组成员身份(AD)LDAP领域 [英] group memberships in (AD) ldap Realm
问题描述
我用的是JAAS框架在Java EE企业应用程序的鉴别和授权过程。我用的GlassFish作为应用服务器。我的领域配置是这样的:
I use the JAAS Framework for the authentification and authorization process in a java ee enterprise application. I use GlassFish as the application server. My realm configuration looks like:
<auth-realm name="ads-realm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property name="jaas-context" value="ldapRealm" />
<property name="base-dn" value="CN=Users,DC=company,DC=intern" />
<property name="directory" value="ldap://ad.company.intern:389" />
<property name="search-filter" value="(&(objectClass=user)(sAMAccountName=%s))" />
<property name="search-bind-password" value="****" />
<property name="search-bind-dn" value="ldapSvc@company.intern" />
</auth-realm>
这配置能正常工作在我的环境。请参见下面的日志条目:
This configuration works fine in my environment. See following log entries:
FEIN: JAAS login complete.
FEIN: JAAS authentication committed.
FEIN: Password login succeeded for xyz
但我不从我的Active Directory中收到一个LDAP组成员(S)
but i don't receive a LDAP Group membership(s) from my Active Directory
FEIN: LDAP: Group memberships found:
FEIN: LDAP: login succeeded for: xyz
哪个配置/项/映射有我做的,从AD获得组成员?
Which configuration/entry/mapping have I to do, to receive a group membership from AD?
当然,我可以添加属性
<property name="assign-groups" value="Users" />
我的GlassFish的配置,但是这不正是我想要的。
to my GlassFish configuration, but that is not exactly what i want.
推荐答案
您需要添加这个额外的属性:
You need to add this extra property:
组搜索过滤器
搜索过滤器来查找组成员的用户。默认值是uniquemember =%d个(%D扩展到用户元件DN)。在Active Directory中的情况下,这应该是件=%D
group-search-filter
Search filter to find group memberships for the user. The default value is uniquemember=%d (%d expands to the user element DN). In the case of Active Directory this should be member=%d
这篇关于组成员身份(AD)LDAP领域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!