使用 JAAS LdapLoginModule 向 ActiveDirectory 进行身份验证时遇到 FailedLoginException [英] FailedLoginException encountered when using JAAS LdapLoginModule to authenticate with ActiveDirectory
问题描述
我正在竭尽全力尝试让 LDAP 身份验证与 Active Directory 一起使用.
我们刚刚设置了一个 SharePoint Server 2010,我们认为根据 Active Directory 对用户进行身份验证也是一个好主意,因为它已经存在于 SharePoint 中.我们的环境是 Windows Server 2008 R2 Standard.
我有一个用户名为 ahsieh@rdl.com.tw
根据这个答案
但是,我无法进行身份验证.我已经按照 LdapLoginModule API
以下是我遇到的错误:
1.搜索优先模式:
注意:我没有指定 authzIdentity,因为我在 AD 上没有该设置
JAAS 配置:
AESLogin_AD1 {com.sun.security.auth.module.LdapLoginModule 需要userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"userFilter="(&(uid={USERNAME})(objectClass=User))"使用 SSL=false调试=真;};结果:
[LdapLoginModule] 搜索优先模式;SSL 已禁用[LdapLoginModule] 用户提供者:ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw[LdapLoginModule] 搜索属于用户的条目:ahsieh@rdl.com.tw[LdapLoginModule] 身份验证失败[LdapLoginModule] 中止身份验证javax.security.auth.login.FailedLoginException:找不到用户的 LDAP 条目<强>2.身份验证优先模式
JAAS 配置:
AESLogin_AD2 {com.sun.security.auth.module.LdapLoginModule 需要userProvider="ldap:///CN=Users,DC=rdl,DC=com,DC=tw"authIdentity="{USERNAME}"userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"使用 SSL=false调试=真;};结果:
[LdapLoginModule] 认证优先模式;SSL 已禁用[LdapLoginModule] 用户提供者:ldap:///CN=Users,DC=rdl,DC=com,DC=tw[LdapLoginModule] 尝试验证用户:ahsieh@rdl.com.tw[LdapLoginModule] 身份验证失败[LdapLoginModule] 中止身份验证javax.security.auth.login.FailedLoginException:无法绑定到 LDAP 服务器3.仅认证模式
注意:我没有指定 authzIdentity,因为我在 AD 上没有该设置
JAAS 配置:
AESLogin_AD3 {com.sun.security.auth.module.LdapLoginModule 需要userProvider="ldap://192.168.0.81:389"authIdentity="CN={USERNAME},CN=Users,DC=rdl,DC=com,DC=tw"使用 SSL=false调试=真;};结果:
[LdapLoginModule] 仅认证模式;SSL 已禁用[LdapLoginModule] 用户提供者:ldap://192.168.0.81:389[LdapLoginModule] 尝试验证用户:ahsieh@rdl.com.tw[LdapLoginModule] 身份验证失败[LdapLoginModule] 中止身份验证javax.security.auth.login.FailedLoginException:无法绑定到 LDAP 服务器我还根据我在互联网上遇到的一些示例尝试了另一种配置:
4.来自其他示例的配置
JAAS 配置:
AESLogin_AD4 {com.sun.security.auth.module.LdapLoginModule 需要userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"authIdentity="{USERNAME}"使用 SSL=false调试=真;};结果:
[LdapLoginModule] 仅认证模式;SSL 已禁用[LdapLoginModule] 用户提供者:ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw[LdapLoginModule] 尝试验证用户:ahsieh@rdl.com.tw[LdapLoginModule] 无法创建 LdapPrincipal: bad DN[LdapLoginModule] 身份验证失败[LdapLoginModule] 中止身份验证javax.security.auth.login.FailedLoginException:无法创建 LdapPrincipal注意:我的第四次试验似乎略有进展,因为至少 LDAP 绑定似乎有效,但现在问题似乎是 cannot create LdapPrincipal: bad DN
我已经查看了 LdapLoginModule 的源代码,通过匹配调试消息,这似乎是由(从第 837 行开始)引起的:
试试{ldapPrincipal = 新的 LdapPrincipal(dn);} 捕捉(InvalidNameException e){如果(调试){System.out.println(" [LdapLoginModule]" +"无法创建 LdapPrincipal: 错误的 DN");}抛出(登录异常)new FailedLoginException("无法创建 LdapPrincipal").initCause(e);}并基于 LdapPrincipal API,InvalidNameException 被抛出如果检测到语法违规,但我有不知道语法违规在哪里.
