LDAP authentication in JAVA web application
I'm trying to authenticate a user's userid and password against LDAP. Here is my Java code:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import org.springframework.security.authentication.BadCredentialsException;

// Environment passed to the JNDI LDAP provider; keys and values are Strings.
Hashtable<String, String> props = new Hashtable<String, String>();
//props.put(Context.SECURITY_AUTHENTICATION, "simple");
props.put(Context.SECURITY_PRINCIPAL,
    "uid=muhammad.zafar,ou=IT Operations,ou=Information Systems,dc=bi,dc=com,dc=pk");
props.put(Context.SECURITY_CREDENTIALS, "Passw0rd");
DirContext context;
try {
    // Creating the context performs the simple bind; a failed bind throws AuthenticationException.
    context = com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance("ldap://ldap.bi.com.pk:389/dc=bi,dc=com,dc=pk" + '/', props);
    context.close();
} catch (Exception e) {
    throw new BadCredentialsException("Invalid Username or Password");
}
It works great, as user muhammad.zafar exists in the "IT Operations" ou. But I don't want to validate the user with its ou, so I tried many settings for SECURITY_PRINCIPAL and none of them worked for me:
props.put(Context.SECURITY_PRINCIPAL, "uid=muhammad.zafar");
It throws the exception "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]". I even tried to put in
props.put(Context.SECURITY_AUTHENTICATION, "simple");
None of them worked for me. I hope my question is clear, as I don't have every user's "ou" within my application.
Try this solution; hopefully it works for you.
It's not a question of whether you want to authenticate with the ou or without it. The fact is that the LDAP protocol and JNDI in simple authentication mode (see doc) require you to put the dn of the user as SECURITY_PRINCIPAL.
So you have 2 ways to deal with that:
1. Use a technical account to search for the DN of the user who tries to authenticate, and after that do the authentication with the dn previously found.
2. Do not use the simple authentication mechanism, but a SASL one supported by your directory, which allows you to use a value other than the dn.
See this for more information: https://docs.oracle.com/javase/tutorial/jndi/ldap/sasl.html
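The first option (search with a technical account, then bind as the DN that was found), as an added Java example that is not part of the original question or answer. The server URL and base DN are taken from the question; the service-account DN, the LDAP_SVC_PASSWORD environment variable and the class name are assumptions. The subtree search locates the user whatever ou they sit in, and the empty-password check closes the unauthenticated-bind hole that a plain search-then-bind would otherwise have.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class SearchThenBind {
    // Server URL and base DN come from the question; the service account is an assumed placeholder.
    static final String URL = "ldap://ldap.bi.com.pk:389";
    static final String BASE_DN = "dc=bi,dc=com,dc=pk";
    static final String SERVICE_DN = "cn=app-svc,ou=Service Accounts,dc=bi,dc=com,dc=pk"; // hypothetical
    static final String SERVICE_PW = System.getenv("LDAP_SVC_PASSWORD");           // assumed env var
    // Simple bind: JNDI performs the bind when the context is created.
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    static boolean authenticate(String uid, String password) {
        // An empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which
        // servers may accept as anonymous; refuse it before touching the directory.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) return false;
        DirContext svc = null;
        try {
            svc = bind(SERVICE_DN, SERVICE_PW);                    // step 1: technical account
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);       // any ou under the base
            sc.setReturningAttributes(new String[0]);              // only the DN is needed
            // {0} is substituted by JNDI with filter escaping, so uid cannot rewrite the filter.
            NamingEnumeration<SearchResult> r = svc.search(BASE_DN,
                    "(&(objectClass=person)(uid={0}))", new Object[] { uid }, sc);
            if (!r.hasMore()) return false;                        // no such user
            String userDn = r.next().getNameInNamespace();
            if (r.hasMore()) return false;                         // ambiguous match: refuse
            bind(userDn, password).close();                        // step 2: bind as the user
            return true;
        } catch (NamingException e) {                              // includes AuthenticationException
            return false;
        } finally {
            if (svc != null) try { svc.close(); } catch (NamingException ignored) {}
        }
    }
}
```

The technical account only needs read access to the subtree it searches, and the user's own bind is what proves the password.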