Grails Spring安全性和LDAP身份验证失败
[英]Grails Spring Security & LDAP Auth Failure
问题描述
ISSUE: Grails ADMIN logs in via LDAP but no other account does. 
问题:Grails ADMIN通过LDAP登录,但没有其他帐户登录。 System = Win 7, grails 2.2.1, Active Dir lightweight 系统= Win 7,grails 2.2.1,Active Dir轻量级
I have created a simple grails default application, installed the latest grails spring security and ldap plugins. 我创建了一个简单的grails默认应用程序,安装了最新的grails spring安全性和ldap插件。 I then followed the following tutorial to configure the spring security setup. 然后,我按照以下教程配置spring安全设置。 Tutorial located at http://blog.springsource.com/2010/08/11/simplified-spring-security-with-grails/ 教程位于http://blog.springsource.com/2010/08/11/simplified-spring-security-with-grails/
Anyway got spring security working fairly fast, next step was setting up LDAP to use the anonymousAuthenticationProvider so my grails app would log in without checking its own DB for passwords, only LDAP. 无论如何,春季安全性工作得相当快,下一步是将LDAP设置为使用anonymousAuthenticationProvider,这样我的grails应用程序就可以登录而无需检查其自己的DB中是否只有密码,只有LDAP。 I am using windows Active Directory. 我正在使用Windows Active Directory。 Anyway, followed this configuration setup http://grails-plugins.github.io/grails-spring-security-ldap/docs/manual/guide/2.%20Usage.html . 无论如何,请遵循此配置设置http://grails-plugins.github.io/grails-spring-security-ldap/docs/manual/guide/2.%20Usage.html 。 All seems to start fine, except the only user that seems to log in correctly is admin, no other user works. 似乎一切正常,除了似乎正确登录的唯一用户是admin,其他用户没有工作。 I get a can not find user with that username / password error. 我得到一个找不到该用户名/密码错误的用户。 I have added error, warn and info log output for spring security but does not seem to give much info at all except for the admin account which actually works. 我已经添加了错误,警告和信息日志输出以确保春季安全,但除了实际起作用的管理员帐户外,似乎根本没有提供太多信息。 I verified it works as I gave the spring security db password a different password to the ldap password, and once the ldap was configured the only password that worked for the admin was the ldap one. 我验证了它的工作原理,因为我为spring security db密码指定了与ldap密码不同的密码,并且一旦配置了ldap,唯一适用于管理员的密码就是ldap。 Unfortunately no other users worked though. 不幸的是,没有其他用户在工作。
Here is my grails config: 这是我的grails配置:
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'org.example.SecUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'org.example.SecUserSecRole'
grails.plugins.springsecurity.authority.className = 'org.example.SecRole'
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=admin,OU=people,OU=imApp,DC=example,DC=org'
grails.plugins.springsecurity.ldap.context.managerPassword = 'password'
grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:55000/'
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugins.springsecurity.ldap.search.base = 'OU=people,OU=imApp,DC=example,DC=org'
grails.plugins.springsecurity.ldap.search.filter='uid={0}' //ad use sAMAccountName instead of uid
grails.plugins.springsecurity.ldap.search.searchSubtree =true
grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions= false
grails.plugins.springsecurity.ldap.search.derefLink = true
// specify this when you want to skip attempting to load from db and only use LDAP
grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider']
grails.plugins.springsecurity.conf.ldap.authorities.retrieveGroupRoles = false
grails.plugins.springsecurity.conf.ldap.authorities.retrieveDatabaseRoles = false
//grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups,ou=imApp,dc=mcommunity,dc=org'
//role specific ldap config
grails.plugins.springsecurity.ldap.useRememberMe = false
I have tried a few variations of this config, for example it says Active Dir requires sAMAccountName as the search.filter but when I use this no accounts work, if i comment it out completely it works as already memntioned, admin logs in but no other account does. 我已经尝试了此配置的一些变体,例如,它说Active Dir要求sAMAccountName作为search.filter,但是当我使用它时,没有帐户有效,如果我完全注释掉它,则它已经存在,管理员可以登录,但没有其他功能帐户。 If I remove the springsecurity.providerNames the app starts but uses DB as password auth provider. 如果我删除springsecurity.providerNames,则应用程序启动,但使用DB作为密码身份验证提供程序。 I came across some blogs mentioned removing password for model class and db, or making it null-able which I tried but had no effect on outcome. 我遇到了一些博客,提到删除模型类和数据库的密码,或者使之成为可空值(我尝试过但对结果没有影响)。
My Active Dir structure is as follows: 我的活动目录结构如下:
DC=example,dc=org
OU=imApp
OU=groups
OU=people
CN=admin user CN=admin,OU=people,OU=imApp,DC=example,DC=org
CN=user1 user CN=user1,OU=people,OU=imApp,DC=example,DC=org
CN=LostAndFound
CN= NTDS Quotas
CN=Roles
I have given each account a LDAP password, and added a parameter uid matching that of their username (CN). 我给每个帐户一个LDAP密码,并添加了一个与用户名(CN)相匹配的参数uid。 I have not used a Custom UserDetailsContextMapper, just default. 我没有使用自定义UserDetailsContextMapper,只是默认设置。 However, I did try a Custom UserDetailsContextMapper and just came across the same issue, so reverted back to using just standard. 但是,我确实尝试了一个Custom UserDetailsContextMapper,并且遇到了同样的问题,因此又恢复为仅使用标准。 Also I noticed Active Dir has a lower case dc for org so I tried using same lower case dc in Grails config but has same result. 我也注意到Active Dir对组织有一个小写的dc,所以我尝试在Grails配置中使用相同的小写dc,但是结果相同。
Has anyone come across this issue or know where I may be going worng? 有没有人遇到过这个问题或知道我可能要去哪里? Any help appreciated. 任何帮助表示赞赏。
Best, Marklw16 最好,Marklw16
1 个解决方案
解决方案1
0 2013-06-11 16:46:34
Try these settings: 尝试以下设置:
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='DC=example,dc=org'
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.