Liberty WebApp Active Directory身份验证
[英]Liberty WebApp Active Directory authentication
问题描述
Here is the code of my little test servlet: 
这是我的小测试servlet的代码:
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
SearchResult result2 = null;
try {
if (WSSecurityHelper.isServerSecurityEnabled()) {
String testuser = "myuser";
String password = "mypassword";
UserRegistry registry = RegistryHelper.getUserRegistry("LdapRegistry");
response.getWriter().append("<p>Output: " + registry.getUserSecurityName(testuser) +"</p>");
response.getWriter().append("<p>Output: " + registry.isValidUser(testuser) +"</p>");
response.getWriter().append("<p>Output: " + registry.isValidUser(registry.getUserSecurityName(testuser)) +"</p>");
}else{
response.getWriter().append("<p>Output: No Sec Enabled</p>");
}
} catch (Exception e) {
response.getWriter().print("<p>Exception caught: " + e + " </p>");
}
}
And here is my LDAP config from my server.xml: 这是来自server.xml的LDAP配置:
<ldapRegistry baseDN="o=appsdir" bindDN="cn=user123,ou=usersbind,o=appsdir" bindPassword="mostsecurePW" host="localhost" id="drd" ldapType="Microsoft Active Directory" port="389" realm="LdapRegistry" recursiveSearch="false" returnToPrimaryServer="true">
<ldapCache>
<attributesCache size="4000"/>
<searchResultsCache resultsSizeLimit="1000" timeout="600ms"/>
</ldapCache>
<activedFilters userFilter="(&(objectClass=person)(|(uid=%v)(samAccountName=%v)(userPrincipalName=%v)))"/>
</ldapRegistry>
I think my problem is that the userFilter in the server.xml is somehow of. 我认为我的问题是server.xml中的userFilter是某种原因。 When I set it to the following:` 当我将其设置为以下内容时:
(&(objectClass=person)(|(uid=%v))) <-- on purpose to clarify what was removed
I get the output: 我得到的输出:
Output: uid=testuser,ou=testing,ou=people,o=appsdir
Output: true
Output: false
But when I add (samAccountName=%v) and/or (userPrincipalName=%v) to the filter I get the following exception right away: 但是,当我将(samAccountName=%v)和/或(userPrincipalName=%v)到过滤器时,我立即得到以下异常:
Exception caught: com.ibm.websphere.security.CustomRegistryException:
CWIML4520E: The LDAP operation could not be completed. The LDAP naming
exception javax.naming.OperationNotSupportedException: [LDAP: error code 53
- Search is not indexed]; remaining name 'o=appsdir'; resolved object
com.sun.jndi.ldap.LdapCtx@254ba79e occurred during processing.
Why is it not working while using | 为什么在使用|不起作用? (OR)? (要么)? I thought this would go through this filters until one matches. 我以为这将通过此过滤器,直到一个匹配。 Is there some documentation on how this works? 是否有一些有关其工作原理的文档?
What does Search is not indexed from the exception mean? Search is not indexed从异常中Search is not indexed什么意思?
Btw. 顺便说一句。 using the standard value for the userFilter also results in the same exception. 使用userFilter的标准值也会导致相同的异常。
1 个解决方案
解决方案1
0 2017-08-14 08:49:41
So, I played around and with the following filter the isValidUser method on a userSecurityName works: (&(|(objectcategory=person)(objectclass=person))(uid=%v)) ( amp; is needed for liberty's server.xml file, otherwise it's not necessary) 因此,我在下面的过滤器中isValidUser了一个用户userSecurityName上的isValidUser方法: (&(|(objectcategory=person)(objectclass=person))(uid=%v)) (自由服务器需要amp; (&(|(objectcategory=person)(objectclass=person))(uid=%v)) xml文件,否则没有必要)
I dont know why or how I could check this in AD, but it seems there is no objectclass=person when using userSecurityName , but there is a objectcategory=person . 我不知道为什么或如何在AD中进行检查,但是使用userSecurityName时似乎没有objectclass=person ,但是有一个objectcategory=person 。 The same, but the other way around, seems to be true when not using the userSecurityName . 不使用userSecurityName时,情况相同,但反之亦然 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.