Grails Spring Security LDAP plugin with multiple Active Directory servers


Problem description

I have the Grails Spring Security plugin connecting to one Active Directory server with no problems. However, I need to connect to multiple servers. We have some users on one AD server and other users on a different server, so we need to try looking for users in both locations.

For example, in Java I have this working as below:

<authentication-manager>
    <authentication-provider ref="provider1"/>
    <authentication-provider ref="provider2"/>
...
</authentication-manager>

<ldap-server id="provider1"
             url="ldap://LDAPSERVER1.mycompany.intranet"
             manager-dn="OU=std_users,OU=users,DC=mycompany,DC=intranet"
             manager-password="blah"/>

<ldap-server id="provider2"
             url="ldap://DIFFERENT_LDAPSERVER.mycompany.intranet"
             manager-dn="OU=std_users,OU=external_users,DC=mycompany,DC=intranet"
             manager-password="blah"/>

In Grails I can configure one AD server but cannot work out how to configure more than one:

// LDAP config
grails.plugin.springsecurity.ldap.context.managerDn = 'CN=blah,OU=std_users,OU=users,DC=mycompany,DC=intranet'
grails.plugin.springsecurity.ldap.context.managerPassword = 'the_password'
grails.plugin.springsecurity.ldap.context.server = 'ldap://theserver.mycompany.intranet'

grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugin.springsecurity.ldap.search.base = 'OU=std_users,OU=users,DC=mycompany,DC=intranet'
grails.plugin.springsecurity.ldap.search.filter = "sAMAccountName={0}" // for Active Directory you need this
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false

I know that you can create a space-separated list of servers but this won't work for me as it will only try one of the servers once it has a connection, whereas I need it to try looking for users in both.

I think I probably need to get stuck into the resources.groovy file but don't know where to start with this - has anyone configured multiple AD locations?

The only other idea I have is to create a virtual directory which brings together all the users in one directory. Can anyone suggest a good way of doing this? I have been looking at http://myvd.sourceforge.net/usecases.html

Any help would be appreciated. Have been googling all day and I am no closer to a solution.

Solution

Andrew's answer pointed me in the right direction and I now have this working.

It was A LOT easier to make this work using ActiveDirectoryLdapAuthenticationProvider. This is done as below:

In resources.groovy:

import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider

// Domain 1
ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain.com",
        "ldap://mydomain.com/"
)

// Domain 2
ldapAuthProvider2(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain2.com",
        "ldap://mydomain2.com/"
)

In Config.groovy:

grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1', 'ldapAuthProvider2']

This is all the code you need. You can pretty much remove all other grails.plugin.springsecurity.ldap.* settings in Config.groovy as they don't apply to this AD setup.

For documentation, see: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ldap-active-directory

If you aren't using AD and want the 'pure LDAP' version:

In resources.groovy:

import org.springframework.security.ldap.DefaultSpringSecurityContextSource
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch

// Create another ldap authentication provider
ldapAuthProvider2(org.springframework.security.ldap.authentication.LdapAuthenticationProvider,
        ref("ldapAuthenticator2"),
        ref("ldapAuthoritiesPopulator") // Use default
) {
    // Can set other auth provider settings here
}

ldapAuthenticator2(org.springframework.security.ldap.authentication.BindAuthenticator, ref("contextSource2")) {
    userSearch = ref("ldapUserSearch2")
}

// Set up the manager (service account) used to read LDAP
contextSource2(DefaultSpringSecurityContextSource, grailsApplication.config.grails.plugin.springsecurity.ldap.context.server2) {
    userDn = grailsApplication.config.grails.plugin.springsecurity.ldap.context.managerDn2 // Manager DN
    password = grailsApplication.config.grails.plugin.springsecurity.ldap.context.managerPassword2
}

// Configuration for searching for the user (base, filter and context source come from Config.groovy)
ldapUserSearch2(FilterBasedLdapUserSearch, grailsApplication.config.grails.plugin.springsecurity.ldap.search.base2, grailsApplication.config.grails.plugin.springsecurity.ldap.search.filter2, ref('contextSource2')) {
}

And then in Config.groovy:

// Config for second LDAP AuthenticationProvider - used in resources.groovy
grails.plugin.springsecurity.ldap.context.managerDn2 = 'CN=MANAGER_USER,OU=Users,DC=mycompany,DC=com'
grails.plugin.springsecurity.ldap.context.managerPassword2 = 'manager_password'
grails.plugin.springsecurity.ldap.context.server2 = "ldap://the-ldap-server.com"

grails.plugin.springsecurity.ldap.search.base2 = 'OU=Users,DC=mycompany,DC=com'
grails.plugin.springsecurity.ldap.search.filter2 = "sAMAccountName={0}" // for Active Directory you need this

// Add the AuthenticationProvider to the list
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider', 'ldapAuthProvider2']

This link was very useful for finding out how to set this up: https://github.com/grails-plugins/grails-spring-security-ldap/blob/master/SpringSecurityLdapGrailsPlugin.groovy
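Both variants in the answer above work the same way: each directory becomes its own AuthenticationProvider bean, and the plugin's ProviderManager tries the beans in providerNames order until one authenticates the user. The resources.groovy below is an added example, not the answer's own code, showing the Active Directory variant with one extra setting worth having when several domains are chained: convertSubErrorCodesToExceptions. Without it every failed AD bind surfaces as a generic BadCredentialsException, which ProviderManager treats as "try the next provider"; with it, AD's bind sub-error codes for locked, disabled and expired accounts are mapped to the matching AccountStatusException, which ProviderManager rethrows immediately, so the real account state is reported and the same password is not retried against the second domain. The domain names and server URLs are placeholders.

```groovy
// grails-app/conf/spring/resources.groovy
// Added example (not the answer's code): two AD domains as separate providers,
// with AD bind sub-error codes surfaced as account-status exceptions.
// Domain names and server URLs below are placeholders.
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider

beans = {
    // Domain 1: constructor arguments are (domain, url), as in the answer.
    ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
            "mydomain.com",
            "ldap://dc1.mydomain.com/") {
        // AD reports "account locked", "account disabled", "password expired" and
        // "account expired" through sub-error codes on a failed bind. With this
        // flag the provider raises LockedException, DisabledException,
        // CredentialsExpiredException or AccountExpiredException for them instead
        // of a generic BadCredentialsException. ProviderManager rethrows an
        // AccountStatusException at once, so a locked account in domain 1 is
        // reported as locked and the password is not replayed against domain 2.
        // Unknown user / wrong password still become BadCredentialsException and
        // fall through to the next provider, which is the behaviour the chain needs.
        convertSubErrorCodesToExceptions = true
    }

    // Domain 2: same settings, different domain and domain controller.
    ldapAuthProvider2(ActiveDirectoryLdapAuthenticationProvider,
            "mydomain2.com",
            "ldap://dc1.mydomain2.com/") {
        convertSubErrorCodesToExceptions = true
    }
}
```

Config.groovy keeps the answer's `grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1', 'ldapAuthProvider2']`; that list is the order in which ProviderManager attempts the providers, so put the domain that holds most of your users first. Because a wrong password in domain 1 is deliberately allowed to fall through, each failed login attempt can produce a failed bind in both domains; if both directories enforce lockout thresholds, account for that when tuning them.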
