【Title】: wildfly/eap domain mode remoting ldap authentication
【Posted】: 2018-04-06 15:14:58
【Description】:

I have a question about Wildfly 10/11/12. I successfully set up wf in domain mode with http management using full AD authentication. I cannot get the remoting port 4447 to use AD auth. I tested it with the local mgmt-users.properties and mgmt-groups.properties and everything works.

Now I am testing this:

1) Ldap works for http://127.0.0.1:9990/console/ (my user has all the AD groups)

2) Ldap works with jconsole service:jmx:remote+http://127.0.0.1:9990 (domain controller)

3) AD auth does not work, while with local mgmt-users everything works: service:jmx:remote+http://127.0.0.1:4447 service:jmx:remote://127.0.0.1:4447

Why do I need this? I need to monitor the datasource statistics of each server. Monitoring on the HC does not give me this data. This configuration uses 2 ldaps: one for http management and the other for testing the remoting port (RemotingRealm). Could you help me get both ldaps working?

I enabled remoting in domain mode using this method: https://kb.novaordis.com/index.php/JMX_Access_to_Domain_Mode_EAP_7_Server_Node

Full domain and host files:

https://tomashermanek.cz/download/domain.xml

https://tomashermanek.cz/download/host.xml

domain.xml

...
    <management>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <group name="_wildfly_adm"/>
                    </include>
                </role>
                <role name="Administrator">
                    <include>
                        <group name="_wildfly_adm"/>
                    </include>
                </role>
                <role name="Auditor">
                    <include>
                        <group name="_wildfly_audit"/>
                    </include>
                </role>
                <role name="Deployer">
                    <include>
                        <group name="_wildfly_deploy"/>
                    </include>
                </role>
                <role name="Maintainer">
                    <include>
                        <group name="_wildfly_maintain"/>
                    </include>
                </role>
                <role name="Monitor">
                    <include>
                        <group name="_wildfly_monit"/>
                    </include>
                </role>
                <role name="Operator">
                    <include>
                        <group name="_wildfly_ops"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
    </management>
...
            <subsystem xmlns="urn:jboss:domain:jmx:1.3">
                <expose-resolved-model/>
                <expose-expression-model/>
                <remoting-connector use-management-endpoint="false"/>
                <sensitivity non-core-mbeans="true"/>
            </subsystem>
            <subsystem xmlns
...
            <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
                <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
            </subsystem>
...
    <socket-binding-groups>
        <socket-binding-group name="ha-sockets" default-interface="public">
            <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
            <socket-binding name="http" port="${jboss.http.port:8080}"/>
            <socket-binding name="https" port="${jboss.https.port:8443}"/>
            <socket-binding name="jgroups-mping" interface="private" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
            <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
            <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
            <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
            <socket-binding name="txn-recovery-environment" port="4712"/>
            <socket-binding name="txn-status-manager" port="4713"/>
            <socket-binding name="remoting" port="4447"/>
            <outbound-socket-binding name="mail-smtp">
                <remote-destination host="localhost" port="25"/>
            </outbound-socket-binding>
        </socket-binding-group>

host.xml

...
            <security-realm name="LdapRealm">
                <authentication>
                    <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
                        <username-filter attribute="sAMAccountName"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="ldap">
                        <group-search group-dn-attribute="cn" group-name-attribute="cn">
                            <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=Groups,OU=Corp-Restricted,DC=example,DC=internal">
                                <membership-filter principal-attribute="member"/>
                            </group-to-principal>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>
            <security-realm name="RemotingRealm">
                <authentication>
                    <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
                        <username-filter attribute="sAMAccountName"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="ldap">
                        <group-search group-dn-attribute="cn" group-name-attribute="cn">
                            <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=Groups,OU=Corp-Restricted,DC=example,DC=internal">
                                <membership-filter principal-attribute="member"/>
                            </group-to-principal>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>
        </security-realms>
        <outbound-connections>
            <ldap name="ldap" url="ldap://ldap.server.one">
                <properties>
                    <property name="java.naming.security.principal" value="search_user"/>
                    <property name="java.naming.security.credentials" value="password" />
                    <property name="java.naming.security.authentication" value="simple" />
                </properties>
            </ldap>
        </outbound-connections>
...
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="LdapRealm">
                <http-upgrade enabled="true"/>
                <socket interface="management" port="${jboss.management.http.port:9990}"/>
            </http-interface>
        </management-interfaces>

Log from server dev-001

2018-04-06 15:26:16,598 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = tomas.hermanek
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Performing recursive search
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,621 TRACE [org.wildfly.security] (default task-1) Principal assigning: [tomas.hermanek], pre-realm rewritten: [tomas.hermanek@RemotingRealm], realm name: [PLAIN], post-realm rewritten: [tomas.hermanek@RemotingRealm], realm rewritten: [tomas.hermanek@RemotingRealm]
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Performing recursive search
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,641 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05013: Authentication mechanism password not verified
    at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:127)
    at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
    at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
    at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
    at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:745)

2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection

【Question discussion】:

    Tags: jboss ldap jmx remoting jconsole
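The TRACE output above already contains the answer to "where does the attempt die": the realm finds the user through the outbound LDAP connection twice, then the SASL server rejects the client with ELY05013 before any password is verified. The script below is an added example for this page (it is not WildFly code and not the poster's): it groups the TRACE lines by server thread, records the user, the security realm, the SASL mechanism (taken from the innermost stack frame), the LDAP searches and provider URLs, and the outcome, and then emits the findings a practitioner would check first. The sample log is constructed from the lines in the question; the record field names and the wording of the findings are this example's own.

```python
"""Summarise a WildFly/Elytron remoting authentication attempt from TRACE logs.

Added example for this page, not WildFly code: groups TRACE lines by server
thread, records what the realm did, and lists findings worth checking first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the question's lines, trimmed to one attempt plus
# the first two frames of the stack trace.
SAMPLE_LOG = """\
2018-04-06 15:26:16,598 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = tomas.hermanek
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,621 TRACE [org.wildfly.security] (default task-1) Principal assigning: [tomas.hermanek], pre-realm rewritten: [tomas.hermanek@RemotingRealm], realm name: [PLAIN], post-realm rewritten: [tomas.hermanek@RemotingRealm], realm rewritten: [tomas.hermanek@RemotingRealm]
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,641 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05013: Authentication mechanism password not verified
    at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:127)
    at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection
"""

HEADER = re.compile(r'^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] '
                    r'\((?P<thread>[^)]+)\) (?P<msg>.*)$')
NAME = re.compile(r'Handling NameCallback: authenticationName = (?P<user>\S+)')
SEARCH = re.compile(r"Searching for user '(?P<user>[^']+)' using filter '(?P<filter>[^']+)'")
CONNECT = re.compile(r'java\.naming\.provider\.url=(?P<url>[^,}\s]+)')
PRINCIPAL = re.compile(r'pre-realm rewritten: \[[^\]@]*@(?P<realm>[^\]]+)\]'
                       r'.*?realm name: \[(?P<name>[^\]]+)\]')
COMPLETE = re.compile(r'Handling AuthenticationCompleteCallback: (?P<result>\w+)')
REJECT = re.compile(r'authentication rejected: (?P<exc>[\w.$]+): (?P<code>[A-Z]+\d+): (?P<reason>.*)')
# Innermost SASL frame names the mechanism implementation that rejected the client.
SASL_FRAME = re.compile(r'at org\.wildfly\.security\.sasl\.(?P<mech>\w+)\.\w*SaslServer\.evaluateResponse')


@dataclass
class AuthAttempt:
    thread: str
    user: str = ''
    security_realm: str = ''   # legacy security realm, from "pre-realm rewritten"
    realm_name: str = ''       # Elytron realm name as logged, e.g. PLAIN
    mechanism: str = ''        # SASL mechanism, from the stack trace
    ldap_filter: str = ''
    ldap_urls: list = field(default_factory=list)
    ldap_searches: int = 0
    result: str = ''
    error_code: str = ''
    reason: str = ''
    closed: bool = False


def parse_attempts(text):
    """Return one AuthAttempt per server thread seen in the TRACE output."""
    attempts, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if not h:
            # Stack-frame continuation lines have no header; attribute them to the last thread.
            m = SASL_FRAME.search(line)
            if m and current is not None and not current.mechanism:
                current.mechanism = m['mech'].upper()
            continue
        current = attempts.setdefault(h['thread'], AuthAttempt(thread=h['thread']))
        msg = h['msg']
        if m := NAME.search(msg):
            current.user = m['user']
        elif m := SEARCH.search(msg):
            current.ldap_filter, current.ldap_searches = m['filter'], current.ldap_searches + 1
        elif m := CONNECT.search(msg):
            current.ldap_urls.append(m['url'])
        elif m := PRINCIPAL.search(msg):
            current.security_realm, current.realm_name = m['realm'], m['name']
        elif m := COMPLETE.search(msg):
            current.result = m['result']
        elif m := REJECT.search(msg):
            current.error_code, current.reason = m['code'], m['reason']
        elif 'closing the connection' in msg:
            current.closed = True
    return list(attempts.values())


def findings(a):
    """Findings a practitioner should look at for one attempt (empty if nothing stands out)."""
    notes = []
    if a.result == 'fail' or a.error_code:
        notes.append(f"{a.mechanism or '?'} authentication of '{a.user}' against realm "
                     f"{a.security_realm} rejected with {a.error_code}: {a.reason}")
        if a.ldap_searches:
            notes.append(f"the LDAP user search (filter {a.ldap_filter}) ran {a.ldap_searches} "
                         "time(s) before the rejection, so the outbound connection and the user "
                         "lookup work; the failure is in the password check that follows")
    for url in sorted(set(a.ldap_urls)):
        if url.startswith('ldap://'):
            notes.append(f"outbound LDAP connection {url} is unencrypted: the search-user bind "
                         "and every user-password bind cross the network in cleartext "
                         "(use ldaps:// or StartTLS)")
    if a.mechanism == 'PLAIN':
        notes.append("SASL PLAIN carries the client password in cleartext inside the remoting "
                     "stream; only expose it on a TLS-protected connector")
    return notes


if __name__ == '__main__':
    for attempt in parse_attempts(SAMPLE_LOG):
        print(f"thread={attempt.thread} user={attempt.user} realm={attempt.security_realm} "
              f"mech={attempt.mechanism} result={attempt.result} code={attempt.error_code}")
        for note in findings(attempt):
            print(' -', note)
```

Run it against a server log captured with `org.wildfly.security`, `org.jboss.as.domain.management.security` and `org.jboss.remoting` at TRACE; each remoting connection is handled on its own worker thread, so grouping by thread keeps concurrent attempts apart. The two cleartext findings apply to the posted configuration as well: the outbound connection is `ldap://` with a simple bind, and port 4447 is a plain remoting connector, so both the search user's password and the password of anyone authenticating through RemotingRealm travel unencrypted.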


    【Answer 1】:

    If LdapRealm and RemotingRealm are the same, and it still does not work even when you replace RemotingRealm with LdapRealm, then it seems to be a bug.

    【Discussion】:
