FailedLoginException encountered when using JAAS LdapLoginModule to authenticate with ActiveDirectory
Question
I'm pulling my hair out trying to get LDAP authentication to work with Active Directory.
We've just set up a SharePoint Server 2010 and we thought it would be a good idea to also authenticate users against the Active Directory, given it's already there for SharePoint. Our environment is Windows Server 2008 R2 Standard.
I have one user with the username ahsieh@rdl.com.tw
According to this answer https://serverfault.com/a/130556 my provider URL should be ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
(note that instead of using the hostname vm-sps.rdl.com.tw, I've elected to use the IP address as I've not had time to configure a DNS entry for the said server)
Just to be sure, I've run the dsquery command on the server:
However, I just can't get the authentication to work. I've tried all three types of JAAS config as per the LdapLoginModule API.
Here are the errors I encountered:
1. Search-first mode:
NOTE: I've NOT specified authzIdentity as I don't have that set up on AD
JAAS config:
AESLogin_AD1 {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
    userFilter="(&(uid={USERNAME})(objectClass=User))"
    useSSL=false
    debug=true;
};
Result:
[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] searching for entry belonging to user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
2. Authentication-first mode:
JAAS config:
AESLogin_AD2 {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap:///CN=Users,DC=rdl,DC=com,DC=tw"
    authIdentity="{USERNAME}"
    userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
    useSSL=false
    debug=true;
};
Result:
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap:///CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
3. Authentication-only mode:
NOTE: I've NOT specified authzIdentity as I don't have that set up on AD
JAAS config:
AESLogin_AD3 {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://192.168.0.81:389"
    authIdentity="CN={USERNAME},CN=Users,DC=rdl,DC=com,DC=tw"
    useSSL=false
    debug=true;
};
Result:
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
I've also tried another config based on some examples I've come across on the internet:
4. Config from other examples:
JAAS config:
AESLogin_AD4 {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
    authIdentity="{USERNAME}"
    useSSL=false
    debug=true;
};
Result:
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] cannot create LdapPrincipal: bad DN
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot create LdapPrincipal
NOTE: My fourth trial seems to show slight progress, as at least the LDAP bind seems to work, but now the issue seems to be cannot create LdapPrincipal: bad DN
I've gone into the source code for LdapLoginModule and, by matching the debug message, it seems this was caused by (starting at line 837):
    try {
        ldapPrincipal = new LdapPrincipal(dn);
    } catch (InvalidNameException e) {
        if (debug) {
            System.out.println("\t\t[LdapLoginModule] " +
                "cannot create LdapPrincipal: bad DN");
        }
        throw (LoginException)
            new FailedLoginException("Cannot create LdapPrincipal")
                .initCause(e);
    }
And based on the LdapPrincipal API, InvalidNameException is thrown if a syntax violation is detected, but I have no idea where the syntax violation is.
Nor have I any idea how to debug this.
Any help will be much appreciated! Thanks!
Answer
I've gone through many more articles on the net and finally found the solution in Bonitasoft's Q&A "JAAS config for Active Directory LDAP".
JAAS config:
AESLogin_ADx {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
    authIdentity="{USERNAME}@rdl.com.tw"
    userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
    useSSL=false
    debug=true;
};
Result:
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh
[LdapLoginModule] searching for entry belonging to user: ahsieh
[LdapLoginModule] found entry: CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw" to Subject
[LdapLoginModule] added UserPrincipal "ahsieh" to Subject
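As an added example, not code from the question or the answer above, here is a small Java driver that exercises the AESLogin_ADx entry through the standard JAAS API. It assumes the entry has been saved in a file named ad.conf (an assumed name) and is passed with -Djava.security.auth.login.config=ad.conf; the name typed at the prompt is the bare sAMAccountName (ahsieh), because the entry itself appends @rdl.com.tw for the bind and uses the bare name in userFilter. The isDistinguishedName helper makes the trial-4 failure visible: LdapPrincipal parses its argument with the same RFC 2253 parser as javax.naming.ldap.LdapName, and in authentication-only mode (no userFilter) the module builds the principal from authIdentity itself, so a UPN that binds successfully still fails there; the userFilter in the answer switches the module to authentication-first mode, where the principal is built from the DN the search returns. One caveat a practitioner should keep in mind: with useSSL=false the simple bind sends the AD password in cleartext to port 389, so outside a lab set useSSL=true and point the URL at the domain controller's LDAPS port (636 by convention) by hostname rather than IP address, since JDK 8u181 and later verify that the server certificate matches the name in the URL.

```java
import java.io.Console;
import java.security.Principal;
import java.util.Arrays;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the question or the answer): drives the AESLogin_ADx
 * JAAS entry with a LoginContext. Assumes the entry is stored in ad.conf and the
 * JVM is started with -Djava.security.auth.login.config=ad.conf.
 */
public class AdJaasLogin {

    /** Hands the username to LdapLoginModule's NameCallback and the password to its PasswordCallback. */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        StaticCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    /** True if s parses as an RFC 2253 DN; LdapPrincipal(String) applies the same LdapName parse. */
    static boolean isDistinguishedName(String s) {
        try {
            new LdapName(s);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /** Runs the named JAAS entry and returns the populated Subject; a failed bind or search throws LoginException. */
    static Subject login(String jaasEntry, String username, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry, new StaticCallbackHandler(username, password));
        lc.login();   // LdapLoginModule binds as {USERNAME}@rdl.com.tw, then searches with userFilter
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // The UPN from trial 4 binds, but it is not a DN, so authentication-only mode
        // cannot turn it into an LdapPrincipal; the DN the answer's search found is.
        System.out.println("ahsieh@rdl.com.tw is a DN: " + isDistinguishedName("ahsieh@rdl.com.tw"));
        System.out.println("CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw is a DN: "
                + isDistinguishedName("CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw"));

        if (args.length != 1) {
            System.err.println("usage: java -Djava.security.auth.login.config=ad.conf AdJaasLogin <sAMAccountName>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("no console available to read the password");
            System.exit(2);
        }
        char[] password = console.readPassword("AD password for %s: ", args[0]);
        try {
            Subject subject = login("AESLogin_ADx", args[0], password);
            for (Principal p : subject.getPrincipals()) {
                System.out.println(p.getClass().getSimpleName() + ": " + p.getName());
            }
        } finally {
            Arrays.fill(password, '\0');   // do not keep the cleartext password in the heap longer than needed
        }
    }
}
```

With debug=true left in the entry, the module's own trace (the same "attempting to authenticate user" / "found entry" lines shown in the answer) appears on standard output alongside the principals printed by this driver, which is the quickest way to tell a bind failure from a search failure.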