LDAP authentication in spring boot app

Question

I know almost nothing about LDAP and even less about spring security but I am trying to configure a spring boot app to authenticate against an ldap instance and am stuck.
I was given the ldap server name at adldap.company.com and base dn of dc=ad,dc=company,dc=com

I have some python code that does a simple bind and works.
    import ldap  # python-ldap

    LDAP_USERNAME = 'username@ad.company.com'
    LDAP_PASSWORD = 'password'
    base_dn = 'dc=ad,dc=company,dc=com' # not used for bind I guess, only search

    def simple_bind():
        try:
            ldap_client = ldap.initialize('ldap://adldap.company.com')
            # do not chase AD referrals, they break the bind
            ldap_client.set_option(ldap.OPT_REFERRALS, 0)
            ldap_client.simple_bind_s(LDAP_USERNAME, LDAP_PASSWORD)
        except ldap.INVALID_CREDENTIALS as e:
            ldap_client.unbind()
            return 'Wrong username and password: %s' % e
        except ldap.SERVER_DOWN:
            return 'AD server not available'
        return 'Bound as %s' % LDAP_USERNAME
If I run this code, it seems to successfully bind as "username@ad.company.com" with password "password".

I also have a WebSecurityConfig class that I think should be handling auth:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/secure")
                .authorizeRequests()
                    .anyRequest().fullyAuthenticated()
                    .and()
                .httpBasic();
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // plain LDAP bind: {0} is replaced by the entered username to build a DN
            auth
                .ldapAuthentication()
                    .userDnPatterns("uid={0}")
                    .contextSource()
                        .url("ldap://adldap.company.com");
                        //.url("ldap://adldap.company.com/dc=ad,dc=company,dc=com");
        }
    }
When I go to /secure in the app, I get a basic auth pop up but then anything I try entering gets me a 401 Unauthorized. I have tried "username@ad.company.com", without the domain, putting that stuff in the userDnPatterns like {0}@adldap.company.com and a bunch of other things. I have tried using different URLs with the base dn in it or not. Nothing seems to work. What am I missing?

Also, is this the right way to auth users? I've read about both bind authentication and something about binding and searching but the server doesn't allow anonymous binds so I guess I would need some kind of "app user" that could bind and do the searches, right? Is that "better"?
Recommended answer

Active Directory has its own non-standard syntax for user authentication, different from the usual LDAP DN binding.

Spring Security provides a specialized AuthenticationProvider for Active Directory.

Try this:
    import java.util.Arrays;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.ProviderManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/secure")
                .authorizeRequests()
                    .anyRequest().fullyAuthenticated()
                    .and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
        }

        @Bean
        public AuthenticationManager authenticationManager() {
            return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
        }

        @Bean
        public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
            // first argument is the AD domain (the UPN suffix from the question,
            // ad.company.com), not the server hostname: the provider binds as
            // username@domain and derives the search base dc=ad,dc=company,dc=com
            // from it; second argument is the server URL
            ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider("ad.company.com", "ldap://adldap.company.com");
            // map AD sub-error codes (expired password, locked account, ...) to distinct exceptions
            provider.setConvertSubErrorCodesToExceptions(true);
            // bind with the credentials carried by the incoming Authentication request
            provider.setUseAuthenticationRequestCredentials(true);
            return provider;
        }
    }
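The answer's point is that the provider takes a domain, not a DN, and turns it into both the bind name and the search base. The following Python is an added example, not code from the question, the answer or Spring Security itself; it models what ActiveDirectoryLdapAuthenticationProvider does with its (domain, url) arguments so the constructor call can be checked against the question's data (server adldap.company.com, base DN dc=ad,dc=company,dc=com, UPN suffix ad.company.com) before deploying. All function names are this example's own; the filter shape is the provider's documented default "(&(objectClass=user)(userPrincipalName={0}))".

```python
"""Added example: models how Spring's ActiveDirectoryLdapAuthenticationProvider
uses its (domain, url) arguments. Not the question's, the answer's or Spring's code."""

# Values taken from the question (server name, base DN, UPN suffix).
AD_SERVER_URL = "ldap://adldap.company.com"
QUESTION_BASE_DN = "dc=ad,dc=company,dc=com"
QUESTION_UPN_SUFFIX = "ad.company.com"


def root_dn_from_domain(domain: str) -> str:
    """'ad.company.com' -> 'dc=ad,dc=company,dc=com' (one dc= per DNS label)."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one DNS label")
    return ",".join(f"dc={label}" for label in labels)


def bind_principal(username: str, domain: str) -> str:
    """AD accepts a UPN (user@domain) as the simple-bind name instead of a DN.

    A bare username gets the domain appended; a username that already ends
    with @domain (case-insensitively) is passed through unchanged.
    """
    if not domain or username.lower().endswith("@" + domain.lower()):
        return username
    return f"{username}@{domain}"


# RFC 4515 escapes for the characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text so it cannot change the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(principal: str) -> str:
    """The provider's default user lookup, with the principal escaped."""
    return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(principal)}))"


def _normalise_dn(dn: str) -> str:
    return dn.replace(" ", "").lower()


def domain_matches_base_dn(domain: str, base_dn: str) -> bool:
    """True when the domain argument derives the base DN the directory actually uses."""
    return _normalise_dn(root_dn_from_domain(domain)) == _normalise_dn(base_dn)


def plan_authentication(username: str, domain: str, url: str) -> dict:
    """Everything the provider would do before the bind, collected for review."""
    principal = bind_principal(username, domain)
    return {
        "url": url,
        "bind_principal": principal,
        "search_base": root_dn_from_domain(domain),
        "search_filter": user_search_filter(principal),
    }


if __name__ == "__main__":
    # Compare the hostname (as in the answer) with the UPN suffix (as in the question).
    for domain in ("adldap.company.com", QUESTION_UPN_SUFFIX):
        plan = plan_authentication("username", domain, AD_SERVER_URL)
        ok = domain_matches_base_dn(domain, QUESTION_BASE_DN)
        print(f"domain={domain!r}: search base {plan['search_base']} "
              f"{'matches' if ok else 'does NOT match'} {QUESTION_BASE_DN}")
        print("  bind as", plan["bind_principal"])
        print("  filter ", plan["search_filter"])
```

Running it shows why the two-argument form needs the AD domain rather than the server name: "adldap.company.com" yields a search base of dc=adldap,dc=company,dc=com, which the directory from the question does not have, while "ad.company.com" yields dc=ad,dc=company,dc=com and a bind name of username@ad.company.com, exactly what the working python-ldap bind used. The escaping step is the check a practitioner wants because the entered username ends up inside the user search filter.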