Spring Boot LDAP Authentication


Problem description


I am trying to test Active Directory authentication with Spring Boot. I have an Active Directory working and I can access it via LDAP browsers for my admin user with this user DN:

CN=Administrator,CN=Users,DC=contoso,DC=com


I want to use LDAP as the authentication manager in my application. A simple example from the docs is as follows:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

@Configuration
public class SecurityConfig {

    // Snippet from the docs as quoted in the question: a global
    // AuthenticationManager backed by LDAP with a hardcoded manager account.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userDnPatterns("CN={0},CN=Users,DC=contoso,DC=com")
                .groupSearchBase("ou=groups")
                .contextSource()
                    .managerDn("CN=Administrator,CN=Users,DC=contoso,DC=com")
                    .managerPassword("myadminpassword")
                    .url("ldap://192.168.1.1:389");
    }
}


First of all, should I provide the admin password to connect to Active Directory for such a login?


Secondly, should I provide groupSearchBase and userDnPatterns, and if so, how?

Recommended answer


  1. No. For accessing LDAP / Active Directory from your application, you should create a "browse user" in your user directory. The DN and password of the browse user should not be hardcoded, but stored e.g. in a configuration file of your application.


  2. This mainly depends on your LDAP / AD setup. In an Active Directory, the user names are usually stored in the attribute "sAMAccountName", which is not part of the user's DN, so userDnPatterns will not work. Instead, provide a user search filter, e.g. .userSearchFilter("(sAMAccountName={0})") (most probably you will need more, but the administrator of the directory should be able to tell you that). An additional userSearchBase may be helpful as well. But this is all not Spring-specific, but LDAP-specific. Again, refer to your LDAP administrator for recommended values for the possible configuration items.
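The following is an added example, not code from the question or the answer, showing one way to put both points of the answer into a Spring Security configuration: the browse user's DN, password and the search settings come from application properties instead of being hardcoded, and users are located with a sAMAccountName search filter rather than a DN pattern. The property keys (ldap.*), the service account DN, the host name and the group filter are assumptions for illustration; the AD-specific values must come from the directory administrator, as the answer says.

```java
package com.example.security; // assumed package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example configuration (added here, not from the original post).
 *
 * Values are read from application.properties; assumed keys and sample
 * values, with the browse-user password supplied from the environment:
 *
 *   ldap.url=ldaps://ad.contoso.example:636
 *   ldap.manager-dn=CN=svc-browse,OU=Service Accounts,DC=contoso,DC=com
 *   ldap.manager-password=${LDAP_BROWSE_PASSWORD}
 *   ldap.user-search-base=CN=Users,DC=contoso,DC=com
 *   ldap.user-search-filter=(sAMAccountName={0})
 *   ldap.group-search-base=OU=Groups,DC=contoso,DC=com
 *   ldap.group-search-filter=(member={0})
 */
@Configuration
@EnableWebSecurity
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${ldap.url}")
    private String url;

    // The "browse user" from the answer: a low-privilege service account,
    // not the domain Administrator.
    @Value("${ldap.manager-dn}")
    private String managerDn;

    @Value("${ldap.manager-password}")
    private String managerPassword;

    @Value("${ldap.user-search-base}")
    private String userSearchBase;

    // {0} is replaced with the login name. Spring Security passes it as a
    // filter argument (FilterBasedLdapUserSearch), so it is encoded rather
    // than concatenated into the filter string.
    @Value("${ldap.user-search-filter}")
    private String userSearchFilter;

    @Value("${ldap.group-search-base}")
    private String groupSearchBase;

    // In AD, group membership is held in the group's "member" attribute;
    // here {0} is the authenticated user's full DN.
    @Value("${ldap.group-search-filter}")
    private String groupSearchFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                // Search for the user instead of using userDnPatterns, because
                // sAMAccountName is not part of the DN in Active Directory.
                .userSearchBase(userSearchBase)
                .userSearchFilter(userSearchFilter)
                .groupSearchBase(groupSearchBase)
                .groupSearchFilter(groupSearchFilter)
                .contextSource()
                    .url(url)
                    .managerDn(managerDn)
                    .managerPassword(managerPassword);
    }
}
```

With this in place the bind for the user search is done with the browse account, and the user's own password is checked by a bind as the DN found by the search. Using an ldaps:// URL (assumed in the sample properties) keeps both the browse-account credentials and the end user's password off the wire in clear text; whether the directory offers LDAPS, and which base DNs and filters are correct, is again something to confirm with the LDAP administrator.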

