
Configuring Spring Security to Authenticate against LDAP without anonymous and without bind DN

Using JNDI I can successfully authenticate against our LDAP server, which has anonymous binds disabled, using only the user's username and password, like this:

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    Hashtable<String, Object> env = new Hashtable<String, Object>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);

    // Simple bind as the user: the credentials entered at login are the bind credentials.
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, userName);   // the user's full DN
    env.put(Context.SECURITY_CREDENTIALS, password);
    DirContext ctx = new InitialDirContext(env);      // the bind happens here
    // Read group membership through the user's own, already bound, context.
    Attribute groups = ctx.getAttributes(userName).get("groupMembership");
    ctx.close();

Now I would like to do the same thing using Spring Boot, Spring Security, and Spring LDAP.

I can successfully configure authentication using a bind DN and password, like this:

    // Context source bound with a dedicated service account (bind DN + password).
    DefaultSpringSecurityContextSource context = new DefaultSpringSecurityContextSource(ldapConfig.url);
    context.setUserDn(ldapConfig.bindDn);
    String bindPassword = passwordResolver.getPassword(ldapConfig.password);
    context.setPassword(bindPassword);
    context.afterPropertiesSet();

    // Custom populator that resolves group membership below groupSearchBase.
    CustomAuthoritiesPopulator customAuthoritiesPopulator = new CustomAuthoritiesPopulator(context, ldapConfig.groupSearchBase);

    // DN patterns such as "uid={0},ou=people,dc=example,dc=com" that are tried in order.
    String[] dnPatArr = new String[ldapConfig.userDnPatterns.size()];
    ldapConfig.userDnPatterns.toArray(dnPatArr);

    auth.ldapAuthentication()
        .ldapAuthoritiesPopulator(customAuthoritiesPopulator)
        .contextSource(context)
        .userDnPatterns(dnPatArr)
        .groupSearchBase(ldapConfig.groupSearchBase);

This works--the Spring Boot webapp will authenticate my users successfully.

But I would like to do this without passing in the bind DN and bind password, just like I did with the JNDI example.

If I simply omit setting the bind DN and password, I get "LDAP: error code 48 - Anonymous Simple Bind Disabled."

I don't want to do an anonymous bind--I want Spring to use the username and password the user provides to do a simple bind against each of my bind DN patterns until one works.

I've read the docs but I'm having a hard time determining whether or not that is possible. JNDI can do it so I figure I should be able to get Spring to do it. I've thought about writing my own custom Spring Security authentication provider but surely that's not necessary.
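An added example, not from the question or any answer on this page: Spring Security's BindAuthenticator already binds as the user for each DN pattern in turn, and error code 48 comes from the group lookup, which DefaultLdapAuthoritiesPopulator performs through the context source (anonymously when no manager DN is set). The populator below instead reads the user's own groupMembership attribute (the attribute name is taken from the JNDI snippet; the ROLE_<leaf RDN> mapping is a hypothetical choice), which BindAuthenticator fetches with the user's bound context when it is listed in setUserAttributes().

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/** Builds authorities from the user's own groupMembership attribute, which BindAuthenticator read through
 *  the context bound with the user's credentials, so no manager DN and no anonymous group search is needed. */
public class UserAttributeAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    // Attribute name taken from the JNDI snippet; assumption: your directory exposes membership this way.
    static final String MEMBERSHIP_ATTRIBUTE = "groupMembership";

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        String[] groupDns = userData.getStringAttributes(MEMBERSHIP_ATTRIBUTE);
        if (groupDns == null) {
            return authorities; // attribute absent: authenticated user with no roles
        }
        for (String groupDn : groupDns) {
            try {
                // Hypothetical mapping: the leaf RDN value of the group DN becomes ROLE_<VALUE>.
                LdapName name = new LdapName(groupDn);
                Rdn leaf = name.getRdn(name.size() - 1);
                authorities.add(new SimpleGrantedAuthority("ROLE_" + leaf.getValue().toString().toUpperCase()));
            } catch (InvalidNameException e) {
                // Skip a malformed value instead of failing the whole login.
            }
        }
        return authorities;
    }

    /** Wires a provider in which every LDAP operation runs as the authenticating user. */
    public static LdapAuthenticationProvider provider(String url, String... userDnPatterns) {
        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(url);
        contextSource.afterPropertiesSet(); // deliberately no setUserDn()/setPassword()
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserDnPatterns(userDnPatterns); // tried in order until one bind succeeds
        authenticator.setUserAttributes(new String[] { MEMBERSHIP_ATTRIBUTE });
        return new LdapAuthenticationProvider(authenticator, new UserAttributeAuthoritiesPopulator());
    }
}
```

Register it with `auth.authenticationProvider(UserAttributeAuthoritiesPopulator.provider(ldapConfig.url, dnPatArr));` in place of the ldapAuthentication() chain; do not configure a user search, because that lookup would again need a manager or anonymous bind.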

In JNDI, authentication information is specified in environment properties. Please make sure the property names are spelled correctly.

For example, the environment property for credentials is java.naming.security.credentials, not java.naming.security.credential. Notice that the missing letter 's' at the end would give

"LDAP: error code 48 - Anonymous Simple Bind Disabled."

    <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
        <property name="environment">
            <props>
                <prop key="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</prop>
                <prop key="java.naming.provider.url">ldap://serverURL/jndi_ctx</prop>
                <prop key="java.naming.security.authentication">simple</prop>
                <prop key="java.naming.security.principal">user_id</prop>
                <prop key="java.naming.security.credentials">password</prop>
            </props>
        </property>
    </bean>
