What login name to use for Spring LDAP authentication

Question

I created a local LDAP server and added the user "djiao" with password "123456".

Trying to implement authentication with Spring Security with Spring Boot. My webconfig class is as follows:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.event.LoggerListener;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .formLogin();
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Empty domain, local server on port 10389
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("", "ldap://localhost:10389");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Bean
    public LoggerListener loggerListener() {
        return new LoggerListener();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }
}

However I can't seem to log in from the login page.

  1. If I use djiao (cn) or djiao1 (uid), I will get 500.

[LDAP: error code 34 - Incorrect DN given : djiao1 (0x64 0x6A 0x69 0x61 0x6F 0x31 ) is invalid]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : djiao1 (0x64 0x6A 0x69 0x61 0x6F 0x31 ) is invalid]

  2. If I use the dn "cn=djiao,ou=Users,dc=example,dc=com" as the username I will get a "Bad credentials" error. And the password is simply 123456.

What should the username for login be? Or am I missing something in the websecurityconfig class?

Accepted answer

From your code I could identify that you're using Spring-Boot. This is what was working for us connecting to LDAP:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("dc=some,dc=domain,dc=com")
            .groupSearchBase("ou=groups,dc=some,dc=domain,dc=com")
            .groupSearchFilter("member={0}")
            .contextSource()
                .url("ldaps://<ldap-server>")
                .port(639)
                .managerDn("cn=binduser,ou=users,dc=some,dc=domain,dc=com")
                .managerPassword("some pass")
        ;
    }
}

So in essence, going for the userSearchFilter you'd have to define different values. If you use any LDAP besides AD your filter should be "(uid={0})", or if you want people to be able to use the email you could also go for "(mail={0})" or a combination like "(|(uid={0})(mail={0}))" which would allow using both.

If you go for ActiveDirectory – which I assume you do not, based on what you have written above – it should be the sAMAccountName as stated above to allow people to just enter their ID in the domain like MYDOMAIN\myusername, so the login would just be myusername.

If you need to connect to multiple LDAP servers which share the same information for HA purposes you can do this through the .contextSource().url() call. If they carry different ones, e.g. 'EMEA', 'US', 'AP', you can combine these calls using:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
    authBuilder
        .ldapAuthentication()
        .userSearchFilter("(sAMAccountName={0})")
        .userSearchBase("dc=emea,dc=domain,dc=com")
        .groupSearchBase("ou=groups,dc=emea,dc=domain,dc=com")
        .groupSearchFilter("member={0}")
        .contextSource()
            .url("ldaps://<emea-ldap-server>")
            .port(639)
            .managerDn("cn=binduser,ou=users,dc=emea,dc=domain,dc=com")
            .managerPassword("some pass")
        .and()
        .and()
        .ldapAuthentication()
        .userSearchFilter("(sAMAccountName={0})")
        .userSearchBase("dc=ap,dc=domain,dc=com")
        .groupSearchBase("ou=groups,dc=ap,dc=domain,dc=com")
        .groupSearchFilter("member={0}")
        .contextSource()
            .url("ldaps://<ap-ldap-server>")
            .port(639)
            .managerDn("cn=binduser,ou=users,dc=ap,dc=domain,dc=com")
            .managerPassword("some pass")

    ;
}

BTW: this also allows you to combine different authentication mechanisms like InMemory (Default-Admin-Backdoor) with LDAP and/or JDBC.
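As an added example, not code from the question or the answer above, here is the answer's ldapAuthentication() builder applied to the asker's setup: a non-AD directory on ldap://localhost:10389 whose user entry is cn=djiao,ou=Users,dc=example,dc=com. It binds directly as the user through a DN pattern, so "djiao" is the login name and no service-account password has to live in the configuration; the uid search filter from the answer is kept as a fallback for entries that do not match the pattern. The ou=Groups container, the read-only bind account and its password are my assumptions and are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class LocalLdapSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                // The user's DN is built from the login name and bound with the
                // submitted password: "djiao" -> cn=djiao,ou=Users,dc=example,dc=com.
                // Patterns are relative to the root DN given in the URL below.
                .userDnPatterns("cn={0},ou=Users")
                // Fallback: search by uid (non-AD attribute) when no pattern matches,
                // which lets "djiao1" log in as well. Spring escapes {0} for the filter.
                .userSearchBase("ou=Users")
                .userSearchFilter("(uid={0})")
                // Group membership lookup (assumed container name ou=Groups)
                .groupSearchBase("ou=Groups")
                .groupSearchFilter("(member={0})")
                .contextSource()
                    // Root DN in the URL; all bases above are relative to it
                    .url("ldap://localhost:10389/dc=example,dc=com")
                    // Only needed for the search fallback: a read-only account
                    // (assumed name; replace the password placeholder with a secret
                    // injected from the environment, never a literal in source)
                    .managerDn("cn=readonly,ou=Users,dc=example,dc=com")
                    .managerPassword("READONLY_BIND_PASSWORD_PLACEHOLDER");
    }
}
```

With this in place the form accepts "djiao" / "123456" for the entry from the question. The two paths differ in what they reveal: the DN pattern produces an invalid-credentials failure for any unknown name, whereas the search path distinguishes "user not found" from "wrong password" in server logs, so the bind account should have no more than read access to ou=Users and ou=Groups.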
