JRE 8u192 - javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server

bqjvbblv, posted 2023-06-20 in Java
Follow (0) | Answers (1) | Views (168)

In my application I provide support for both Native AD and LDAP. When I try to authenticate a user with Native AD it works fine, but for LDAP (we need to install the application on Linux) I get javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
Error stack trace:

Caused by: javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
        ...
Caused by: javax.naming.CommunicationException: simple bind failed: mydomain.com:3269
        com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        javax.naming.InitialContext.init(Unknown Source)
        javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)

        ...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching mydomain.com found.
        sun.security.ssl.Alerts.getSSLException(Unknown Source)
        sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        sun.security.ssl.Handshaker.processLoop(Unknown Source)
        sun.security.ssl.Handshaker.process_record(Unknown Source)
        sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        sun.security.ssl.AppOutputStream.write(Unknown Source)
        java.io.BufferedOutputStream.flushBuffer(Unknown Source)
        java.io.BufferedOutputStream.flush(Unknown Source)
        com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
        com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
        com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
        com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        javax.naming.InitialContext.init(Unknown Source)
        javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)

        ...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching mydomain.com found.
        sun.security.util.HostnameChecker.matchDNS(Unknown Source)
        sun.security.util.HostnameChecker.match(Unknown Source)
        sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
        sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
        sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        sun.security.ssl.Handshaker.processLoop(Unknown Source)
        sun.security.ssl.Handshaker.process_record(Unknown Source)
        sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        sun.security.ssl.AppOutputStream.write(Unknown Source)
        java.io.BufferedOutputStream.flushBuffer(Unknown Source)
        java.io.BufferedOutputStream.flush(Unknown Source)
        com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
        com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
        com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
        com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        javax.naming.InitialContext.init(Unknown Source)
        javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)

I have also observed that the same code works fine when I run the application with JRE 1.8.172. It also works on Windows with JRE 1.8.192. I have also added mydomain.com (www.example.com) to my DNS, and I have added the mydomain.com certificate in my code.
A few links:
https://support.cloudbees.com/hc/en-us/articles/204398654-LDAP-javax-net-ssl-SSLHandshakeException-sun-security-validator-ValidatorException-PKIX-path-building-failed
FailedLoginException encountered when using JAAS LdapLoginModule to authenticate with ActiveDirectory
https://confluence.atlassian.com/confkb/java-security-cert-certificateexception-no-subject-alternative-dns-name-matching-hostname-found-452100730.html
https://confluence.atlassian.com/jirakb/java-security-cert-certificateexception-no-subject-alternative-dns-name-matching-hostname-found-297669411.html

xytpbqjk

xytpbqjk1#

In Java 8 Update 181 and later, the default JNDI behaviour changed for clients that connect to a server over SSL. If the hostname in the server's certificate does not match the host the client connects to, the connection is rejected with exactly this message.
The issue and the workaround are described in the Java 8 Update 181 release notes:
Disable endpoint identification with the new system property com.sun.jndi.ldap.object.disableEndpointIdentification. Define this system property (or set it to true) to disable the endpoint identification algorithm.
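A diagnostic worth running before reaching for the disable property, added here as an example and not part of the original question or answer: it binds with endpoint identification left at the 8u181+ default, and when the bind fails it lists the dNSName entries in the server certificate so the LDAP URL can be pointed at a name the certificate actually carries. The host mydomain.com and the global-catalog port 3269 are taken from the question; the bind DN and password are placeholders passed on the command line.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Hashtable;
import java.util.List;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LdapsBindCheck {

    // Simple bind over ldaps:// with hostname verification left enabled.
    static LdapContext bind(String url, String bindDn, String password) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    // Fetch the server's leaf certificate and print its subject and dNSName SANs.
    // A plain SSLSocket checks the chain against the truststore but not the
    // hostname, so this succeeds even when the JNDI bind was rejected.
    static void printServerSans(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Subject: " + leaf.getSubjectX500Principal());
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans == null) { System.out.println("No SAN extension on certificate"); return; }
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) System.out.println("dNSName: " + san.get(1));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String host = "mydomain.com";   // host from the question; replace with your DC's FQDN
        int port = 3269;
        try {
            bind("ldaps://" + host + ":" + port, args[0], args[1]).close();
            System.out.println("bind OK: URL host matches the certificate");
        } catch (CommunicationException e) {
            System.out.println("bind failed: " + e.getRootCause());
            printServerSans(host, port);  // shows which names the URL may use
        }
    }
}
```

If the printed dNSName list contains only the domain controller's FQDN, use that FQDN in the LDAP URL instead of the bare domain name and the bind succeeds with endpoint identification still enforced.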
