadmin role.

2016-08-07 21:22:00,684-0500 DEBUG [qtp1226738417-159] admin org.sonatype.nexus.ldap.internal.realms.DefaultLdapContextFactory - Initializing LDAP context using URL [ldaps://domain.com:636/dc=domain,dc=com] and username [someaccountnamehere with pooling [enabled] and environment {java.naming.referral=follow, com.sun.jndi.ldap.connect.timeout=30000, java.naming.security.principal=CN=userhere,OU=Default,OU=Users,OU=domain,DC=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://domain,dccom:636/dc=domain,dc=com, java.naming.security.credentials=***, java.naming.security.authentication=simple}


2016-08-07 21:22:00,715-0500 DEBUG [qtp1226738417-159] admin org.sonatype.nexus.extdirect.internal.ExtDirectServlet - Failed to invoke action method: ldap_LdapServer.verifyLogin, java-method: org.sonatype.nexus.ldap.internal.ui.LdapServerComponent.verifyLogin


java.lang.Exception: Failed to connect to LDAP Server: User 'CN=user=Default,OU=Users,OU=domain,OU=Users and Groups,DC=domain,DC=com' cannot be authenticated. [Caused by javax.naming.CommunicationException: ad-domain:636] [Caused by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] [Caused by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] [Caused by sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]


As I mentioned, it was working fine, although a bit troublesome up front getting it to work. Now it is not working at all. Hopefully this is something I may be doing incorrectly and will be an easy fix.


Appreciate all the help!


-SDA




Brian Fox

Aug 8, 2016, 6:16:38 AM
to Saul Alanis, Nexus Users
It seems to not like the ssl certificate offered by your ldaps connection. I wonder if you are round-robining to different servers and that's why it works sometimes. Have you imported and trusted the ssl certificate in the ssl key screen?

--mobile
--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users...@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/b40e8b8f-3a4f-4b26-b924-c417d7947a8f%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.

Saul Alanis

Aug 8, 2016, 7:05:22 AM
to Nexus Users
Thank you Brian. I forgot to mention that we are using a VIP. I also tried adding them as you mentioned in the ssl key screen, but that only got me as far as being able to capture the debug logs, though I didn't remove any that I imported previously using the keytool.

This time I deleted all of the certs (1 root, 2 issuing) and imported, giving me a single issuing certificate. I tested connectivity and am now able to get back in using my AD creds.

For some reason it doesn't like having all of these ^^^, although we have other apps that are connecting fine. I noticed that in the ssl key screen, when you import a certificate, it prompts you to remove it if what you attempt to import is already there.

Again, thank you Brian! Looking forward to getting this all setup nicely.

-SDA


Peter Lynch

Aug 8, 2016, 9:06:29 AM
to Saul Alanis, Nexus Users
Hi Saul,

On Mon, Aug 8, 2016 at 8:05 AM, Saul Alanis <sda...@gmail.com> wrote:
Thank you Brian. I forgot to mention that we are using a VIP. I also tried adding them as you mentioned in the ssl key screen, but only got me

In theory, Nexus should only need to trust the root certificate that all the VIP certificates are signed with. In that case, you'll need to get the root certificate offline and import the root certificate explicitly. Nexus does not yet have a method to extract and trust only the root cert automatically.
 
as far as being able to capture the debug logs - though I didn't remove any that I imported previously using the keytool.

This time I deleted all of the certs (1 root, 2 issuing) and imported giving me a single issuing certificate. I tested connectivity and am now able to get back in using my AD creds.

For some reason it doesn't like having all of these ^^^ although we have other apps that are connecting fine. I noticed that in the ssl key screen when you import a certificate it prompted me to remove it if what you attempt to import is already there.


So is everything working now?
 

Saul Alanis

Aug 8, 2016, 10:58:02 AM
to Nexus Users
Hey Peter,

The last attempt, I got back in by importing it via "load from server" in the SSL certificates UI. I restarted this morning to enable HTTPS and AD auth broke again.

I followed your suggestion, removing all and keeping only the root certificate, after which I am able to get back in using my AD credentials.

Restarted nexus a couple of times and so far so good, AD and HTTPS are working fine.

Thank you for the help.

Sincerely,
SDA
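One way to automate what Brian and Peter describe, as an added example that is not code from the thread or from Sonatype: a POSIX shell script that pulls the chain an LDAPS endpoint (or each member behind the VIP) presents and imports only its top-most CA into a JKS truststore, so the store holds one CA rather than a mix of leaf and issuing certificates. openssl and keytool on PATH, the truststore path and password, and the alias `ldaps-ca` are assumptions; the sample chain is constructed.

```shell
# Added example (not from the thread or Sonatype). Assumes openssl and keytool
# on PATH; host, port, truststore path, password and alias are placeholders.

# Print only the last BEGIN/END CERTIFICATE block from the PEM text on stdin.
# s_client prints the chain leaf-first, so the last block is the highest CA the
# server sends. Behind a VIP, run this per member: a differing last block means
# the members were issued by different CAs and each one has to be trusted.
last_cert_block() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
         inblock { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { inblock = 0; last = buf }
         END { printf "%s", last }'
}

# Count the certificate blocks in a PEM stream on stdin.
count_cert_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the chain from an LDAPS endpoint (plain TLS on the port, no STARTTLS).
fetch_chain() {  # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# Import the endpoint's top-most CA under a fixed alias; deleting the alias first
# keeps the store from accumulating stale copies (the thread's "1 root, 2 issuing").
import_top_ca() {  # $1 = host, $2 = port, $3 = truststore, $4 = storepass
    tmp=$(mktemp) || return 1
    fetch_chain "$1" "$2" | last_cert_block > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no certificate received from $1:$2" >&2; rm -f "$tmp"; return 1
    fi
    # subject == issuer means a root; otherwise the server did not send its
    # root and it has to be obtained out of band, as Peter suggests.
    openssl x509 -in "$tmp" -noout -subject -issuer
    keytool -delete -alias ldaps-ca -keystore "$3" -storepass "$4" 2>/dev/null || true
    keytool -importcert -noprompt -alias ldaps-ca -file "$tmp" -keystore "$3" -storepass "$4"
    rm -f "$tmp"
}

# Constructed two-certificate chain in s_client layout (bodies are placeholders).
SAMPLE_CHAIN='Certificate chain
 0 s:CN=ldap.domain.com
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-BODY
-----END CERTIFICATE-----
 1 s:CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER-BODY
-----END CERTIFICATE-----'
```

Run `import_top_ca ldap.domain.com 636 /path/to/truststore.jks changeit` once per VIP member and compare the printed subject/issuer lines; if they differ between members, every distinct CA has to be imported under its own alias.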
