
Multiple CN groups authentication with Active Directory LDAP

Using Active Directory with Spring for LDAP, if I specify the exact directory (base) of the search, for example String base="CN=Administrators", search/authentication finds the user, but if I pass it to the method .authenticate(String base="", filter, password), where base is an empty string, then it does not find the user and gives an error:

ldapTemplate.authenticate("", MessageFormat.format("(SamAccountName={0})", login), "password")

//error
org.springframework.ldap.PartialResultException: Unprocessed Continuation Reference(s); 
nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s);
remaining name '/'

Moreover, if I connect to OpenLDAP and not to Active Directory, it allows me to specify an empty string LdapTemplate.authenticate(String base="", filter, password) and finds the user. As I understand it, OpenLDAP allows searching through all groups, which is what I need.

For example, I have several CN groups like CN=Administrators, CN=FreeUsers, CN=System etc. with many CN users inside. How can I allow Active Directory to search through all of them on authenticate?

I solved this issue by adding configuration to LdapTemplate. Now the template finds users in AD without specifying the base.

was

@Bean
public LdapTemplate ldapTemplate() {
    LdapTemplate ldapTemplate = new LdapTemplate(contextSource());
    return ldapTemplate;
}

now

@Bean
public LdapTemplate ldapTemplate() {
    LdapTemplate ldapTemplate = new LdapTemplate(contextSource());
    ldapTemplate.setIgnorePartialResultException(true);
    return ldapTemplate;
}

Active Directory doesn't like an empty string unless the search scope is set to base to discover the RootDSE. Nevertheless, Active Directory supports the LDAP_SERVER_SEARCH_OPTIONS_OID control, especially the control value SERVER_SEARCH_FLAG_PHANTOM_ROOT:

This enables search bases such as the empty string, which would cause the server to search all of the NC replicas (except for application NCs on AD DS DCs) that it holds.

Using Spring for LDAP, you probably have to inherit from AbstractRequestControlDirContextProcessor.java. You may take inspiration from other controls already defined and include this new control in your search.
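Putting the second answer into practice, here is an added example (not from the thread) of a DirContextProcessor that sends the phantom-root search option with an empty base and then binds as the user it found; the class and method names are my own, and the control OID and flag value are taken from Microsoft's MS-ADTS documentation, not from this page. It also replaces the question's MessageFormat filter with an escaping EqualsFilter, so a crafted login cannot alter the search filter.

```java
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import java.util.List;
import org.springframework.ldap.control.AbstractRequestControlDirContextProcessor;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapUtils;

/** Attaches LDAP_SERVER_SEARCH_OPTIONS_OID with SERVER_SEARCH_FLAG_PHANTOM_ROOT to a search. */
public class PhantomRootSearchProcessor extends AbstractRequestControlDirContextProcessor {
    // OID and flag value per MS-ADTS (assumed here; the thread names only the constants).
    private static final String SEARCH_OPTIONS_OID = "1.2.840.113556.1.4.1340";
    private static final int PHANTOM_ROOT = 2;

    @Override
    public Control createRequestControl() {
        // Control value is BER-encoded SEQUENCE { INTEGER flags }: 30 03 02 01 02
        byte[] value = {0x30, 0x03, 0x02, 0x01, (byte) PHANTOM_ROOT};
        return new BasicControl(SEARCH_OPTIONS_OID, true, value);
    }

    @Override
    public void postProcess(DirContext ctx) throws NamingException {
        // Request-only control: the server sends nothing back to read here.
    }

    /** Resolves the user's DN across all naming contexts, then performs a simple bind with the password. */
    public static boolean authenticate(LdapTemplate ldapTemplate, ContextSource contextSource,
                                       String login, String password) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // we only need the DN, not attributes
        // EqualsFilter escapes special characters in the value; MessageFormat does not.
        String filter = new EqualsFilter("sAMAccountName", login).encode();
        List<String> dns = ldapTemplate.search("", filter, sc,
                (Object ctx) -> ((DirContextAdapter) ctx).getNameInNamespace(),
                new PhantomRootSearchProcessor());
        if (dns.size() != 1) return false; // unknown user or ambiguous match: refuse rather than guess
        try {
            // getContext binds as the user; a bad password raises a runtime NamingException
            LdapUtils.closeContext(contextSource.getContext(dns.get(0), password));
            return true;
        } catch (RuntimeException e) {
            return false;
        }
    }
}
```

Because the search targets the empty base with the control set, the LdapTemplate does not need setIgnorePartialResultException(true), which would otherwise silently drop referrals for users held in other naming contexts.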
