Trouble with Spring LDAP Auth


Problem description

So this is my first time working with Spring so bear with me!

I am pretty sure the problem is that my set-up for DnPatterns and the group search base is incorrect.

There is an external AD I am trying to hook up to. Using AD Explorer I've found an entry; below is the DN of the user and then the login ID they usually use to log in.

As listed in the profile of the user in the AD Explorer view:

DN -> CN=LastName\, FirstName, OU=Users,OU=Calgary,DC=CORP,DC=DEPARTMENT,DC=com

Username & password the user will provide on login:

UserName ->  LastFirst5
Password ->  Password

The path to reach the user info in the Directory Explorer is as shown:

DC=CORP,DC=DEPARTMENT,DC=com -> OU=Calgary -> OU=Users -> CN=LastName,FirstName

Here are my configuration settings:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.password.LdapShaPasswordEncoder;

    // Class name is assumed; the question only showed the two configure() methods.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .anyRequest().fullyAuthenticated()
                    .and()
                    .formLogin();
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .ldapAuthentication()
                    // This is the setup the question is about: the pattern has no {0} placeholder
                    // and names the base DN, so it cannot produce a user DN from the login name.
                    .userDnPatterns("DC=corp,DC=department,DC=com")
                    .groupSearchBase("OU=Users,OU=Calgary,DC=CORP,DC=Department,DC=com")
                    .contextSource()
                    .url("ldap://corp.Ad.com/")
                    .and()
                    .passwordCompare()
                    .passwordEncoder(new LdapShaPasswordEncoder())
                    .passwordAttribute("userPassword");
        }
    }

Recommended answer

  • First the context source url should include the base DN for searching and/or authenticating users.

      .contextSource()
        .url("ldap://corp.Ad.com:389/DC=CORP,DC=DEPARTMENT,DC=com")

  • userDnPatterns() is used to match the login name of a user as it appears in the RDN of your user entries (if it appears!). The server then substitutes the login name entered by the user for the {0} placeholder, and from that recreates the user dn by appending the base dn from the LDAP url. The problem is that in your directory, a user dn is not built from its username but from its cn attribute, which is different, so you can't have a match (LastName, FirstName ≠ LastFirst5); hence you can't authenticate users with this method (but a correct pattern would look like cn={0},ou=Users if username and cn were equivalent).

    userSearchFilter() on the other hand can be used to match the login name provided by the user using a regular search filter. Optionally userSearchBase() can be used with it to set an optional branch rdn where user entries are located and from which to perform the search; if not specified, the search includes your entire directory starting from the base dn of the LDAP url.

      .and()
        .userSearchBase("ou=Users,ou=Calgary")
        .userSearchFilter("(sAMAccountName={0})")

    Note that if you have users in other cities like OU=Users,OU=OtherCity,DC=..., you will need another configuration in order to authenticate them without knowing from which city to start the search. In this case you would reset the search base to match all entries under the base dn and, since you only want users to be able to login, you would refine the filter accordingly:

      .and()
        .userSearchBase("")
        .userSearchFilter("(&(sAMAccountName={0})(objectClass=user))")

  • You don't need groupSearchBase() without groupSearchFilter(), and these 2 are needed only for authorization (to verify the user has a given role <=> is member of a given group).

    To be able to search & match a user entry, the authentication request itself needs to connect and bind to the LDAP server; most servers don't accept anonymous bindings, so you may need to set managerDn() and managerPassword():

      .contextSource()
        .url("ldap://corp.Ad.com:389/DC=CORP,DC=DEPARTMENT,DC=com")
        .managerDn("admin")
        .managerPassword("password")

  • https://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/performing-ldap-user-search
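The answer's pieces assembled into one complete Spring Security configuration, as an added example that is not part of the question or the answer above. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter, an assumed package and class name, an assumed `ou=Groups` branch for the group search, and assumed environment variable names for the bind credentials; the base DN, search base, filter and URL are the values from the answer. Instead of passwordCompare() against userPassword it relies on the default bind authenticator, so the directory itself checks the password by accepting or rejecting a bind as the located user DN.

```java
package example.ldap; // assumed package; not from the page

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Bind credentials are read from the environment rather than hard-coded.
    // The variable names are assumptions for this example.
    private static final String BIND_DN_ENV = "LDAP_BIND_DN";
    private static final String BIND_PW_ENV = "LDAP_BIND_PASSWORD";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                // Authentication: locate the entry by login name under the base DN from the URL.
                // {0} is the login name; Spring Security passes it as a filter argument,
                // so it is escaped rather than concatenated into the filter string.
                .userSearchBase("ou=Users,ou=Calgary")
                .userSearchFilter("(&(sAMAccountName={0})(objectClass=user))")
                // Authorization: in groupSearchFilter, {0} is the authenticated user's full DN.
                // "ou=Groups" is an assumed branch; adjust it to the real directory layout.
                .groupSearchBase("ou=Groups")
                .groupSearchFilter("(member={0})")
                .groupRoleAttribute("cn")
                .rolePrefix("ROLE_")
                // No passwordCompare(): the default BindAuthenticator binds as the located
                // user DN with the password from the login form, so the directory verifies it.
                .contextSource()
                    .url("ldap://corp.Ad.com:389/DC=CORP,DC=DEPARTMENT,DC=com")
                    // A service account with read access; a full DN, not a bare "admin".
                    .managerDn(requiredEnv(BIND_DN_ENV))
                    .managerPassword(requiredEnv(BIND_PW_ENV));
    }

    // Fail at startup with a clear message instead of silently falling back to an
    // anonymous bind that the answer says most servers reject.
    private static String requiredEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }
}
```

Two points worth checking before deploying this: a bind over plain `ldap://` on port 389 sends both the service account password and every user's login password in clear text on the wire, so the URL should be `ldaps://` (typically port 636) against a server whose certificate the JVM trusts; and the multi-city variant from the answer is obtained by setting `userSearchBase("")`, which makes the search start at the base DN in the URL and is only safe to combine with the `objectClass=user` clause shown, so that non-user entries can never satisfy the filter.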
