使用其他帐户绑定到LDAP,然后在LDAP服务器中使用密码搜索用户
[英]Bind to LDAP with other account and then search user with password in LDAP server
问题描述
I have a service account by which i bind LDAP connection , i am using JAAS LdapLoginModule to authenticate the account. 
我有一个用于绑定LDAP连接的服务帐户,我正在使用JAAS LdapLoginModule对该帐户进行身份验证。 Once LDAP bind succeeds, I need to search or authenticate or search other normal user with its user name and password. LDAP绑定成功后,我需要使用其用户名和密码来搜索或认证或搜索其他普通用户。
So how I am supposed to approach because i did not find any search query with password for user and LDAP bind permission is not allowed for this normal user. 因此,由于我没有找到具有用户密码的任何搜索查询而该普通用户不允许使用LDAP绑定权限,因此应该如何处理。 I am able to retrieve all the groups and users inside them but i could not find password. 我能够检索其中的所有组和用户,但找不到密码。
3 个解决方案
解决方案1
0 2017-09-28 08:50:51
LDAP directory in its "normal" way of using it as authentication provider do not allow any user to read the password attribute to avoid leaking it. LDAP目录以其“正常”方式用作身份验证提供程序,不允许任何用户读取密码属性,以免泄漏它。
What it is normally done is to allow anybody to authenticate on this attribute only, ie : the attribute can be used by anybody to try a bind operation. 通常要做的是只允许任何人对此属性进行身份验证,即:任何人都可以使用该属性来尝试绑定操作。
So 2 ways of dealing with your case : 因此,有两种处理您的案件的方式:
- [not recommended] : modify the access right to allow the user used to search to read the password attribute (=> create a possible security issue) [不推荐]:修改访问权限,以允许用于搜索的用户读取密码属性(=>创建可能的安全问题)
- allow anonymous connection to only bind on the password attribute 允许匿名连接仅绑定密码属性
EDIT : To answer question in comment : 编辑:要回答评论中的问题:
As I stated previously, to compare and/or read (as in LDAP operation of the protocol) the password attribute of another user than your master account, you have to allow the master account to do it, but it is not recommended. 如前所述,要比较和/或读取(如在协议的LDAP操作中)主帐户以外的另一个用户的密码属性,必须允许主帐户执行此操作,但不建议这样做。
How to allow it, it depends of the LDAP implementation you use (ie. which directory : OpenLDAP, AD, ApacheDS, etc.) 如何允许它,取决于您使用的LDAP实现(即哪个目录:OpenLDAP,AD,ApacheDS等)
Or you allow everyone to bind on the directory, which is the standart way of doing this : 或者您允许每个人都绑定到目录,这是这样做的标准方法:
- Bind with master password 与主密码绑定
- Search the DN of the user which try to bind 搜索尝试绑定的用户的DN
- Re-bind with the DN of the user and the password he provided : 重新绑定用户的DN和他提供的密码:
- Bind OK : correct password 绑定确定:正确的密码
- Bind KO : invalid credential 绑定KO:凭证无效
- Bind OK : correct password
解决方案2
0 2017-09-28 10:20:59
You need to: 你需要:
- Bind to the directory as the admin user with permission to search. 以具有搜索权限的管理员用户身份绑定到目录。
- Search for the user given whatever attribute you have that is unique, for example, screen name, email, etc. 根据给定的具有唯一属性的用户搜索用户,例如,屏幕名称,电子邮件等。
- Attempt to bind as that user with the password he supplied. 尝试使用该用户提供的密码绑定该用户。
If all this succeeds, the user attribute and password were correct. 如果所有操作都成功,则用户属性和密码正确。 If not, not. 如果没有,那就没有。
解决方案3
0 2018-06-19 10:07:53
If you want to authenticate only without any authorization using JAAS then do not use complete DN in security principle just pass the username like below. 如果您只想使用JAAS进行未经身份验证的身份验证,则不要出于安全性原则使用完整的DN,只需传递如下用户名即可。 it will get authenticated but not authorized 它将获得认证,但未经授权
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.PROVIDER_URL, providerUrl);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "admin");
env.put(Context.SECURITY_CREDENTIALS, "passWord");
Like this if you want authorization then there is some other way 这样,如果您想要授权,那么还有其他方法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.