Spring ActiveDirectoryLdapAuthenticationProvider handleBindException - 提供的密码无效错误 [英] Spring ActiveDirectoryLdapAuthenticationProvider handleBindException - Supplied password was invalid error
问题描述
我们正在尝试使用 Spring security 对我们的企业 LDAP 进行身份验证.我正在使用 ActiveDirectoryLdapAuthenticationProvider.以下是 Spring 配置文件的片段:
We are trying to use Spring security for authenticating against our enterprise LDAP. I'm using ActiveDirectoryLdapAuthenticationProvider. Below is the snippet from the Spring config file:
<security:authentication-manager erase-credentials="true">
<security:authentication-provider ref="ldapActiveDirectoryAuthProvider"/>
</security:authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="DC=xxx,DC=ds,DC=yyy,DC=com" />
<constructor-arg value="ldap://xxx.ds.yyy.com:389" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
我得到:ActiveDirectoryLdapAuthenticationProvider handleBindException Active Directory 身份验证失败:提供的密码无效错误.
我的理解是,这是因为 LDAP 绑定在查找 userDN/凭据时失败.我们如何在配置文件中指定这些信息?
My understanding is that, this is because LDAP bind is failing as it is looking for userDN/credentials. How do we specify this information in the configuration file?
在使用 ActiveDirectoryLdapAuthenticationProvider 之前,我使用 <ldap-authentication-provider> 和 DefaultSpringSecurityContextSource 进行了这项工作.我能够在配置 DefaultSpringSecurityContextSource bean 时指定用户 DN/密码.有人能告诉我如何在使用 ActiveDirectoryLdapAuthenticationProvider 进行配置时指定 userDn 和密码吗?
Prior to using ActiveDirectoryLdapAuthenticationProvider, I had got this working using <ldap-authentication-provider> and DefaultSpringSecurityContextSource. I was able to specify the userDN/password while configuring the DefaultSpringSecurityContextSource bean. Can someone tell me how to specify the userDn and password while configuring using ActiveDirectoryLdapAuthenticationProvider?
推荐答案
看起来您可能对 ActiveDirectoryLdapAuthenticationProvider 的作用和 如何配置.它使用 user@domain.com 形式的类似电子邮件的名称进行绑定,其中 domain.com 是您在第一个构造函数中提供的参数.它不使用标准的 LDAP DN.这是特定于 Active Directory 的,而不是标准 LDAP 的一部分.您可能还想看看 该类的源代码和Javadoc.
It looks like you might be a bit confused about what ActiveDirectoryLdapAuthenticationProvider does and how to configure it. It binds using an email-like name in the form user@domain.com where domain.com is the argument you've supplied in the first constructor. It doesn't use a standard LDAP DN. This is specific to Active Directory and not part of standard LDAP.
You might also want to take a look at the source and Javadoc for the class.
如果您的设置中已经有一个标准的 LDAP 身份验证配置,那么不清楚为什么要更改.您可能最好坚持使用现有的,因为它不会与 ActiveDirectoryLdapAuthenticationProvider 直接兼容.
If you already had a standard LDAP authentication configuration working with your setup, then it's not clear why you would want to change. You're probably better sticking with what you have as it won't be directly compatible with ActiveDirectoryLdapAuthenticationProvider.
这篇关于Spring ActiveDirectoryLdapAuthenticationProvider handleBindException - 提供的密码无效错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
