LDAP authentication in spring boot app


Question

I know almost nothing about LDAP and even less about spring security but I am trying to configure a spring boot app to authenticate against an ldap instance and am stuck.

I was given the ldap server name at adldap.company.com and base dn of dc=ad,dc=company,dc=com

I have some python code that does a simple bind and works.

import ldap

LDAP_USERNAME = 'username@ad.company.com'
LDAP_PASSWORD = 'password'
base_dn = 'dc=ad,dc=company,dc=com'  # not used for bind I guess, only search


def check_credentials():
    # Simple bind with the user's UPN; AD accepts user@domain here, no DN needed
    try:
        ldap_client = ldap.initialize('ldap://adldap.company.com')
        ldap_client.set_option(ldap.OPT_REFERRALS, 0)
        ldap_client.simple_bind_s(LDAP_USERNAME, LDAP_PASSWORD)
    except ldap.INVALID_CREDENTIALS as e:
        ldap_client.unbind()
        return 'Wrong username and password: %s' % e
    except ldap.SERVER_DOWN:
        return 'AD server not available'

If I run this code, it seems to successfully bind as "username@ad.company.com" with password "password".

I also have a WebSecurityConfig class that I think should be handling auth:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
            // binds as the literal DN "uid=<login>", which is not how AD names users
            .userDnPatterns("uid={0}")
            .contextSource()
            .url("ldap://adldap.company.com");
            //.url("ldap://adldap.company.com/dc=ad,dc=company,dc=com");
    }
}

When I go to /secure in the app, I get a basic auth pop up but then anything I try entering gets me a 401 Unauthorized. I have tried "username@ad.company.com", without the domain, putting that stuff in the userDnPatterns like {0}@adldap.company.com and a bunch of other things. I have tried using different URLs with the base dn in it or not. Nothing seems to work. What am I missing?

Also, is this the right way to auth users? I've read about both bind authentication and something about binding and searching but the server doesn't allow anonymous binds so I guess I would need some kind of "app user" that could bind and do the searches, right? Is that "better"?

Answer

Active Directory has its own non-standard syntax for user authentication, different from the usual LDAP DN binding.

Spring Security provides a specialized AuthenticationProvider for Active Directory.

Try this:

import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // (AD domain, LDAP URL): the domain is appended to the login name as user@domain for the
        // bind and, unless a root DN is passed as a third argument, also derives the search base
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("adldap.company.com", "ldap://adldap.company.com");
        // surface AD sub-error codes (expired password, locked account, ...) as distinct exceptions
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}
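The bind-and-search variant the question asks about (a read-only service account locates the user's entry, then the user's own credentials are bound), as an added example using the standard Spring Security LDAP configurer; it is not part of the answer, and the OU, the service-account DN and the LDAP_SVC_PASSWORD environment variable are assumed names.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class BindAndSearchSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/secure")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Assumed: the service-account password comes from the environment, never from source
        String svcPassword = System.getenv("LDAP_SVC_PASSWORD");

        auth
            .ldapAuthentication()
            // {0} is the login name from the basic-auth prompt; Spring passes it as a filter
            // argument (escaped by JNDI), not by string concatenation, so filter characters
            // typed into the prompt cannot change the query. AD logins are sAMAccountName.
            .userSearchBase("OU=Users")   // assumed OU, relative to the root DN in the URL
            .userSearchFilter("(&(objectClass=user)(sAMAccountName={0}))")
            .contextSource()
            // ldaps so neither the service-account nor the user's password crosses the wire in clear
            .url("ldaps://adldap.company.com:636/dc=ad,dc=company,dc=com")
            // the "app user": needs read access to the user OU only, nothing more
            .managerDn("CN=svc-webapp,OU=Service Accounts,DC=ad,DC=company,DC=com")  // assumed DN
            .managerPassword(svcPassword);
        // After the search, Spring binds a second time as the found entry's DN with the
        // user's own password, so the service account is never used to assert who the user is.
    }
}
```

The earlier answer's ActiveDirectoryLdapAuthenticationProvider does the same two steps internally but binds first as user@domain and then searches as that user, so it needs no service account; this form is what you need when the directory requires a dedicated lookup identity.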
