What login name to use for Spring LDAP authentication


Question

I created a local LDAP server and added the user "djiao" with password "123456".

Trying to implement authentication with Spring Security with Spring Boot. My webconfig class is as follows:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.event.LoggerListener;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .formLogin();
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Empty domain, pointed at the local (non-AD) server on port 10389
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("", "ldap://localhost:10389");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Bean
    public LoggerListener loggerListener() {
        // Logs authentication events (success/failure)
        return new LoggerListener();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }
}

However, I can't seem to log in from the login page.

  1. If I use djiao (cn) or djiao1 (uid), I will get 500.

[LDAP: error code 34 - Incorrect DN given : djiao1 (0x64 0x6A 0x69 0x61 0x6F 0x31 ) is invalid]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : djiao1 (0x64 0x6A 0x69 0x61 0x6F 0x31 ) is invalid]

  2. If I use the DN "cn=djiao,ou=Users,dc=example,dc=com" as the username I will get a "Bad credentials" error. And the password is simply 123456.

What should the username for login be? Or am I missing something in the websecurityconfig class?

Answer

From your code I could identify that you're using Spring Boot.

This is what was working for us connecting to LDAP:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
            // {0} is replaced with the name typed into the login form
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("dc=some,dc=domain,dc=com")
            .groupSearchBase("ou=groups,dc=some,dc=domain,dc=com")
            // here {0} is the DN of the user found by the search above
            .groupSearchFilter("member={0}")
            .contextSource()
                .url("ldaps://<ldap-server>")
                .port(639)
                // service account used for the user search before binding as the user
                .managerDn("cn=binduser,ou=users,dc=some,dc=domain,dc=com")
                .managerPassword("some pass")
        ;
    }
}

So in essence, going for the userSearchFilter you'd have to define different values. If you use any LDAP besides AD your filter should be "(uid={0})", or if you want people to be able to use the email you could also go for "(mail={0})", or a combination like "(|(uid={0})(mail={0}))" which would allow both.

If you go for ActiveDirectory – which I assume you do not, based on what you have written above – it should be the sAMAccountName as stated above, to allow people to just enter their ID in the domain like MYDOMAIN\myusername, so the login would just be myusername.
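Applying the answer to the directory described in the question (not Active Directory, local server on port 10389, users under ou=Users,dc=example,dc=com), as an added example that is not code from the question or the answer. It assumes a read-only bind account cn=admin,dc=example,dc=com (placeholder) whose password is supplied through a property app.ldap.manager-password, and that groups live under ou=Groups; the login name becomes the uid value (djiao1 in the question).

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class LocalLdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the service-account password comes from a property or environment
    // variable instead of a literal in source like the "some pass" in the answer.
    @Value("${app.ldap.manager-password}")
    private String managerPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                // {0} is replaced with what the user types on the login form, so the
                // login name is the uid ("djiao1"), not a DN and not the cn.
                // "(|(uid={0})(cn={0}))" would accept "djiao" as well.
                .userSearchFilter("(uid={0})")
                // Search bases are relative to the base DN carried in the URL below.
                .userSearchBase("ou=Users")
                .groupSearchBase("ou=Groups")        // assumption; drop if there are no groups
                .groupSearchFilter("(member={0})")   // here {0} is the DN of the user found above
                .contextSource()
                    // Base DN taken from the DN quoted in the question. Plain ldap:// is only
                    // acceptable on loopback; a remote directory should use ldaps:// like the answer.
                    .url("ldap://localhost:10389/dc=example,dc=com")
                    // Assumption: read-only account used for the search; the user's own password
                    // is then verified by binding as the DN the search returned.
                    .managerDn("cn=admin,dc=example,dc=com")
                    .managerPassword(managerPassword);
    }
}
```

If every user sits directly under ou=Users, `.userDnPatterns("cn={0},ou=Users")` in place of the search filter and manager credentials binds as the user directly, and the login name is then the cn ("djiao").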

If you need to connect to multiple LDAP servers that share the same information for HA purposes, you can do this through the .contextSource().url() call. If they carry different ones, e.g. 'EMEA', 'US', 'AP', you can combine these calls using:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            // First provider: EMEA directory
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("dc=emea,dc=domain,dc=com")
            .groupSearchBase("ou=groups,dc=emea,dc=domain,dc=com")
            .groupSearchFilter("member={0}")
            .contextSource()
                .url("ldaps://<emea-ldap-server>")
                .port(639)
                .managerDn("cn=binduser,ou=users,dc=emea,dc=domain,dc=com")
                .managerPassword("some pass")
            .and()   // back to the LDAP configurer
            .and()   // back to the AuthenticationManagerBuilder
            // Second provider: AP directory; providers are tried in order
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("dc=ap,dc=domain,dc=com")
            .groupSearchBase("ou=groups,dc=ap,dc=domain,dc=com")
            .groupSearchFilter("member={0}")
            .contextSource()
                .url("ldaps://<ap-ldap-server>")
                .port(639)
                .managerDn("cn=binduser,ou=users,dc=ap,dc=domain,dc=com")
                .managerPassword("some pass")
        ;
    }
}

BTW: this also allows you to combine different authentication mechanisms like InMemory (Default-Admin-Backdoor) with LDAP and/or JDBC.
