- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.24.0
- Fix Version/s: 3.25.0
- Labels:
- Notability: 3

Set up an LDAP server using the "simple authentication" authentication method. Also configure the "user and group" settings. Save.
Now go to the "user and group" settings, make a change to them, and attempt to save. This fails, and the UI shows the error "connection.systemUsername".
The log shows:
2020-05-12 11:21:10,385-0500 ERROR [qtp743319359-197] admin org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: ldap_LdapServer.update, java-method: org.sonatype.nexus.ldap.internal.ui.LdapServerComponent.update
java.lang.IllegalArgumentException: connection.systemUsername
at com.google.common.base.Preconditions.checkArgument(Preconditions.java:135)
at org.sonatype.nexus.ldap.persist.internal.Validator.validate(Validator.java:53)
at org.sonatype.nexus.ldap.persist.internal.Validator.validate(Validator.java:39)
at org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager.updateLdapServerConfiguration(DefaultLdapConfigurationManager.java:167)
at org.sonatype.nexus.ldap.persist.LdapConfigurationManager$updateLdapServerConfiguration$2.call(Unknown Source)
at org.sonatype.nexus.ldap.internal.ui.LdapServerComponent.update(LdapServerComponent.groovy:137)
at com.palominolabs.metrics.guice.ExceptionMeteredInterceptor.invoke(ExceptionMeteredInterceptor.java:23)
at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:26)
at org.sonatype.nexus.validation.internal.ValidationInterceptor.invoke(ValidationInterceptor.java:53)
at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
This is a regression introduced by the changes made for NEXUS-23556.
Workaround: Enter the system user password on the connection screen, do not save, go to the "user and group" settings screen, make the change, and save.
Make a change to the "user and group" settings screen, save.
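
A log check for the failure signature shown above, as an added example that is not part of the report or of the Nexus code base: it scans Nexus log lines for a failed ldap_LdapServer.update call whose exception line is connection.systemUsername, and reports when it happened and which user triggered it. The header regex is inferred from the single log line in the report, and the INFO line and the second ERROR entry in the sample are constructed.

```python
import re

# Nexus log header: timestamp, level, [thread], user, logger - message
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\]\s+(?P<user>\S+)\s+"
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)
ACTION = "action method: ldap_LdapServer.update,"
EXCEPTION = "java.lang.IllegalArgumentException: connection.systemUsername"


def find_ldap_update_failures(lines):
    """Return a record for each failed ldap_LdapServer.update whose
    exception line is the connection.systemUsername validation error."""
    hits, pending = [], None
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            pending = None
            if m["level"] == "ERROR" and ACTION in m["msg"]:
                pending = {"timestamp": m["ts"], "user": m["user"]}
        elif pending is not None:
            # Only the line directly after the header names the exception.
            if line == EXCEPTION:
                hits.append(pending)
            pending = None
    return hits


PREFIX = "[qtp743319359-197] admin org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - "
FAILED = ("Failed to invoke action method: ldap_LdapServer.update, java-method: "
          "org.sonatype.nexus.ldap.internal.ui.LdapServerComponent.update")
SAMPLE = [
    # Constructed: unrelated line that must be ignored.
    "2020-05-12 11:20:58,101-0500 INFO [qtp743319359-190] admin com.example.Placeholder - constructed noise",
    # From the report above.
    "2020-05-12 11:21:10,385-0500 ERROR " + PREFIX + FAILED,
    EXCEPTION,
    "at com.google.common.base.Preconditions.checkArgument(Preconditions.java:135)",
    # Constructed: same action failing for a different reason, not this bug.
    "2020-05-12 11:25:00,000-0500 ERROR " + PREFIX + FAILED,
    "java.lang.IllegalStateException: constructed unrelated failure",
]

if __name__ == "__main__":
    for hit in find_ldap_update_failures(SAMPLE):
        print(hit["timestamp"], hit["user"], "ldap_LdapServer.update rejected: connection.systemUsername")
```
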

- is caused by: NEXUS-23556 CVE-2020-11415: LDAP system credentials can be exposed by admin user (Closed)
- is related to: NEXUS-23887 LDAP connection UI looks broken, constantly prompts for password (Closed)