
Java-Spring-LDAP-Kerberos


I need some help delegating user authentication in my Spring-based application to Active Directory, which seems to be delegating this responsibility to Kerberos; I can't seem to figure out how to do this. Here is more of what the mess really looks like:

I followed the Spring guide on configuring Spring Security to work with an LDAP server. It went fine.

I got the host and port of my actual LDAP server. I configure Spring Security to talk to it; it won't allow me to authenticate.

OK, I download jxplorer and connect to my LDAP server with it successfully. If jxplorer can connect to LDAP knowing only HOST, PORT, USERNAME, and PASSWORD, I figure my application should be able to do the same.

Weirdly, my LDAP does not show an OU=people. My people are scattered deeper in the tree among various OUs, an OU per department kind of way - but most people are found equally deep inside the tree.

Also WEIRDLY, my actual people nodes that uniquely identify a person have no userPassword attribute.

For experimentation, I configure Spring Security in such a way that it tries to authenticate an individual by looking in the OU that represents my department and tell it to use mailNickname as the password (using PlaintextPasswordEncoder()), and it works fine - only on port 3268, not on 389.

At this point I start speculating - LDAP is telling my Spring-based app that it needs to talk to Kerberos, and I did not tell it how to do that, so that explains why my app fails to authenticate. BUT, no one told jxplorer that Kerberos will authenticate it, and yet it managed to get a view of the LDAP tree. Clearly, my Spring app's assumptions != jxplorer's assumptions. I give them the exact same info, yet one manages to authenticate and the other does not. Anyone any idea?

EDIT: OK, so I still do not have this solved, but my error has changed, and that is a mark of progress, I suppose.

I configured Spring according to this: link

Now, when I try to log in, if I give a wrong password or username, I get a complaint that clearly indicates that the password is wrong. However, if I give the correct password, the complaint differs.

The end of the stack trace includes: Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

But the debug output also indicates that the user is found in the Kerberos database, because it says: "principal is username@correct_realm" and "Added server's key Kerberos Principal correct_user@correct_realm" and does some hex dump.

Because of that, I am sure that my keytab is not doing its job. I am certain that my keytab is found by Spring because it says: KeyTab is my_keytab_file (otherwise it'd say: KeyTab is null).
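As an added example (not part of the question or the answer below), this is how Spring Security authenticates against Active Directory the way jxplorer does when it connects with a username and password: by performing an LDAP simple bind with the user's own credentials and letting the domain controller verify them. Nothing is read from or compared against a userPassword attribute, which AD does not expose over LDAP. The domain name, the domain controller URL and Spring Security 4.1+ are assumptions.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class ActiveDirectoryAuthConfig {

    // Assumed values for illustration: the AD DNS domain and one domain controller.
    // Ports 389 and 3268 carry a simple bind's password in clear text, so use LDAPS
    // (636, or 3269 for the Global Catalog) with the DC's CA in the JVM truststore.
    private static final String AD_DOMAIN = "corp.example.com";
    private static final String AD_URL = "ldaps://dc01.corp.example.com:636";

    @Bean
    public AuthenticationManager authenticationManager() {
        // The provider binds to AD as user@domain with the password from the login
        // form and lets the DC verify it. No password attribute is read or compared,
        // so a missing userPassword attribute on the user entries is expected.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);

        // Without an explicit root DN the provider derives dc=corp,dc=example,dc=com
        // from the domain and searches the whole subtree, so users in any department
        // OU are found. {0} is user@domain, {1} the bare login name.
        provider.setSearchFilter(
                "(&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1})))");

        // Map AD's bind sub-error codes (52e bad password, 532 password expired,
        // 533 account disabled, 775 locked out) to distinct Spring Security
        // exceptions instead of one generic BadCredentialsException.
        provider.setConvertSubErrorCodesToExceptions(true);

        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
    }
}
```

Port 3268 is the Global Catalog: a bind there works for accounts from any domain in the forest, but searches return only the partial attribute set replicated to the GC, so attributes that exist on port 389 may appear to be missing on 3268 and vice versa. For a bind-based check like this one, the port only has to be one the DC serves over TLS.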

If it is configured with Kerberos, you can try SPNEGO. It's one of the best libraries around for Kerberos in Java.

READ: http://spnego.sourceforge.net/

Sample code for Kerberos auth:

Example usage (username/password):

import java.net.URL;

import net.sourceforge.spnego.SpnegoHttpURLConnection;

public class SpnegoClientExample {

    public static void main(final String[] args) throws Exception {
        // Kerberos realm/KDC settings, and the JAAS login configuration that defines
        // the "spnego-client" entry used below; both are read from the working directory.
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", "login.conf");

        SpnegoHttpURLConnection spnego = null;

        try {
            // Log in as dfelix through the "spnego-client" JAAS entry (obtaining a TGT
            // with the password), then send a Negotiate token with the HTTP request.
            spnego = new SpnegoHttpURLConnection("spnego-client", "dfelix", "myp@s5");
            spnego.connect(new URL("http://medusa:8080/index.jsp"));

            System.out.println(spnego.getResponseCode());

        } finally {
            if (null != spnego) {
                spnego.disconnect();
            }
        }
    }
}
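As an added example, not from the question or the answer: both Spring Security's Kerberos support and the SPNEGO sample above hand the actual Kerberos login to JAAS and Krb5LoginModule, so the keytab can be exercised on its own, outside the web stack, with the same module. A key in the keytab that no longer matches the KDC's key for the principal (for instance the account password was reset after the keytab was exported, so the kvno differs, or the keytab holds only encryption types the KDC will not issue) fails with "Pre-authentication information was invalid (24)"; a principal the KDC does not know fails with "Client not found in Kerberos database (6)". The principal name, keytab path and realm are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class KeytabCheck {

    // Assumed values: the service principal the keytab was exported for, and its path.
    private static final String PRINCIPAL = "HTTP/medusa.example.com@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/app/medusa.keytab";

    /** JAAS configuration built in code; equivalent to a login.conf entry that uses the keytab. */
    private static Configuration keytabConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", KEYTAB);
                opts.put("principal", PRINCIPAL);
                opts.put("storeKey", "true");    // keep the long-term key, as a server would
                opts.put("doNotPrompt", "true"); // never fall back to asking for a password
                opts.put("debug", "true");       // same module trace Spring prints (KeyTab is ...)
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    public static void main(String[] args) {
        // Realm and KDC come from krb5.conf, exactly as in the SPNEGO sample.
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        LoginContext lc;
        try {
            lc = new LoginContext("keytab-check", null, null, keytabConfig());
            lc.login(); // AS-REQ to the KDC, pre-authenticated with the keytab key
        } catch (LoginException e) {
            // "Pre-authentication information was invalid (24)": the keytab key does not
            // match the KDC's key for this principal (stale kvno/password, wrong enctype).
            // "Client not found in Kerberos database (6)": the principal name is wrong.
            System.err.println("keytab login failed: " + e.getMessage());
            return;
        }
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("TGT for " + t.getClient().getName()
                    + " valid until " + t.getEndTime());
        }
    }
}
```

Run it with the same krb5.conf the application uses. If it fails with error 24 while `klist -kte /etc/app/medusa.keytab` (MIT Kerberos) shows the expected principal, compare the kvno and encryption types it lists with what the KDC currently holds for that account and re-export the keytab; `kinit -kt /etc/app/medusa.keytab HTTP/medusa.example.com` performs the same check from the shell.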
