Spring LDAP/Active Directory with SQL


Problem description

I am trying to enable both JDBC and Active Directory authentication. I made great progress, but currently I am stuck, as the userDetailsService is trying to compare the password in LdapUserDetails, which does not exist. When checking the log I see it is able to query the user, authenticate and get the roles correctly.

I know I should use bindService or so, but until now I couldn't find how to do that.

Here is what I did.

In WebSecurityConfigurerAdapter:

@Autowired
public void configureGlobal(UserDetailsService userDetailsService,
        UserLdapRepositoryUserDetailsService userLdapRepositoryUserDetailsService,
        AuthenticationManagerBuilder auth) throws Exception {
    // Each userDetailsService() call registers its own DaoAuthenticationProvider
    auth
        .userDetailsService(userDetailsService)
        .and()
        .userDetailsService(userLdapRepositoryUserDetailsService);
}

For the LDAP configuration:

@Bean
public BaseLdapPathContextSource contextSource() {
    // Service account the application uses to search the directory
    DefaultSpringSecurityContextSource contextSource =
            new DefaultSpringSecurityContextSource("ldap://XXXXX:389/dc=XXXXXX,dc=co");
    //contextSource.setUserDn("CN=Ali Shahbour,OU=Users,DC=XXXXXXX,DC=co");
    contextSource.setUserDn("XXXXXX");
    contextSource.setPassword("XXXXXX");
    return contextSource;
}

@Bean
@Autowired
public LdapUserSearch userSearch(BaseLdapPathContextSource contextSource) {
    // Locate the user's entry by uid, searching from the context source's base DN
    FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch("", "(uid={0})", contextSource);
    return userSearch;
}

@Bean
@Autowired
public LdapAuthoritiesPopulator authoritiesPopulator(BaseLdapPathContextSource contextSource) {
    // Map the groups under OU=CDRMonitor that list the user as a member to authorities
    DefaultLdapAuthoritiesPopulator authoritiesPopulator =
            new DefaultLdapAuthoritiesPopulator(contextSource, "OU=CDRMonitor");

    authoritiesPopulator.setGroupSearchFilter("(member={0})");
    //authoritiesPopulator.setRolePrefix("ROLE");
    authoritiesPopulator.setSearchSubtree(true);
    //authoritiesPopulator.setConvertToUpperCase(true);

    return authoritiesPopulator;
}

As for the LdapUserDetailsService:

@Service("userLdapRepositoryUserDetailsService")
public class UserLdapRepositoryUserDetailsService extends LdapUserDetailsService {

    // User here is the application's own entity (loaded via UserRepository),
    // not Spring Security's org.springframework.security.core.userdetails.User
    private final UserRepository userRepository;

    @Autowired
    public UserLdapRepositoryUserDetailsService(LdapUserSearch userSearch,
            LdapAuthoritiesPopulator authoritiesPopulator, UserRepository userRepository) {
        super(userSearch, authoritiesPopulator);
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Look the user up in LDAP, then wrap the result together with the local entity
        UserDetails userDetails = super.loadUserByUsername(username);
        //User user = userRepository.findByEmail(username);
        User user = new User();
        return new LdapUserRepositoryUserDetails(user, userDetails);
    }

    @Override
    public void setUserDetailsMapper(UserDetailsContextMapper userDetailsMapper) {
        super.setUserDetailsMapper(userDetailsMapper);
    }

    // Delegates every UserDetails method except getPassword() to the LDAP details
    private static final class LdapUserRepositoryUserDetails extends User implements LdapUserDetails {

        private static final long serialVersionUID = 5639683223516504866L;

        private final LdapUserDetailsImpl ldapUserDetailsImpl;

        private LdapUserRepositoryUserDetails(User user, UserDetails userDetails) {
            super(user);
            ldapUserDetailsImpl = (LdapUserDetailsImpl) userDetails;
        }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            return ldapUserDetailsImpl.getAuthorities();
        }

        @Override
        public String getUsername() {
            return ldapUserDetailsImpl.getUsername();
        }

        @Override
        public boolean isAccountNonExpired() {
            return ldapUserDetailsImpl.isAccountNonExpired();
        }

        @Override
        public boolean isAccountNonLocked() {
            return ldapUserDetailsImpl.isAccountNonLocked();
        }

        @Override
        public boolean isCredentialsNonExpired() {
            return ldapUserDetailsImpl.isCredentialsNonExpired();
        }

        @Override
        public boolean isEnabled() {
            return ldapUserDetailsImpl.isEnabled();
        }

        @Override
        public String getDn() {
            return ldapUserDetailsImpl.getDn();
        }
    }

}

Recommended answer

LDAP and SQL in an authentication context are in general not used together, because LDAP BIND authentication sends the password to the LDAP server instead of retrieving a hash value of the password.

The intended procedure of LDAP authentication is as follows:

  • Usually the Spring Security UsernamePassword filter is activated and used to pick up the credentials. For example, if we have a login form, this filter picks up the credentials when the form is submitted.
  • Next, the LDAP authentication provider performs a login (LDAPBindAuthenticator) against the LDAP server (LDAP ContextSource) to validate the credentials.
  • If the login succeeds, the LDAP authentication provider searches for the user's entry in LDAP. This can be customized by providing a 'usersearch' Spring bean.
  • If the user entry is found, the LDAP authorities mapper maps attributes of the user entry to Spring Security groups/roles. By default these are OU attributes.
  • Finally, a new Authentication object is created with the username and the groups retrieved from LDAP.

How to integrate LDAP authentication using Spring XML is explained here: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/ldap.html
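The bind flow the answer describes, wired in Java config next to a JDBC-backed provider, as an added example that is neither the asker's nor the answerer's code. It keeps the question's WebSecurityConfigurerAdapter style; the host, DNs, search bases, the LDAP_BIND_PASSWORD environment variable and the name jdbcUserDetailsService are placeholders and assumptions, and the SQL-backed UserDetailsService bean is assumed to exist elsewhere in the application. The point it shows is that the LDAP side is registered as an LdapAuthenticationProvider (BindAuthenticator sends the submitted password to the server in a BIND), while only the SQL side goes through DaoAuthenticationProvider, which is the component that compares a locally stored hash.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

/**
 * Added example (not from the question or the answer): LDAP bind authentication
 * registered next to a JDBC-backed DaoAuthenticationProvider. Host, DNs, search
 * bases and the environment variable name are placeholders.
 */
@Configuration
@EnableWebSecurity
public class DualAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed to be defined elsewhere: the application's SQL-backed UserDetailsService.
    private final UserDetailsService jdbcUserDetailsService;

    @Autowired
    public DualAuthSecurityConfig(UserDetailsService jdbcUserDetailsService) {
        this.jdbcUserDetailsService = jdbcUserDetailsService;
    }

    // Service account used only to *search* the directory. The end user's password
    // is never read or compared locally; it travels to the server in a second BIND,
    // so use LDAPS (or StartTLS) rather than cleartext on port 389.
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(
                "ldaps://ldap.example.co:636/dc=example,dc=co");            // placeholder URL
        cs.setUserDn("CN=svc-spring,OU=Service Accounts,DC=example,DC=co"); // placeholder DN
        cs.setPassword(System.getenv("LDAP_BIND_PASSWORD"));               // keep out of source control
        return cs;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        DefaultSpringSecurityContextSource cs = contextSource();

        // Answer steps 2-3: locate the entry, then BIND as that DN with the submitted
        // password. (uid={0}) is the question's filter; Active Directory normally
        // needs (sAMAccountName={0}) or (userPrincipalName={0}) instead.
        FilterBasedLdapUserSearch userSearch =
                new FilterBasedLdapUserSearch("OU=Users", "(uid={0})", cs);
        BindAuthenticator bind = new BindAuthenticator(cs);
        bind.setUserSearch(userSearch);

        // Answer step 4: group membership -> GrantedAuthority. The populator adds the
        // ROLE_ prefix and upper-cases the group name by default.
        DefaultLdapAuthoritiesPopulator groups =
                new DefaultLdapAuthoritiesPopulator(cs, "OU=CDRMonitor");
        groups.setGroupSearchFilter("(member={0})");
        groups.setSearchSubtree(true);

        // SQL side: here the hash *is* stored locally, so DaoAuthenticationProvider
        // is the right component to compare it.
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(jdbcUserDetailsService);
        dao.setPasswordEncoder(new BCryptPasswordEncoder());

        // Order matters: ProviderManager asks each provider in turn and stops at the
        // first non-null Authentication. A BadCredentialsException from the LDAP
        // provider falls through to the JDBC provider, so a user present in both
        // stores can log in with either password; an AccountStatusException stops
        // the chain immediately.
        auth.authenticationProvider(new LdapAuthenticationProvider(bind, groups))
            .authenticationProvider(dao);
    }
}
```

If the directory is specifically Active Directory, Spring Security also ships ActiveDirectoryLdapAuthenticationProvider, which binds directly as user@domain and therefore needs no service account for the user search; the DaoAuthenticationProvider for the SQL users is combined with it in exactly the same way.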
