Authenticate user in LDAP subtree (FilterBasedLdapUserSearch)
I am successfully authenticating and authorizing my user through LDAP:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

@Configuration
public class LdapConfig {

    @Autowired
    private Environment environment;

    @Bean
    BaseLdapPathContextSource contextSource() {
        final var url = environment.getRequiredProperty("spring.ldap.url");
        final var baseDn = environment.getRequiredProperty("spring.ldap.base");
        final var connectionString = url + "/" + baseDn;
        var contextSource = new DefaultSpringSecurityContextSource(connectionString);
        // Manager (service account) credentials used for the user search.
        contextSource.setUserDn(environment.getRequiredProperty("spring.ldap.userdn"));
        contextSource.setPassword(environment.getRequiredProperty("spring.ldap.password"));
        // Initialise only after all properties are set.
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    @Bean
    BindAuthenticator bindAuthenticator(final BaseLdapPathContextSource contextSource) {
        var bindAuthenticator = new BindAuthenticator(contextSource);
        bindAuthenticator.setUserDnPatterns(
                new String[] { environment.getRequiredProperty("spring.ldap.userdnpattern") });
        /*
        // Note: the search base given to FilterBasedLdapUserSearch is relative to the
        // base DN already configured on the context source.
        var userSearch =
                new FilterBasedLdapUserSearch(
                        environment.getRequiredProperty("spring.ldap.base"),
                        environment.getRequiredProperty("spring.ldap.searchfilter"),
                        contextSource);
        userSearch.setSearchSubtree(true);
        bindAuthenticator.setUserSearch(userSearch);
        */
        bindAuthenticator.afterPropertiesSet();
        return bindAuthenticator;
    }
}
with application.properties:
spring.ldap.url=ldap://pre-adcorp.myorg.example
spring.ldap.base=OU=IVR,OU=apps,DC=pre,DC=myorg
spring.ldap.userdnpattern=cn={0}
spring.ldap.searchfilter=(&(cn={0})(objectclass=user))
spring.ldap.roleattributes=memberOf
Now, the issue is that I am not comfortable with connecting to ldap://pre-adcorp.myorg.example/OU=IVR,OU=apps,DC=pre,DC=myorg because I think in the future I will need to authenticate other users that belong to OU=apps but who are part of other OUs (for example, OU=ABC,OU=apps...). So I want to be able to search in a subtree.
I have tried with the commented source code (using FilterBasedLdapUserSearch) but then I always get a 401 Unauthorized failure, with both ldap base "OU=IVR,OU=apps,DC=pre,DC=myorg" and "OU=apps,DC=pre,DC=myorg". What am I doing wrong?
UPDATE: I did create a wrapper for FilterBasedLdapUserSearch; it turns out that when invoking searchForUser(String) it throws a binding error:
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Aplicaciones,dc=pre,dc=aplssib'
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:228) ~[spring-ldap-core-2.4.0.jar:2.4.0]
	at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824) ~[spring-ldap-core-2.4.0.jar:2.4.0]
[...]
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]
	at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3300) ~[na:na]
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206) ~[na:na]
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997) ~[na:na]
Yet it is the same contextSource that I am using if I just search by setUserDnPatterns.
Answering only to avoid people wasting their time; in the end it was an issue of the bind credentials.
I still do not know how the initial solution worked.
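For anyone landing here with the same AD error: "000004DC ... a successful bind must be completed on the connection" is Active Directory refusing a search on a connection that never authenticated, which is exactly what happens when the manager bind fails or is never applied. The following configuration is an added example, not the poster's code, that does the subtree search the question asks for and checks the manager bind at startup. It assumes the same property keys as the question's application.properties, that spring.ldap.base is set to the parent OU (OU=apps,DC=pre,DC=myorg), and that Spring Security LDAP with Spring LDAP 2.4 is on the classpath; the class name and the verifyManagerBind helper are mine.

```java
// Added example (not from the original post). Assumes Spring Security LDAP with
// Spring LDAP 2.4 on the classpath and the property keys shown in the question;
// the class name and the verifyManagerBind helper are my own.
import javax.naming.directory.DirContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

@Configuration
public class LdapSubtreeAuthConfig {

    private final Environment environment;

    LdapSubtreeAuthConfig(Environment environment) {
        this.environment = environment;
    }

    @Bean
    BaseLdapPathContextSource contextSource() {
        // Point the context source at the top of the tree to cover,
        // e.g. spring.ldap.base=OU=apps,DC=pre,DC=myorg, not at one leaf OU.
        var url = environment.getRequiredProperty("spring.ldap.url");
        var baseDn = environment.getRequiredProperty("spring.ldap.base");
        var contextSource = new DefaultSpringSecurityContextSource(url + "/" + baseDn);
        // Manager (service account) credentials used for the user search.
        contextSource.setUserDn(environment.getRequiredProperty("spring.ldap.userdn"));
        contextSource.setPassword(environment.getRequiredProperty("spring.ldap.password"));
        contextSource.afterPropertiesSet();
        verifyManagerBind(contextSource);
        return contextSource;
    }

    /**
     * Fail fast at startup if the manager credentials do not bind. Active Directory
     * rejects searches on an unauthenticated connection with
     * "000004DC ... a successful bind must be completed on the connection", which
     * otherwise only surfaces as a 401 on every login attempt.
     */
    static void verifyManagerBind(BaseLdapPathContextSource contextSource) {
        try {
            DirContext ctx = contextSource.getReadOnlyContext(); // binds with userDn/password
            ctx.close();
        } catch (javax.naming.NamingException | org.springframework.ldap.NamingException e) {
            throw new IllegalStateException("LDAP manager bind failed for "
                    + contextSource.getBaseLdapPathAsString() + ": " + e.getMessage(), e);
        }
    }

    @Bean
    BindAuthenticator bindAuthenticator(BaseLdapPathContextSource contextSource) {
        // The search base is RELATIVE to the context source's base DN, so "" means
        // "start at OU=apps,DC=pre,DC=myorg". Passing the full DN again would search
        // OU=apps,...,OU=apps,... which does not exist.
        var userSearch = new FilterBasedLdapUserSearch(
                "",
                environment.getRequiredProperty("spring.ldap.searchfilter"), // (&(cn={0})(objectclass=user))
                contextSource);
        userSearch.setSearchSubtree(true); // descend into OU=IVR, OU=ABC, ... under OU=apps

        var authenticator = new BindAuthenticator(contextSource);
        // BindAuthenticator needs either userDnPatterns or a userSearch; with the search
        // in place the user's DN comes from the directory, so no cn={0} pattern is set.
        authenticator.setUserSearch(userSearch);
        authenticator.afterPropertiesSet();
        return authenticator;
    }
}
```

With this in place a wrong manager password stops the application at startup with a clear message instead of producing the 401 seen in the question; the user's own bind still happens per login, against the DN the subtree search returned.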
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, credit this site or the original source. Questions: yoyou2525@163.com.