Spring Boot应用程序中的LDAP身份验证 [英] LDAP authentication in spring boot app

问题描述

我对LDAP几乎一无所知，甚至对Spring安全性一无所知，但我正在尝试配置Spring Boot应用程序以针对ldap实例进行身份验证并被卡住.

I know almost nothing about LDAP and even less about spring security but I am trying to configure a spring boot app to authenticate against an ldap instance and am stuck.

在adldap.company.com上给了我ldap服务器名称，并且dc = ad，dc = company，dc = com的基本dn

I was given the ldap server name at adldap.company.com and base dn of dc=ad,dc=company,dc=com

我有一些可以简单绑定并工作的python代码.

I have some python code that does a simple bind and works.

LDAP_USERNAME = 'username@ad.company.com'
LDAP_PASSWORD = 'password'
base_dn = 'dc=ad,dc=company,dc=com' # not used for bind I guess, only search
try:
    ldap_client = ldap.initialize('ldap://adldap.company.com')
    ldap_client.set_option(ldap.OPT_REFERRALS,0)
    ldap_client.simple_bind_s(LDAP_USERNAME, LDAP_PASSWORD)
except ldap.INVALID_CREDENTIALS as e:
    ldap_client.unbind()
    return 'Wrong username and password: %s' % e
except ldap.SERVER_DOWN:
   return 'AD server not available'

如果我运行此代码，它似乎已成功以"username@ad.company.com"和密码"password"绑定.

If I run this code, it seems to successfully bind as "username@ad.company.com" with password "password".

我也有一个WebSecurityConfig类，我认为该类应该处理auth:

I also have a WebSecurityConfig class that I think should be handling auth:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
            .userDnPatterns("uid={0}")
            .contextSource()
            .url("ldap://adldap.company.com");
            //.url("ldap://adldap.company.com/dc=ad,dc=company,dc=com");
    }
}

当我在应用程序中转到/secure时，会弹出一个基本身份验证，但是随后尝试输入的任何内容都会得到401 Unauthorized.我尝试了不带域的"username@ad.company.com"，将这些内容放入了{0}@adldap.company.com之类的userDnPatterns中，以及其他一些东西.我尝试过使用带有基本dn的不同URL.似乎没有任何作用.我想念什么?

When I go to /secure in the app, I get a basic auth pop up but then anything I try entering gets me a 401 Unauthorized. I have tried "username@ad.company.com", without the domain, putting that stuff in the userDnPatterns like {0}@adldap.company.com and a bunch of other things. I have tried using different URLs with the base dn in it or not. Nothing seems to work. What am I missing?

此外，这是对用户进行身份验证的正确方法吗?我已经阅读了绑定身份验证以及有关绑定和搜索的内容，但是服务器不允许匿名绑定，所以我想我需要某种可以绑定并执行搜索的应用程序用户"，对吗?是更好"吗?

Also, is this the right way to auth users? I've read about both bind authentication and something about binding and searching but the server doesn't allow anonyous binds so I guess I would need some kind of "app user" that could bind and do the searches, right? Is that "better"?

推荐答案

Active Directory具有自己的用于用户身份验证的非标准语法，与通常的LDAP DN绑定不同.

Active Directory has its own non-standard syntax for user authentication, different from the usual LDAP DN binding.

Spring Security为Active Directory提供了专门的AuthenticationProvider.

Spring Security provides a specialized AuthenticationProvider for Active Directory.

尝试一下:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }
    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("adldap.company.com", "ldap://adldap.company.com");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}

这篇关于Spring Boot应用程序中的LDAP身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！