堆栈内存溢出
  简体   繁体   English

角色不适用于(LDAP)活动目录

[英]Role does not work with (LDAP) Active directory

 原文  2018-06-07 14:02:42       ldap/ debian/ ecm/ openkm

问题描述

I have successfully installed openkmcommunity edition (Version 6.3.6, Tomcat-8.5.24, PostgeSQL 9.4.15 and Debian 8.2.0) with MS AD (windows 2012 R2) using advanced configuration and best practices in docs : 我已经使用docs中的高级配置和最佳实践成功安装了带有MS AD(windows 2012 R2)的openkmcommunity版本(版本6.3.6,Tomcat-8.5.24,PostgeSQL 9.4.15和Debian 8.2.0):

https://docs.openkm.com/kcenter/view/okm-6.3-com/active-directory-advanced-configuration.html https://docs.openkm.com/kcenter/view/okm-6.3-com/ldap-best-practices-for-filtering-users-and-roles.html https://docs.openkm.com/kcenter/view/okm-6.3-com/active-directory-advanced-configuration.html https://docs.openkm.com/kcenter/view/okm-6.3-com/ldap -best-practices-for-filtering-users-and-roles.html

But with these docs, I had two problems the user ID was a trigram (sAMAccountName) and the user ID in Role was a First Name and Last Name (CN). 但是对于这些文档,我有两个问题,用户ID是三字组(sAMAccountName),角色中的用户ID是名字和姓氏(CN)。 With the option Principal.ldap.users.from.roles on True, I could see openKm creates users with ID First Name and Last Name (CN). 通过在True上使用Principal.ldap.users.from.roles选项,我可以看到openKm创建具有ID名和姓(CN)的用户。

For one user, I had two accounts: 对于一个用户,我有两个帐户: 

ID = MLE Name= Mi** Lenormand  Mail= **            Roles = ROLE_USER ROLE_TEST

ID = Mi** Lenormand   Name=Mi** Lenormand   Mail = (empty)   Roles = (empty)

The second account have Roles empty but present in the role (ex: ROLE_USER) when I filter. 第二个帐户的“角色”为空,但在我过滤时以角色显示(例如:ROLE_USER)。

I think the problem comes from: 我认为问题来自: 

principal.ldap.users.by.role.attribute  member
principal.ldap.users.by.role.search.base    OU=IT,OU=CDG,OU=SDA,DC=*,DC=**
principal.ldap.users.by.role.search.filter  (&(objectClass=group)(cn={0}))

We can't filter by sAMAccountName because in member there is no sAMAccountName: 我们无法按sAMAccountName进行过滤,因为在成员中没有sAMAccountName:

https://image.ibb.co/f9MktT/exemple_Forum.png https://image.ibb.co/f9MktT/exemple_Forum.png

The second problems is role does not work when I logging with MLE. 第二个问题是我使用MLE登录时角色不起作用。 (in Log, I can't logging with ID = Mi** Lenormand) (在日志中,我无法使用ID = Mi ** Lenormand登录)

After many manipulation I have solve the first problem, I am logging with CN and password. 经过多次操作,我解决了第一个问题,我使用CN和密码登录。 But the second problem is always present. 但是第二个问题始终存在。

In administration TAB 在管理中 

[code]system.login.lowercase=true
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://sd01cdg***:389
principal.ldap.security.principal=CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***
principal.ldap.security.credentials=*******************

principal.ldap.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.user.search.filter=objectclass=person
principal.ldap.user.attribute=CN

principal.ldap.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=cn=OpenKM_ROLE,ou=cdg,ou=sda,dc=sid,dc=afi))
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.mail.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.username.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.users.from.roles=true 

principal.ldap.roles.by.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow[/code]

In [Tomcat-8.5.24]/OpenKM.xml 在[Tomcat-8.5.24] /OpenKM.xml中 

[code]
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">


<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://sd01cdgdc:389"/>
  <beans:property name="userDn" value="CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***"/>
  <beans:property name="password" value="******************"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="OU=IT,OU=CDG,OU=SDA,DC=*****,DC=***"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
     <!-- <beans:property name="rolePrefix" value="ROLE_" /> -->
      <beans:property name="rolePrefix" value="" />
      <beans:property name="defaultRole" value="ROLE_ADMIN" />
     <!-- <beans:property name="defaultRole" value="ROLE_USER" /> -->
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="OU=CDG,OU=SDA,DC=*****,DC=**" />
  <beans:constructor-arg index="2" ref="contextSource" />
<!--  <beans:constructor-arg index="1" value="sAMAccountName={0}" /> -->
  <beans:constructor-arg index="1" value="CN={0}" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

 </beans:beans>
[/code]

If I don't use <beans:property name="defaultRole" value="ROLE_ADMIN" /> , i can't logging in ROLE_ADMIN 如果我不使用<beans:property name="defaultRole" value="ROLE_ADMIN" /> ,则无法登录ROLE_ADMIN

Here are the results that make me think that I'm on the right track: 以下是使我认为自己走在正确轨道上的结果:

https://image.ibb.co/nuyODT/Forum1.png https://image.ibb.co/nuyODT/Forum1.png

https://image.ibb.co/icMAtT/Forum2.png https://image.ibb.co/icMAtT/Forum2.png

https://image.ibb.co/kguftT/Forum3.png https://image.ibb.co/kguftT/Forum3.png

https://image.ibb.co/f4p8f8/Forum4.png https://image.ibb.co/f4p8f8/Forum4.png

Do you have any idea for this problem? 您有这个问题的主意吗?

1 个解决方案

解决方案1
 0  2018-11-03 10:05:43

This section should be: 本节应为:

The mistake is the value of bean contructor where you should use the base DC=company,DC=com and not all the distinguised name until the organization unit. 错误是bean构造器的值,在该值之前,应使用基本DC = company,DC = com,而不是组织单位之前的所有专有名称。 

    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="DC=company,DC=com"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="rolePrefix" value="" />
</beans:bean>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Sonarqube 5.6 LTS和LDAP 2插件Active Directory配置不起作用 - Sonarqube 5.6 LTS & LDAP 2 plugin Active Directory configuration does not work loopback-component-passport对ldap /活动目录不起作用 - loopback-component-passport does not work for ldap/ active directory Active Directory LDAP示例 - Active Directory LDAP sample 活动目录和LDAP库 - Active directory and LDAP libraries Active Directory的LDAP路径 - LDAP path for Active Directory 在Active Directory上进行LDAP搜索 - LDAP Search on Active Directory Active Directory,LDAP UserPrincipal - Active Directory, LDAP UserPrincipal LDAP Active Directory路径 - LDAP Active Directory path 如何转换grails 2 LDAP Active Directory值以使用Spring Boot - How to translate grails 2 LDAP Active Directory values to work with Spring Boot 配置Spring Security Ldap 3.0与Active Directory LDS一起使用 - Configuring Spring Security Ldap 3.0 to work with Active Directory LDS
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM