
LDAP authentication in JAVA web application

I'm trying to authenticate a user's userid and password against LDAP. Here is my Java code:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import org.springframework.security.authentication.BadCredentialsException;

Hashtable<Object, String> props = new Hashtable<Object, String>();
//props.put(Context.SECURITY_AUTHENTICATION, "simple");   // "simple" is already the default once a principal is set
// Simple bind: the principal is the user's full DN
props.put(Context.SECURITY_PRINCIPAL,
        "uid=muhammad.zafar,ou=IT Operations,ou=Information Systems,dc=bi,dc=com,dc=pk");
props.put(Context.SECURITY_CREDENTIALS, "Passw0rd");
DirContext context;

try {
    // Connecting performs the bind; a wrong DN or password throws javax.naming.AuthenticationException
    context = com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance("ldap://ldap.bi.com.pk:389/dc=bi,dc=com,dc=pk" + '/', props);
    context.close();
} catch (Exception e) {
    // Keep the original exception as the cause so the real LDAP error is not lost
    throw new BadCredentialsException("Invalid Username or Password", e);
}

It works great, as user muhammad.zafar exists in the IT Operations "ou". But I don't want to validate the user with its ou, so I tried many settings for SECURITY_PRINCIPAL and none of them worked for me:

props.put(Context.SECURITY_PRINCIPAL,
                "uid=muhammad.zafar");

It throws the exception "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]". I even tried to put in

props.put(Context.SECURITY_AUTHENTICATION, "simple");

None of them worked for me. I hope my question is clear: I don't have every user's "ou" within my application.

Try this solution, I hope it works for you:

It's not a question of whether you want to authenticate with the ou or without it.

The fact is that the LDAP protocol and JNDI in simple authentication mode (see the doc) require you to put the DN of the user as SECURITY_PRINCIPAL.

So you have 2 ways to deal with that:

  • Use a technical account to search for the DN of the user which tries to authenticate, and after that do the authentication with the DN previously found.

  • Do not use the simple authentication mechanism, but a SASL one supported by your Directory, which allows you to use a value other than the DN.

    See this for more information: https://docs.oracle.com/javase/tutorial/jndi/ldap/sasl.html
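The first option from the answer above (search with a technical account, then bind as the DN that was found), written out as an added example that is not part of the original question or answer. The host, base DN, service-account DN and the LDAP_SERVICE_PASSWORD environment variable are assumed placeholders; the class and its method names are hypothetical. It uses the public javax.naming.directory.InitialDirContext instead of the internal com.sun.jndi.ldap.LdapCtxFactory call from the question, and adds two checks a production login path needs: an empty password is rejected before the bind (RFC 4513 section 5.1.2 treats a DN with an empty password as an unauthenticated bind, which many servers accept), and the uid is escaped per RFC 4515 before it is placed in the search filter so that a value like `*` or `)(` cannot rewrite the query.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Search-then-bind LDAP authentication with plain JNDI (hypothetical class written
// for this page). Host, base DN and service account below are assumed placeholders.
public class LdapSearchThenBind {

    private static final String LDAP_URL   = "ldaps://ldap.example.com:636";                      // assumed
    private static final String BASE_DN    = "dc=example,dc=com";                                  // assumed
    private static final String SERVICE_DN = "cn=app-auth,ou=Service Accounts,dc=example,dc=com";  // assumed
    private static final String SERVICE_PW = System.getenv("LDAP_SERVICE_PASSWORD");              // assumed set; never hard-code

    /** Returns the user's DN when uid/password are valid, null otherwise. */
    public static String authenticate(String uid, String password) throws NamingException {
        // RFC 4513 section 5.1.2: a DN with an empty password is an "unauthenticated"
        // bind that many servers accept, so refuse it before it reaches the server.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        // Step 1: the service account resolves uid -> DN, whatever ou the entry lives in.
        String userDn = findUserDn(uid);
        if (userDn == null) {
            return null;                               // unknown (or ambiguous) uid
        }
        // Step 2: bind as that DN with the password the user typed.
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);          // constructing the context performs the bind
            return userDn;
        } catch (AuthenticationException e) {
            return null;                               // [LDAP: error code 49 - Invalid Credentials]
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    private static String findUserDn(String uid) throws NamingException {
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, SERVICE_DN);
        env.put(Context.SECURITY_CREDENTIALS, SERVICE_PW);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // search every ou under the base
            sc.setReturningAttributes(new String[0]);          // only the DN is needed, no attributes
            // The uid is escaped before it goes into the filter, so "*" or ")(" cannot rewrite it.
            String filter = "(&(objectClass=person)(uid=" + escapeFilterValue(uid) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
            try {
                if (!results.hasMore()) return null;
                String dn = results.next().getNameInNamespace();
                return results.hasMore() ? null : dn;          // two matches: refuse rather than guess
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** Escapes the characters RFC 4515 reserves inside a filter assertion value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        return env;
    }
}
```

Call `LdapSearchThenBind.authenticate("muhammad.zafar", password)` from the login path and treat a null return as "Invalid Username or Password"; the caller never needs to know which ou the entry sits in. The service account only needs read access to `uid` under the base DN, and the URL uses ldaps so the simple-bind password is not sent in clear text.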
