Oauth service for LDAP authentication


Problem description

We have a scenario where we have to authenticate the user against an LDAP server.

Flow 1:

client --> application server --> LDAP server

In the above flow the client enters LDAP credentials, which come to the application server, and then using python-ldap we can authenticate the user; straightforward. Since the user's LDAP credentials come to the application server, an organisation may not be willing to accept such a flow, for obvious reasons.

Flow 2:

client --> oauth2 --> LDAP server

The OAuth scenario suits best here, since authentication of the user is the responsibility of OAuth and the application server does not need to know the user credentials.

Has anyone encountered such a case? If yes, how did you tackle it? Is there any OAuth client for LDAP, free or paid?

Recommended answer

If you don't want user credentials to reach the application server, then what you need is perimeter authentication. You need to have an external authentication provider, say Oracle Access Manager, that will perform the authentication and set a certain token in the request. The application server can assert this token and let the user access resources. This model enables SSO as well.

  1. The resources that require authorized access are configured as protected URLs in OAM.

  2. When a user tries to access a protected resource he is challenged for credentials.

  3. OAM authenticates the user against an LDAP directory (that is configured in OAM).

  4. A token corresponding to the authenticated user is set in the request. Also an SSO cookie is set.

  5. The application server (Weblogic) can assert (verify) this token and let the user access the resource.

Note: Oracle Access Manager supports OAuth as well.
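The five steps in the answer, reduced to runnable code as an added example (editor's illustration, not code from the answer, from OAM, or from Weblogic). The gateway is the only component that ever sees the password; the application server receives a signed token plus an SSO cookie and makes its access decision by verifying the signature, audience and expiry. Assumptions, all constructed for the example: an in-memory `DIRECTORY` of salted password hashes stands in for the LDAP bind that OAM would perform, the token is a simplified HMAC-SHA256 signed JSON claim set rather than OAM's real token format, and the `X-Perimeter-Token` header and `SSO_SESSION` cookie names are invented. The practical caveat this shows is that the application server must actually verify the token (a token minted with any other key is rejected) and must only be reachable through the gateway, otherwise a client could present a forged header directly.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed stand-in for the directory. Only the gateway holds it; in a real
# deployment this lookup is an LDAP bind performed by the access manager, never
# by the application server. Passwords are kept salted and hashed, not in clear.
_SALT = b"constructed-example-salt"


def _pwhash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


DIRECTORY: Dict[str, bytes] = {"alice": _pwhash("correct-horse", _SALT)}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PerimeterGateway:
    """Steps 2-4: challenge for credentials, check them against the directory,
    and set a signed token plus an SSO cookie on the forwarded request."""

    def __init__(self, signing_key: bytes, audience: str):
        self.signing_key = signing_key
        self.audience = audience

    def authenticate(self, username: str, password: str) -> bool:
        stored = DIRECTORY.get(username)
        if stored is None:
            _pwhash(password, _SALT)  # same cost for unknown users (no timing oracle)
            return False
        return hmac.compare_digest(stored, _pwhash(password, _SALT))

    def issue_token(self, username: str, now: Optional[float] = None, ttl: int = 300) -> str:
        now = time.time() if now is None else now
        claims = {"sub": username, "aud": self.audience, "iat": int(now), "exp": int(now) + ttl}
        body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[Dict[str, str]]:
        """Returns the headers added to the request on success, None on failure.
        The password never leaves this method."""
        if not self.authenticate(username, password):
            return None
        token = self.issue_token(username, now)
        return {"X-Perimeter-Token": token, "Cookie": f"SSO_SESSION={token}"}


class ApplicationServer:
    """Step 5: assert (verify) the token; the server never handles a password."""

    def __init__(self, signing_key: bytes, audience: str):
        self.signing_key = signing_key
        self.audience = audience

    def assert_token(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Returns the authenticated subject, or None if the token is not acceptable."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # not minted by a gateway holding the shared key
        claims = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if claims.get("aud") != self.audience or claims.get("exp", 0) <= now:
            return None  # wrong audience or expired
        return claims["sub"]

    def serve(self, headers: Dict[str, str], now: Optional[float] = None) -> str:
        user = self.assert_token(headers.get("X-Perimeter-Token", ""), now)
        return "401 Unauthorized" if user is None else f"200 OK for {user}"


def protected_request(gateway: PerimeterGateway, app: ApplicationServer,
                      username: str, password: str, now: Optional[float] = None) -> str:
    """Whole flow: client -> gateway -> (directory) -> application server."""
    headers = gateway.login(username, password, now)
    if headers is None:
        return "401 Unauthorized"
    return app.serve(headers, now)
```

`protected_request` is the client's view: the only thing that crosses the gateway towards the application is the token. A token produced by a `PerimeterGateway` constructed with a different key is rejected by `assert_token`, which is the check that makes the model safe when the gateway is the sole path to the server.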
