Dev - Nexus Repo / NEXUS-16915

certificate errors using LDAP over SSL in HA

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.10.0
    • Fix Version/s: None
    • Component/s: HA, LDAP
    • Labels:
    • Story Points: 3

      Description

      In a cluster configuration, if you configure a connection to an LDAP server that utilizes LDAP over SSL (an "ldaps:" connection) and attempt to store the certificate in the Nexus Truststore, only the node where the connection is created will be able to connect to the LDAP server. 

      If you attempt to click the 'Verify connection' button in the user interface of any other node, you will receive an error in the user interface and an error similar to the following in the nexus.log file:

      2018-04-19 15:59:48,225-0500 ERROR [qtp1461859206-341] admin org.sonatype.nexus.extdirect.internal.ExtDirectServlet - Failed to invoke action method: 
      ldap_LdapServer.verifyUserMapping, 
      java-method: org.sonatype.nexus.ldap.internal.ui.LdapServerComponent.verifyUserMapping
      java.lang.Exception: Failed to connect to LDAP Server: internal_hostname:636 
      [Caused by javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty] 
      [Caused by java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty] 
      [Caused by java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
              at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
              at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
              at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      

      You may also see the following errors in the nexus.log when an authentication attempt is made:

      2018-04-19 15:58:40,867-0500 DEBUG [pool-24-thread-16] admin org.sonatype.nexus.ldap.internal.realms.DefaultLdapContextFactory - Initializing LDAP context using URL [ldaps://internal_hostname:636/dc=foo,dc=bar,dc=local] and username [cn=testuser1,cn=users,dc=foo,dc=bar,dc=local] with pooling [enabled] and environment {java.naming.referral=follow, java.naming.ldap.factory.socket=org.sonatype.nexus.ldap.internal.ssl.ThreadLocalSocketFactory, com.sun.jndi.ldap.connect.timeout=30000, java.naming.security.principal=cn=testuser1,cn=users,dc=foo,dc=bar,dc=local, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.provider.url=ldaps://internal_hostname:636/dc=foo,dc=bar,dc=local, java.naming.security.credentials=***, java.naming.security.authentication=simple}
      2018-04-19 15:58:41,050-0500 WARN  [pool-24-thread-16] admin org.sonatype.nexus.ldap.internal.connector.FailoverLdapConnector - Problem connecting to LDAP server:
      org.sonatype.nexus.ldap.internal.connector.dao.LdapDAOException: Failed to retrieve ldap information for users.
              at org.sonatype.nexus.ldap.internal.connector.DefaultLdapConnector.searchUsers(DefaultLdapConnector.java:197)
              at org.sonatype.nexus.ldap.internal.connector.FailoverLdapConnector.searchUsers(FailoverLdapConnector.java:208)
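The message "the trustAnchors parameter must be non-empty" is raised by the JDK when PKIX parameters are built from a truststore that contains no certificate entries, which is what happens on a node that never received the stored LDAP certificate. The following check is an added example, not code from Nexus or this ticket; it takes a truststore path and optional password as hypothetical command-line arguments and, with no arguments, checks an empty in-memory store to reproduce the error.

```java
import java.io.FileInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collections;

public class TruststoreCheck {

    // Count the entries the JDK would turn into trust anchors.
    public static int trustedCertCount(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    // Build PKIX parameters from the store, as the JDK's PKIX validator does
    // before a TLS handshake; an empty store fails here with
    // "the trustAnchors parameter must be non-empty".
    public static boolean hasTrustAnchors(KeyStore ks) throws Exception {
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.err.println("PKIX init failed: " + e.getMessage());
            return false;
        }
    }

    // Usage (assumed, not a Nexus tool): java TruststoreCheck [path [password]]
    // With no arguments an empty in-memory store is checked, which reproduces
    // the error reported on the non-originating node in this ticket.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (args.length == 0) {
            ks.load(null, null); // empty store: no trust anchors
        } else {
            char[] pw = args.length > 1 ? args[1].toCharArray() : null;
            try (FileInputStream in = new FileInputStream(args[0])) {
                ks.load(in, pw);
            }
        }
        int count = trustedCertCount(ks);
        boolean ok = hasTrustAnchors(ks);
        System.out.println("certificate entries: " + count + ", usable as trust anchors: " + ok);
        System.exit(ok ? 0 : 1);
    }
}
```

Running it against a store exported from each node is a quick way to confirm whether a node is missing the LDAP server certificate before reading the handshake error out of nexus.log.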
      

            People

            Assignee: Matt Johnson (mjohnson)
            Reporter: Wes Wannemacher (wwannemacher)
            Last Updated By: Peter Lynch
            Team: NXRM - Morpheus
            Votes: 0
            Watchers: 4