我也不知道如何调试它.
任何帮助将不胜感激!谢谢!
我在网上浏览了很多文章,终于从Bonitasoft的问答中找到了解决方案用于 Active Directory LDAP 的 JAAS 配置
JAAS 配置:
AESLogin_ADx {com.sun.security.auth.module.LdapLoginModule 需要userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"authIdentity="{USERNAME}@rdl.com.tw"userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"使用 SSL=false调试=真;};结果:
[LdapLoginModule] 认证优先模式;SSL 已禁用[LdapLoginModule] 用户提供者:ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw[LdapLoginModule] 尝试对用户进行身份验证:ahsieh[LdapLoginModule] 搜索属于用户的条目:ahsieh[LdapLoginModule] 找到条目:CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw[LdapLoginModule] 认证成功[LdapLoginModule] 将 LdapPrincipal "CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw" 添加到主题[LdapLoginModule] 将 UserPrincipal "ahsieh" 添加到主题I'm pulling my hair out try to get LDAP authentication to work with Active Directory.
We've just setup a SharePoint Server 2010 and we thought it would be a good idea to also authenticate users against the Active Directory given it's already there for SharePoint. Our environment is Windows Server 2008 R2 Standard.
I have one user with username of ahsieh@rdl.com.tw
According to this answer https://serverfault.com/a/130556 my provider URL should be ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw (note that instead of using the hostname of vm-sps.rdl.com.tw, I've elected to use the IP address as I've not had the time to configure DNS entry for the said server)
Just to be sure, I've run the dsquery command on the server:
However, I just can't get the authentication work. I've tried all three type of JAAS config as per LdapLoginModule API
Below are the errors I encounter:
1. Search-first mode:
NOTE: I've NOT specified authzIdentity as I don't have that setup on AD
JAAS Config:
AESLogin_AD1 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
userFilter="(&(uid={USERNAME})(objectClass=User))"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] searching for entry belonging to user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
2. Authentication-first mode
JAAS Config:
AESLogin_AD2 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap:///CN=Users,DC=rdl,DC=com,DC=tw"
authIdentity="{USERNAME}"
userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap:///CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
3. Authentication-only mode
NOTE: I've NOT specified authzIdentity as I don't have that setup on AD
JAAS Config:
AESLogin_AD3 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389"
authIdentity="CN={USERNAME},CN=Users,DC=rdl,DC=com,DC=tw"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
I've also tried another config based on some examples I've come across on the internet:
4. Config from other example
JAAS Config:
AESLogin_AD4 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
authIdentity="{USERNAME}"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] cannot create LdapPrincipal: bad DN
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot create LdapPrincipal
NOTE: My fourth trial seems to show slight progress, as at least LDAP binding seems to work but now the issues seems to be cannot create LdapPrincipal: bad DN
I've gone into the source code for LdapLoginModule and by matching the debug message, seems this was caused by (starting Line 837):
try {
ldapPrincipal = new LdapPrincipal(dn);
} catch (InvalidNameException e) {
if (debug) {
System.out.println(" [LdapLoginModule] " +
"cannot create LdapPrincipal: bad DN");
}
throw (LoginException)
new FailedLoginException("Cannot create LdapPrincipal")
.initCause(e);
}
And based on the LdapPrincipal API, InvalidNameException is thrown If a syntax violation is detected, but I have no idea where the syntax violation is.
Nor have I any idea how to debug this.
Any help will be much appreciated! Thanks!
I've gone through many more articles on the net and finally found the solution from Bonitasoft's Q&A JAAS config for Active Directory LDAP
JAAS Config:
AESLogin_ADx {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
authIdentity="{USERNAME}@rdl.com.tw"
userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh
[LdapLoginModule] searching for entry belonging to user: ahsieh
[LdapLoginModule] found entry: CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw" to Subject
[LdapLoginModule] added UserPrincipal "ahsieh" to Subject
这篇关于使用 JAAS LdapLoginModule 向 ActiveDirectory 进行身份验证时遇到 FailedLoginException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
