OAuth service for LDAP authentication


Question

We have a scenario where we have to authenticate the user with an LDAP server.

Flow 1:

client --> application server --> LDAP server

In the above flow the client enters LDAP credentials, which come to the application server, and then using python-ldap we can authenticate the user, straightforward. Since the user's LDAP credentials come to the application server, an organisation may not be willing to accept such a flow, for obvious reasons.

Flow 2:

client --> oauth2 --> LDAP server

The OAuth scenario suits best here, since authentication of the user is the responsibility of OAuth and the application server does not need to know the user credentials.

Has anyone encountered such a case? If yes, how did you tackle it? Is there any OAuth client for LDAP, free or paid?

Answer

If you don't want user credentials to reach the application server, then what you need is perimeter authentication. You need to have an external authentication provider, say Oracle Access Manager, that will perform the authentication and set a certain token in the request. The application server can assert this token and let the user access resources. This model enables SSO as well.

  1. The resources that require authorized access are configured as protected URLs in OAM.

  2. When a user tries to access a protected resource he is challenged for credentials.

  3. OAM authenticates the user against an LDAP directory (that is configured in OAM).

  4. A token corresponding to the authenticated user is set in the request. Also an SSO cookie is set.

  5. The application server (WebLogic) can assert (verify) this token and let the user access the resource.

Note: Oracle Access Manager supports OAuth as well.
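The perimeter model described in the answer, as an added example that is not code from the question, the answer, or Oracle Access Manager. A stand-in provider plays the OAM role: it is the only component that sees the password, checks it against a constructed directory, and issues a signed token with an expiry. An `ApplicationServer` class plays the WebLogic role: it never sees a password and only asserts the token, challenging the caller when the token is missing, forged, or expired. The shared HMAC key, the directory contents and the `serve`/`assert_token` names are assumptions made for the example; a real deployment would rely on the provider's own assertion mechanism.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; in practice the key is provisioned out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 300  # seconds a token stays valid


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256, standing in for whatever the directory does internally."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed stand-in for the LDAP directory configured in the provider.
DIRECTORY = {
    "alice": ("a1b2", hash_password("a1b2", "correct horse")),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_claims(key: bytes, claims: dict) -> str:
    """Token format: payload.signature, HMAC-SHA256 over the encoded payload."""
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url_encode(sig)


class PerimeterAuthProvider:
    """The external authentication provider (OAM role). Credentials stop here."""

    def __init__(self, key: bytes, directory: dict, ttl: int = TOKEN_TTL):
        self.key, self.directory, self.ttl = key, directory, ttl

    def authenticate(self, username: str, password: str, now: int):
        """Return a signed token for a valid login, None otherwise."""
        record = self.directory.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(hash_password(salt, password), digest):
            return None
        return sign_claims(self.key, {"sub": username, "exp": now + self.ttl})


class ApplicationServer:
    """Serves resources (WebLogic role); never sees a password, only asserts tokens."""

    def __init__(self, key: bytes, protected: set):
        self.key, self.protected = key, protected

    def assert_token(self, token, now: int):
        """Return the authenticated subject, or None if the token is not trustworthy."""
        if not isinstance(token, str) or token.count(".") != 1:
            return None
        payload, sig = token.split(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        try:
            # Check the signature before trusting anything inside the payload.
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None
            claims = json.loads(b64url_decode(payload))
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            return None
        exp = claims.get("exp") if isinstance(claims, dict) else None
        if not isinstance(exp, (int, float)) or exp <= now:
            return None
        return claims.get("sub")

    def serve(self, path: str, token, now: int):
        """Return (status, body); 401 means: go authenticate at the perimeter."""
        if path not in self.protected:
            return 200, "public content"
        user = self.assert_token(token, now)
        if user is None:
            return 401, "challenge: authenticate at the perimeter"
        return 200, f"{path} for {user}"


if __name__ == "__main__":
    provider = PerimeterAuthProvider(SHARED_KEY, DIRECTORY)
    app = ApplicationServer(SHARED_KEY, {"/reports"})
    token = provider.authenticate("alice", "correct horse", now=1000)
    print(app.serve("/reports", token, now=1100))  # (200, '/reports for alice')
    print(app.serve("/reports", token, now=1400))  # 401: token expired
```

The point to take from the split is that `ApplicationServer` has no code path that touches a password at all: its only trust decision is whether the signature and expiry on the token check out, which is what "assert (verify) this token" in the answer amounts to.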
