[英]Bind to LDAP with other account and then search user with password in LDAP server
I have a service account by which i bind LDAP connection , i am using JAAS LdapLoginModule
to authenticate the account. 我有一个用于绑定LDAP连接的服务帐户,我正在使用JAAS
LdapLoginModule
对该帐户进行身份验证。 Once LDAP bind succeeds, I need to search or authenticate or search other normal user with its user name and password. LDAP绑定成功后,我需要使用其用户名和密码来搜索或认证或搜索其他普通用户。
So how I am supposed to approach because i did not find any search query with password for user and LDAP bind permission is not allowed for this normal user. 因此,由于我没有找到具有用户密码的任何搜索查询而该普通用户不允许使用LDAP绑定权限,因此应该如何处理。 I am able to retrieve all the groups and users inside them but i could not find password.
我能够检索其中的所有组和用户,但找不到密码。
LDAP directory in its "normal" way of using it as authentication provider do not allow any user to read the password attribute to avoid leaking it. LDAP目录以其“正常”方式用作身份验证提供程序,不允许任何用户读取密码属性,以免泄漏它。
What it is normally done is to allow anybody to authenticate on this attribute only, ie : the attribute can be used by anybody to try a bind operation. 通常要做的是只允许任何人对此属性进行身份验证,即:任何人都可以使用该属性来尝试绑定操作。
So 2 ways of dealing with your case : 因此,有两种处理您的案件的方式:
EDIT : To answer question in comment : 编辑:要回答评论中的问题:
As I stated previously, to compare and/or read (as in LDAP operation of the protocol) the password attribute of another user than your master account, you have to allow the master account to do it, but it is not recommended. 如前所述,要比较和/或读取(如在协议的LDAP操作中)主帐户以外的另一个用户的密码属性,必须允许主帐户执行此操作,但不建议这样做。
How to allow it, it depends of the LDAP implementation you use (ie. which directory : OpenLDAP, AD, ApacheDS, etc.) 如何允许它,取决于您使用的LDAP实现(即哪个目录:OpenLDAP,AD,ApacheDS等)
Or you allow everyone to bind on the directory, which is the standart way of doing this : 或者您允许每个人都绑定到目录,这是这样做的标准方法:
You need to: 你需要:
If all this succeeds, the user attribute and password were correct. 如果所有操作都成功,则用户属性和密码正确。 If not, not.
如果没有,那就没有。
If you want to authenticate only without any authorization using JAAS then do not use complete DN in security principle just pass the username like below. 如果您只想使用JAAS进行未经身份验证的身份验证,则不要出于安全性原则使用完整的DN,只需传递如下用户名即可。 it will get authenticated but not authorized
它将获得认证,但未经授权
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.PROVIDER_URL, providerUrl);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "admin");
env.put(Context.SECURITY_CREDENTIALS, "passWord");
Like this if you want authorization then there is some other way 这样,如果您想要授权,那么还有其他方法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.