如何在公司环境中使用LDAP身份验证 [英] How to use LDAP Authentication in a corporate environment

问题描述

我希望用户使用他们的公司用户名/密码组合登录到我的Spring-Boot应用程序(这样我就可以使用AD身份验证，并且(也可以)使用该AD查询活动用户).

I'd like users to log into my Spring-Boot application with their corporate username/password-combination (so I can use AD authentication and (maybe also) use that AD to query active users).

所以我做了nslookup -type=srv _ldap._tcp.MY.DOMAIN这导致了结果:

So I did nslookup -type=srv _ldap._tcp.MY.DOMAIN which resulted in the outcome:

Server: Servername.MY.DOMAIN
Address: 1.1.1.1

_ldap._tcp.MY.DOMAIN       SRV service location
      priority             = 0
      weight               = 50
      port                 = 389
      svr hostname         = a_host.MY.DOMAIN
//... a few more of these
a_host.MY.DOMAIN  internet address = 5.5.5.5

然后我使用了此VBS:

Then I used this VBS:

set objSysInfo = CreateObject("ADSystemInfo")
set objUser = GetObject("LDAP://" & objSysInfo.UserName)
wscript.echo "DN: " & objUser.distinguishedName

返回的

:

DN: CN=Lastname\, Firstname,OU=OU1,OU=OU2,OU=OU3,DC=MY,DC=DOMAIN

现在我尝试(按照第一个答案的建议)使用这篇文章:

and now I tried (as suggested in the first answer) to configure my Spring Boot application using this class for that login refering to this post:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }
    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("MY.COMPANY", "ldap://a_host.MY.DOMAIN:389");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}

不幸的是，当我启动应用程序并将公司凭据插入Spring-Boot-Security-Login-UI时，无法登录该应用程序.同样，路径/secure不能通过http://localhost:8080/secure访问(结果404).现在，当我启用Spring-Boot-Security调试时，在插入凭据时会得到以下输出:

Sadly when I start the application and insert my company credentials into my Spring-Boot-Security-Login-UI, I can not login to the application. Also, the path /secure is not accessible via http://localhost:8080/secure (results in 404). Now when I enable debugging for Spring-Boot-Security I get the following output on inserting my credentials:

2018-12-17 11:47:12.793 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : /login at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-12-17 11:47:16.510 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /login at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-12-17 11:47:27.462 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : /login at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /login at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@28db75a9. A new one will be created.
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@28db75a9. A new one will be created.
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'
2018-12-17 11:47:27.466 DEBUG 13232 --- [io-8080-exec-10] w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
2018-12-17 11:47:27.466 DEBUG 13232 --- [nio-8080-exec-9] w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
2018-12-17 11:47:27.470 DEBUG 13232 --- [io-8080-exec-10] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2018-12-17 11:47:27.470 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2018-12-17 11:47:27.534 DEBUG 13232 --- [io-8080-exec-10] o.s.s.a.dao.DaoAuthenticationProvider    : User '%my_user%' not found
2018-12-17 11:47:27.534 DEBUG 13232 --- [nio-8080-exec-9] o.s.s.a.dao.DaoAuthenticationProvider    : User '%my_user%' not found
2018-12-17 11:47:27.534 DEBUG 13232 --- [io-8080-exec-10] w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Ung³ltige Anmeldedaten

org.springframework.security.authentication.BadCredentialsException: Ung³ltige Anmeldedaten
        at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151) ~[spring-security-core-5.1.2.RELEASE.jar!/:5.1.2.RELEASE]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.1.2.RELEASE.jar!/:5.1.2.RELEASE]
//...
2018-12-17 11:47:27.538 DEBUG 13232 --- [nio-8080-exec-9] w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Ung³ltige Anmeldedaten
org.springframework.security.authentication.BadCredentialsException: Ung³ltige Anmeldedaten

因此，由于他没有找到我的用户(我也尝试过使用Username @ DOMAIN，DOMAIN \ username ...)，似乎我错误地配置了url或使用了错误的格式来插入我的登录数据(我通过Spring-Boot-Security启动应用程序时使用了启动页.

So as he is not finding my User (I also tried with Username@DOMAIN, DOMAIN\username ...) it seems like I either missconfigured the url or used the wrong form to insert my login-data (I used the startup page when launching the application with Spring-Boot-Security).

更新:

我确保提供的用户名％my_user％等于我的UPN，所以这似乎是一个配置问题，因为spring boot security指出找不到它.

I ensured that the provided username %my_user% is equal to my UPN, so it seems to be a configuration problem, since spring boot security says that it cannot be found.

UPDATE2:

由于@GabrielLuci，我将把这篇文章更新为最终解决方案.问题解决了:)

I am going to update this post to the very final solution we came to thanks to @GabrielLuci . The problem is solved :)

推荐答案

该文档显示了在....普通" LDAP目录(例如OpenLDAP)上使用的配置. Active Directory有其自身的怪癖，因此其行为方式与LDAP世界的其余部分并不完全相同.

That documentation shows the configuration to use on a.... "normal" LDAP directory (like say OpenLDAP). Active Directory has its own quirks, so it doesn't quite behave the same way as the rest of the LDAP world.

Spring确实具有此答案具有在WebSecurityConfig类中如何使用它的示例:

Spring does have an ActiveDirectoryLdapAuthenticationProvider class just for this purpose. This answer has an example of how to make use of it in your WebSecurityConfig class:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }
    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("adldap.company.com", "ldap://adldap.company.com");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}

这篇关于如何在公司环境中使用LDAP身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！