Spring LDAP authentication with multiple user OU and multiple access CNs


Question

How do I solve the following LDAP authentication situation using Spring Security/LDAP as much as possible.

  • User belongs to one of two LDAP organizational units (ou): Clients or Employees

  • User belongs to one of 3 access groups (cn - groupofuniquenames) or their subgroups (cn)

So basically it is:

  1. Finding user's DN in LDAP (client or employee)

  2. Binding the user to check the password

  3. Searching one by one through all 3 access groups and their subgroups to find uniquename attribute with user's DN.

I have looked into various tutorials and examples but none of them seem to relate and I was unable to combine them. It would be easier if the access group were an Organizational Unit, but it's not.

The entire page and all of its servlets are supposed to be behind authentication.

Question is a bit specific but hopefully useful for community. Any ideas or suggestions are most welcome.

The code I currently use is a modified version of the one from the Spring documentation.

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value=""></property>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg name="decisionVoters" ref="roleVoter" />
</bean>

<security:http authentication-manager-ref="ldap-auth" access-decision-manager-ref="accessDecisionManager">
    <security:intercept-url pattern="/site/**" access="LDAP-Access-Group" />
    <security:form-login 
        login-page="/login" 
        authentication-failure-url="/denied"
        username-parameter="username" 
        password-parameter="password"
        default-target-url="/site/main" />
    <security:logout 
        invalidate-session="true" 
        logout-success-url="/login" 
        logout-url="/j_spring_security_logout" />
    <security:access-denied-handler error-page="/denied" />
    <security:session-management invalid-session-url="/login">
        <security:concurrency-control max-sessions="1" expired-url="/login" />            
    </security:session-management>
</security:http>

<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://server:389/o=company,c=com"/>
</bean>

<security:authentication-manager id="ldap-auth">            
    <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=Employees</value>
                    <value>uid={0},ou=Clients</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource"/>
            <constructor-arg value="ou=Access"/>
            <property name="searchSubtree" value="true"/>
            <property name="groupRoleAttribute" value="cn" />
        </bean>
    </constructor-arg>
</bean>

The above code doesn't seem to return authorities. Is there a way to send the output to the debug console? I can't read the LDAP logs.

Also, if I comment out the AuthoritiesPopulator, then the authentication seems to work when checking with security tags, i.e. <sec:authorize access="isAuthenticated()">logged in</sec:authorize>, but for some reason intercept-url prevents me from entering the site using <security:intercept-url pattern="/site/**" access="isAuthenticated()" />. I don't understand it.

Accepted answer

It appears the main problem was with specifying the search base argument in DefaultLdapAuthoritiesPopulator. Changing the value to "" in the DefaultLdapAuthoritiesPopulator bean solved the problem and started returning the user's authorities.

<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://server:389/o=company,c=com"/>
    <property name="anonymousReadOnly" value="true"/>
</bean>

<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=Employees</value>
                    <value>uid={0},ou=Clients</value>
                </list>
            </property>         
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource"/>
            <constructor-arg value=""/>
            <property name="searchSubtree" value="true"/>
            <property name="groupRoleAttribute" value="cn"/>
            <property name="groupSearchFilter" value="uniquemember={0}"/>   
        </bean>
    </constructor-arg>
</bean>
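Added example, not code from the question, the answer or Spring Security itself: a stdlib-only Python model of the three steps the question lists (resolve the DN from userDnPatterns, bind to check the password, search the access groups for the user's DN) and of the group search the answer configures. It shows how the search base is resolved relative to the contextSource base DN, how searchSubtree decides whether a subgroup nested under its parent group is seen, and why the membership attribute named in groupSearchFilter matters for groupOfUniqueNames entries (Spring's default filter is (member={0}), which such groups never match). It also escapes the DN substituted into the filter per RFC 4515, as Spring does for {0}. All DNs, passwords and group names are constructed.

```python
import hmac

BASE_DN = "o=company,c=com"  # the base DN from the contextSource URL

def _norm(dn):
    """Normalize a DN for comparison: case-insensitive, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

# Constructed directory: DN -> attributes. The access groups are groupOfUniqueNames,
# so membership lives in 'uniquemember', not 'member'. Sub-Group sits below its parent.
DIRECTORY = {
    "uid=alice,ou=Employees,o=company,c=com": {
        "objectclass": ["inetOrgPerson"], "userpassword": ["alice-pw"]},
    "uid=bob,ou=Clients,o=company,c=com": {
        "objectclass": ["inetOrgPerson"], "userpassword": ["bob-pw"]},
    "cn=LDAP-Access-Group,ou=Access,o=company,c=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["LDAP-Access-Group"],
        "uniquemember": ["uid=alice,ou=Employees,o=company,c=com"]},
    "cn=Sub-Group,cn=LDAP-Access-Group,ou=Access,o=company,c=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["Sub-Group"],
        "uniquemember": ["uid=bob,ou=Clients,o=company,c=com"]},
    "cn=Other-Group,ou=Access,o=company,c=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["Other-Group"], "uniquemember": []},
}

USER_DN_PATTERNS = ["uid={0},ou=Employees", "uid={0},ou=Clients"]  # as in the config above

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into a search filter: \\ * ( ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_group_filter(template, user_dn):
    """The groupSearchFilter with {0} replaced by the escaped user DN, e.g. '(uniquemember=uid=...)'."""
    return "(" + template.replace("{0}", escape_filter_value(user_dn)) + ")"

def resolve_user_dn(username):
    """Step 1: try each userDnPattern in order, as BindAuthenticator does; first existing DN wins."""
    for pattern in USER_DN_PATTERNS:
        dn = pattern.replace("{0}", username) + "," + BASE_DN
        if dn in DIRECTORY:
            return dn
    return None

def bind(dn, password):
    """Step 2: simple bind; a constant-time compare stands in for the server's password check."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return any(hmac.compare_digest(p, password) for p in entry.get("userpassword", []))

def _in_scope(dn, base, subtree):
    """Is dn below base? Only direct children count unless subtree (searchSubtree) is True."""
    dn, base = _norm(dn), _norm(base)
    if not dn.endswith("," + base):
        return False
    rdn_prefix = dn[: -len(base) - 1]
    return subtree or "," not in rdn_prefix

def search_groups(user_dn, search_base="", search_subtree=True,
                  filter_template="uniquemember={0}", role_attr="cn"):
    """Step 3: DefaultLdapAuthoritiesPopulator-style search. search_base is relative to the
    contextSource base DN; '' means the base itself (the answer's fix)."""
    base = f"{search_base},{BASE_DN}" if search_base else BASE_DN
    member_attr = filter_template.split("=", 1)[0]  # attribute the filter matches on
    wanted = _norm(user_dn)
    roles = []
    for dn, attrs in DIRECTORY.items():
        if _in_scope(dn, base, search_subtree) and any(
                _norm(v) == wanted for v in attrs.get(member_attr, [])):
            roles.extend(attrs.get(role_attr, []))  # groupRoleAttribute = cn
    return roles

def authenticate(username, password, **search_opts):
    """Whole flow; None on unknown user or bad password, else the DN and granted authorities."""
    dn = resolve_user_dn(username)
    if dn is None or not bind(dn, password):
        return None
    return {"dn": dn, "authorities": search_groups(dn, **search_opts)}

def has_access(authorities, required="LDAP-Access-Group"):
    """RoleVoter with rolePrefix '': the intercept-url access value must equal a granted authority."""
    return required in authorities

if __name__ == "__main__":
    print(authenticate("alice", "alice-pw", filter_template="member={0}"))  # Spring default filter: no roles
    print(authenticate("alice", "alice-pw"))                                # answer's config
    print(authenticate("bob", "bob-pw", search_base="ou=Access", search_subtree=False))
    print(authenticate("bob", "bob-pw"))
    print(build_group_filter("uniquemember={0}", "cn=Smith (Sales),ou=Employees,o=company,c=com"))
```

Two checks worth making against the real configuration: DefaultLdapAuthoritiesPopulator by default prefixes each role with ROLE_ and upper-cases it (the rolePrefix and convertToUpperCase properties), so an intercept-url value that must match the raw cn, as in the question's config, needs those set explicitly; and a subtree search returns the subgroup's own cn (Sub-Group above), not the parent's, so either every subgroup cn is listed in the access expression or nesting is resolved through membership with Spring Security's NestedLdapAuthoritiesPopulator. For the debugging question, setting the org.springframework.security.ldap logger to DEBUG prints the DN patterns tried and the group search performed.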
