What login name to use for Spring LDAP authentication

Backend | Unresolved | 1 answer | 1117 views
旧时难觅i 2021-01-03 11:41

I created a local LDAP server and added the user "djiao" with password "123456

Trying to implement authentication with Spring Security with Spring Boot. My webco

1 answer
  • 2021-01-03 11:49

    From your code I could identify that you're using Spring Boot.

    This is what was working for us connecting to LDAP:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
            authBuilder
                .ldapAuthentication()
                // {0} is replaced with the login name the user typed into the form
                .userSearchFilter("(sAMAccountName={0})")
                .userSearchBase("dc=some,dc=domain,dc=com")
                .groupSearchBase("ou=groups,dc=some,dc=domain,dc=com")
                // in the group filter {0} is the full DN of the user found above
                .groupSearchFilter("member={0}")
                .contextSource()
                    .url("ldaps://<ldap-server>")
                    .port(639)
                    // service account used to bind and run the user/group searches
                    .managerDn("cn=binduser,ou=users,dc=some,dc=domain,dc=com")
                    .managerPassword("some pass");
        }
    }

    So in essence, for the userSearchFilter you'd have to define different values. If you use any LDAP besides AD, your filter should be "(uid={0})", or if you want people to be able to use their email you could also go for "(mail={0})", or a combination like "(|(uid={0})(mail={0}))" which would allow both.

    If you go for Active Directory – which I assume you do not, based on what you have written above – it should be the sAMAccountName as stated above, to allow people to just enter their ID in the domain like MYDOMAIN\myusername, so the login would just be myusername.

    If you need to connect to multiple LDAP servers that share the same information for HA purposes, you can do this through the .contextSource().url() call. If they carry different ones, e.g. 'EMEA', 'US', 'AP', you can combine these calls using:

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("dc=emea,dc=domain,dc=com")
            .groupSearchBase("ou=groups,dc=emea,dc=domain,dc=com")
            .groupSearchFilter("member={0}")
            .contextSource()
                .url("ldaps://<emea-ldap-server>")
                .port(639)
                .managerDn("cn=binduser,ou=users,dc=emea,dc=domain,dc=com")
                .managerPassword("some pass")
            .and()  // back from the context source to the EMEA LDAP configurer
            .and()  // back to the AuthenticationManagerBuilder
            // second LDAP provider; it is tried when the first one rejects the login
            .ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("dc=ap,dc=domain,dc=com")
            .groupSearchBase("ou=groups,dc=ap,dc=domain,dc=com")
            .groupSearchFilter("member={0}")
            .contextSource()
                .url("ldaps://<ap-ldap-server>")
                .port(639)
                .managerDn("cn=binduser,ou=users,dc=ap,dc=domain,dc=com")
                .managerPassword("some pass");
    }

    BTW: this also allows you to combine different authentication mechanisms like InMemory (Default-Admin-Backdoor) with LDAP and/or JDBC.

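The filter templates in the answer take the login name as the {0} argument; Spring hands that name to the LDAP layer as a filter argument, which escapes it per RFC 4515 before the search is sent. The following Python is an added example, not code from the question, the answer or Spring: it renders the answer's templates with a login name using the same escaping, shows that a login containing filter metacharacters still yields a single assertion on the intended attribute, and generalises the "(|(uid={0})(mail={0}))" combination to any number of attributes. The `FILTERS` table, `filter_encode`, `render_filter`, `or_filter` and `attribute_names` are this example's own names, and the sample logins are constructed.

```python
from __future__ import annotations

# Added example (not code from the question, the answer or Spring): renders the
# userSearchFilter templates from the answer with a login name substituted for
# {0}, applying the RFC 4515 escaping an LDAP client performs before the search.

# The filter templates from the answer; {0} is where the login name goes.
FILTERS = {
    "active-directory": "(sAMAccountName={0})",
    "generic-ldap": "(uid={0})",
    "email": "(mail={0})",
    "uid-or-email": "(|(uid={0})(mail={0}))",
}

# RFC 4515 section 3: these characters must appear as \XX inside an assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def filter_encode(value: str) -> str:
    """Escape a value so the server matches it literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, login: str) -> str:
    """Substitute the escaped login name for every {0} in a Spring-style template."""
    return template.replace("{0}", filter_encode(login))


def or_filter(*attributes: str) -> str:
    """Build a template accepting a login that matches any of the given attributes.

    Generalises the "(|(uid={0})(mail={0}))" combination from the answer to any
    number of attributes; a single attribute needs no OR wrapper.
    """
    if not attributes:
        raise ValueError("at least one attribute is required")
    clauses = "".join(f"({attr}={{0}})" for attr in attributes)
    return clauses if len(attributes) == 1 else f"(|{clauses})"


def attribute_names(filt: str) -> list[str]:
    """List the attribute names a server would compare, honouring \\XX escapes.

    Shows that an escaped login stays one assertion, whereas the same characters
    left unescaped would add assertions the filter author never wrote.
    """
    names: list[str] = []
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":                      # \XX escape: part of a value, never structure
            i += 3
        elif ch == "(" and i + 1 < len(filt) and filt[i + 1] in "|&!":
            i += 2                          # AND/OR/NOT operator, no attribute here
        elif ch == "(":
            end = filt.find("=", i + 1)
            if end == -1:
                break                       # malformed item, stop scanning
            names.append(filt[i + 1:end])
            i = end + 1
        else:
            i += 1
    return names


if __name__ == "__main__":
    # Constructed sample logins: the uid from the question and one that contains
    # filter metacharacters, which escaping turns into plain value bytes.
    for login in ("djiao", "djiao)(cn=*"):
        for name, template in FILTERS.items():
            rendered = render_filter(template, login)
            print(f"{name:17s} {login!r:16} -> {rendered}  attrs={attribute_names(rendered)}")
    print(or_filter("uid", "mail", "sAMAccountName"))
```

Running the block prints each template rendered for both logins; the second login is escaped to `djiao\29\28cn=\2a`, so `attribute_names` still reports only the attribute named in the template.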