Authentication with Spring-Security via Active Directory LDAP
I can't authenticate using a real Active Directory. Let me explain better: I tried to authenticate using the example proposed by spring.io without problems, where an internal service is started without any problem. Reference: https://spring.io/guides/gs/authenticating-ldap/

I tried to modify the code below by inserting the configuration of my Active Directory, without success. Can you kindly guide me or show me a real case where a true connection is made without using internal services like those in the examples? I looked on the net but found everything similar to the official example, without any real case.
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
            // DN pattern relative to the base DN given in the URL; {0} is the submitted username
            .userDnPatterns("uid={0},ou=people")
            .groupSearchBase("ou=groups")
            .contextSource()
                // embedded LDAP server started by the spring.io guide
                .url("ldap://localhost:8389/dc=springframework,dc=org")
                .and()
            // compares the submitted password against the userPassword attribute of the entry
            .passwordCompare()
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");
}
Error shown: Uncategorized exception occurred during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
Yeah, authentication via LDAP is too painful. In order to be able to perform authentication to AD you need to use the ActiveDirectoryLdapAuthenticationProvider. Here is the working sample:
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Override
protected void configure(AuthenticationManagerBuilder auth) {
    // the domain is used to build the bind principal: "jdoe" becomes "jdoe@domain.com"
    ActiveDirectoryLdapAuthenticationProvider adProvider =
            new ActiveDirectoryLdapAuthenticationProvider("domain.com", "ldap://localhost:8389");
    // map AD sub-error codes (data 52e, 533, 775, ...) to specific AuthenticationExceptions
    adProvider.setConvertSubErrorCodesToExceptions(true);
    // keep the submitted password as the credentials of the resulting Authentication
    adProvider.setUseAuthenticationRequestCredentials(true);
    auth.authenticationProvider(adProvider);
}
And to save your time just read the following, that's really important: AD authentication doc
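Added example (not code from the question or from this answer): the provider above wired into a complete configuration class, with the reasoning in the comments. Everything environment-specific is an assumption: the domain corp.example.com, the domain controller dc01.corp.example.com, the base DN, the class name AdSecurityConfig and the AD group names AppUsers and AppAdmins. It uses ldaps:// rather than ldap:// because the provider authenticates with a simple bind, which sends the user's password to the domain controller in the clear unless the connection is TLS.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed placeholders: the AD DNS domain, an LDAPS endpoint on a domain controller,
    // and the OU that holds the user accounts (narrower than the domain root).
    private static final String AD_DOMAIN = "corp.example.com";
    private static final String AD_URL = "ldaps://dc01.corp.example.com:636";
    private static final String AD_USER_BASE = "ou=Users,dc=corp,dc=example,dc=com";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL, AD_USER_BASE);

        // The provider binds AS THE USER ("jdoe" -> "jdoe@corp.example.com") and then searches
        // for the user's entry over that authenticated connection. No anonymous search and no
        // password compare: AD refuses unauthenticated searches (error 1, data 000004DC) and
        // never returns userPassword, so a userDnPatterns/passwordCompare setup cannot work.
        // In the filter, {0} is the bind principal (UPN) and {1} the username exactly as typed.
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={1}))");

        // Turn AD's "data 52e / 533 / 775 ..." sub-codes into BadCredentials/Disabled/Locked...
        provider.setConvertSubErrorCodesToExceptions(true);
        // Keep the password the user submitted as the credentials of the resulting token;
        // the AD entry carries no readable password, so there is nothing else to use.
        provider.setUseAuthenticationRequestCredentials(true);

        // memberOf groups arrive as bare authorities ("AppUsers"): prefix and upper-case them
        // so hasRole("APPUSERS") matches. Only direct memberships appear in memberOf.
        SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authorityMapper.setConvertToUpperCase(true);
        provider.setAuthoritiesMapper(authorityMapper);

        // Bound the time spent talking to an unreachable DC (standard JNDI properties).
        Map<String, Object> env = new HashMap<>();
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        provider.setContextEnvironmentProperties(env);

        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("APPADMINS")   // AD group "AppAdmins" (assumed)
                .anyRequest().hasRole("APPUSERS")                // AD group "AppUsers" (assumed)
                .and()
            .formLogin()
                .and()
            .logout();
    }
}
```

The JVM must trust the certificate chain the domain controller presents over LDAPS; import the internal CA into the truststore rather than disabling validation. Because authorities are derived from the user's memberOf attribute, nested group membership is not visible to hasRole() without an additional lookup.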
I found a sample over here, which was useful: https://github.com/sachin-awati/Mojito/tree/master/webapp/src/main/java/com/box/l10n/mojito/security
You can optionally implement UserDetailsContextMapperImpl, which overrides mapUserFromContext to create the UserDetails object if the user is not found during the Active Directory lookup (loadUserByUsername).
import java.util.Collection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.springframework.stereotype.Component;
@Component
public class UserDetailsContextMapperImpl implements UserDetailsContextMapper {
    // the application's own user service (assumed to exist as a bean in the answerer's project)
    @Autowired private UserDetailsServiceImpl userDetailsServiceImpl;
    @Override
    public UserDetails mapUserFromContext(DirContextOperations dirContextOperations, String username, Collection<? extends GrantedAuthority> authorities) {
        UserDetails userDetails = null;
        try {
            userDetails = userDetailsServiceImpl.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // first login: create a local user from the attributes AD returned for this entry
            String givenName = dirContextOperations.getStringAttribute("givenname");
            String surname = dirContextOperations.getStringAttribute("sn");
            String commonName = dirContextOperations.getStringAttribute("cn");
            userDetails = userDetailsServiceImpl.createBasicUser(username, givenName, surname, commonName);
        }
        return userDetails;
    }
    @Override public void mapUserToContext(UserDetails user, DirContextAdapter ctx) { throw new UnsupportedOperationException(); }
}
Ensure you are using the ActiveDirectoryLdapAuthenticationProvider Spring Security class, as Active Directory has its own nuances compared to other LDAP servers. You'll probably need to be using the @EnableGlobalAuthentication annotation in your security configuration class, as you can have multiple AuthenticationManagerBuilders, which confuses things a lot.
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // the domain becomes the UPN suffix for the bind ("jdoe" -> "jdoe@domain.com");
    // the URL points at a real domain controller rather than an embedded server
    ActiveDirectoryLdapAuthenticationProvider adProvider =
            new ActiveDirectoryLdapAuthenticationProvider("domain.com", "ldap://primarydc.domain.com:389");
    // map AD sub-error codes to specific AuthenticationExceptions instead of a generic failure
    adProvider.setConvertSubErrorCodesToExceptions(true);
    // keep the submitted password as the credentials of the resulting Authentication
    adProvider.setUseAuthenticationRequestCredentials(true);
    auth.authenticationProvider(adProvider);
}
More details here: https://github.com/spring-projects/spring-security/issues/4324 and https://github.com/spring-projects/spring-security/issues/4571
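Both this answer and the earlier one by Yaroslav Kiryak call setConvertSubErrorCodesToExceptions(true). With that on, the provider reads the AD sub-code in the bind failure and raises CredentialsExpiredException for data 532 and 773, DisabledException for 533, AccountExpiredException for 701, LockedException for 775 and BadCredentialsException for every other code (525 unknown user, 52e wrong password, 530 logon restriction, ...). The default login page prints the exception message, so an unauthenticated client can tell a locked or disabled account from a wrong password. The added example below (not part of any answer on this page) is a failure handler that keeps that detail in the server log and returns one generic error to the browser; the class name AdLoginFailureHandler and the /login?error target are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/**
 * Logs the precise AD account state that ActiveDirectoryLdapAuthenticationProvider reports
 * when convertSubErrorCodesToExceptions is on, but hands the browser one generic failure.
 */
public class AdLoginFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    private static final Logger log = LoggerFactory.getLogger(AdLoginFailureHandler.class);

    public AdLoginFailureHandler() {
        super("/login?error"); // assumed login page; a single target regardless of the cause
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Server side: keep the detail, it is what the help desk and the SOC need.
        log.warn("AD login failed for user '{}' from {}: {}",
                request.getParameter("username"), request.getRemoteAddr(), describe(exception));

        // Client side: the parent stores the exception in the session as
        // SPRING_SECURITY_LAST_EXCEPTION and the default login page prints its message,
        // so substitute a generic one before delegating.
        super.onAuthenticationFailure(request, response,
                new BadCredentialsException("Invalid username or password"));
    }

    /** Maps the exception type the provider raised back to the AD sub-code family it came from. */
    static String describe(AuthenticationException ex) {
        if (ex instanceof LockedException) {
            return "account locked out (data 775)";
        }
        if (ex instanceof DisabledException) {
            return "account disabled (data 533)";
        }
        if (ex instanceof AccountExpiredException) {
            return "account expired (data 701)";
        }
        if (ex instanceof CredentialsExpiredException) {
            return "password expired or must be changed at next logon (data 532 / 773)";
        }
        if (ex instanceof BadCredentialsException) {
            return "unknown user, wrong password or logon restriction (data 525 / 52e / 530 / other)";
        }
        return ex.getClass().getSimpleName() + ": " + ex.getMessage();
    }
}
```

Register it with `.formLogin().failureHandler(new AdLoginFailureHandler())` in the HttpSecurity configuration. If the application needs to send users with an expired password to a self-service reset page, branch on CredentialsExpiredException inside the handler rather than exposing the message to everyone who fails to log in.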
The solution is the post of Yaroslav Kiryak.