
我必须在 JBoss 7.1 下配置 LDAP 身份验证,但是当我尝试使用我的凭据时遇到问题。我的配置是这样的:

<!-- NOTE(review): LdapLoginModule builds the bind DN only from principalDNPrefix + login name +
     principalDNSuffix. The baseFilter/baseCtxDN options below are documented for
     LdapExtLoginModule, which first searches the user's entry by filter (e.g. "(uid={0})") and
     then binds as the DN it found - that is the module normally used when the login name (uid)
     differs from the entry's RDN attribute (suid). Confirm against the PicketBox docs for 7.1. -->
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <!-- plain ldap:// with "simple" authentication sends the user's password in the clear;
         prefer ldaps:// (or StartTLS) anywhere outside a lab -->
    <module-option name="java.naming.provider.url" value="ldap://domain.com:389"/>
    <module-option name="java.naming.security.authentication" value="simple"/>
    <module-option name="java.naming.referral" value="follow"/>
    <module-option name="baseFilter" value="(uid={0})"/>
    <module-option name="baseCtxDN" value="ou=people,dc=domain,dc=com"/>
    <module-option name="throwValidateError" value="true"/>
    <!-- bind DN = "suid=" + <login name> + ",ou=people,dc=domain,dc=com" -->
    <module-option name="principalDNPrefix" value="suid="/>
    <module-option name="principalDNSuffix" value=",ou=people,dc=domain,dc=com"/>
    <module-option name="searchTimeLimit" value="5000"/>
    <module-option name="searchScope" value="ONELEVEL"/>
    <!-- NOTE(review): consider adding allowEmptyPasswords=false; some directories treat a bind
         with a DN and an empty password as an anonymous (successful) bind -->
</login-module>

“uid”表示用于登录的用户名(“姓氏”),“suid”表示唯一的 id。因此,当我尝试在我的 Java 类中使用 LDAP 时,它可以工作:

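// Direct JNDI bind as the user's real DN. The DN is written with "suid=" (the same prefix the
// principalDNPrefix option above uses), which is why this works while the JBoss login fails.
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// "simple" over a plain ldap:// URL sends the password in the clear; use ldaps:// outside a lab.
env.put(Context.PROVIDER_URL, "ldap://domain.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "suid=123456789001234,ou=people,dc=st,dc=com");
env.put(Context.REFERRAL, "follow");
env.put(Context.SECURITY_CREDENTIALS, "123456"); // placeholder; never hard-code a real password
DirContext directoryContext = new InitialDirContext(env); // the bind happens here
try {
    // ... use directoryContext ...
} finally {
    // DirContext is not AutoCloseable; release the LDAP connection explicitly.
    directoryContext.close();
}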

但是,我不知道如何配置 JBoss 把 uid 转换为 suid(例如,把“姓氏”转换为“123456789001234”)。




我设法用 jldap 连接上了:

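// Two-step login: (1) search the user's entry by display name to learn its suid,
// (2) bind as "suid=<value>,ou=people,..." with the password the user typed.
// NOTE(review): the filter is a fixed literal here; if it is ever built from user input the
// value must be escaped (RFC 4515), otherwise the search is open to LDAP filter injection.
LDAPConnection conn = new LDAPConnection();
LDAPConnection tmp = null;
try {
    conn.connect("ldap.mycompany.com", 389);
    LDAPSearchResults searchResults = conn.search("ou=people,dc=mycompany,dc=com",
        LDAPConnection.SCOPE_ONE, "cn=Surname Name", null, false);

    String cnValue = null; // the entry's suid value, or null when no entry carries one
    if (searchResults.hasMore()) {
        LDAPEntry entry = searchResults.next();
        LDAPAttributeSet attrSet = entry.getAttributeSet();

        Iterator<LDAPAttribute> allAttrs = attrSet.iterator();
        while (allAttrs.hasNext() && cnValue == null) { // stop at the first suid
            LDAPAttribute attr = allAttrs.next();
            String attrName = attr.getName();
            System.out.println(attrName);
            if (attrName.equalsIgnoreCase("suid")) {
                cnValue = (String) attr.getStringValues().nextElement();
                System.out.println(cnValue);
            }
        }
    }

    if (cnValue == null) {
        // auth failed: the username does not exist (or has no suid). The original fell
        // through here and attempted a bind as "suid=null,...", so this branch must not continue.
        System.out.println("auth failed: no suid found for user");
    } else {
        // attempt a bind with the real DN and the given password ("MYPASSWORD" is a placeholder
        // for the password the user trying to log in supplied). Reaching the line after bind()
        // means the credentials are valid; an LDAPException is thrown if they are not.
        tmp = new LDAPConnection();
        tmp.connect("ldap.mycompany.com", 389);
        tmp.bind("suid=" + cnValue + "," + "ou=people,dc=mycompany,dc=com", "MYPASSWORD");
    }
} finally {
    // Release both connections whatever happened above; the original leaked them.
    if (tmp != null && tmp.isConnected()) {
        tmp.disconnect();
    }
    if (conn.isConnected()) {
        conn.disconnect();
    }
}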

但我没有设法将它用于我的 jboss 配置。

编辑:下面这段代码在 Java 中可以运行:

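String username = "surname name"; // fixed literal here; if taken from user input, escape it (RFC 4514) before building the DN

Hashtable<String, String> env = new Hashtable<String, String>(11);

boolean b = false;

env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ldap.mycompany.com:389");
// "simple" makes the provider actually bind with the DN/password below. The original used
// "none", which performs an anonymous bind and never checks the password - it printed
// "Success" for any credentials, so it did not validate the user at all.
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// NOTE(review): this DN only matches an entry whose RDN attribute is uid; the question's
// directory names entries by suid, which is why the uid= form fails there.
env.put(Context.SECURITY_PRINCIPAL, "uid="+ username +",ou=people,dc=mycompany,dc=com");
env.put(Context.SECURITY_CREDENTIALS, "PASS"); // placeholder; reject empty passwords before binding

DirContext ctx = null;
try {
    // Create initial context - the bind (and therefore the credential check) happens here
    ctx = new InitialDirContext(env);
    b = true;
} catch (NamingException e) {
    b = false;
    e.printStackTrace();
} finally {
    // Close the context when we're done, on both the success and the failure path
    if (ctx != null) {
        try {
            ctx.close();
        } catch (NamingException ignored) {
            // the bind already succeeded; a failed close changes nothing about the result
        }
    }
    if (b) {
        System.out.print("Success");
    } else {
        System.out.print("Failure");
    }
}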
于 2013-07-29T16:17:14.483 回答

在您的 LDAP 服务器中创建以下层次结构:

+ o=your-organization-name (partition) 
   + ou=users (organizationalUnit) 
      - uid=your-id-user (inetOrgPerson), add userPassword attribute 
   + ou=groups (organizationalUnit) 
      - cn=your-user-role (groupOfNames), add the uid before created

JBoss 7.1 (standalone.xml) 上的安全域:

 <subsystem xmlns="urn:jboss:domain:security:1.1">
            <security-domains>
             ...
 <security-domain name="SecurityRealm" cache-type="default">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <!-- plain ldap:// with "simple" authentication sends every user's password in the
                                 clear; use ldaps:// (or StartTLS) outside a lab -->
                            <module-option name="java.naming.provider.url" value="ldap://host-ldap-server:port-ldap-server/"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <!-- bind DN = "uid=" + <login name> + ",ou=users,o=your-organization-name" -->
                            <module-option name="principalDNPrefix" value="uid="/>
                            <module-option name="principalDNSuffix" value=",ou=users,o=your-organization-name"/>
                            <!-- roles: groupOfNames entries under ou=groups whose "member" attribute holds the
                                 user's full DN (matchOnUserDN=true); the role name is the group's cn -->
                            <module-option name="rolesCtxDN" value="ou=groups,o=your-organization-name"/>
                            <module-option name="uidAttributeID" value="member"/>
                            <module-option name="matchOnUserDN" value="true"/>
                            <module-option name="roleAttributeID" value="cn"/>
                            <module-option name="roleAttributeIsDN" value="false"/>
                            <!-- NOTE(review): consider adding allowEmptyPasswords=false; some directories treat a
                                 bind with a DN and an empty password as an anonymous (successful) bind -->
                        </login-module>
                    </authentication>
                </security-domain>
            </security-domains>

在你的 jboss-web.xml 中:

<security-domain>SecurityRealm</security-domain>

最重要的是:用户是否被允许访问该页面?(web.xml):

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <!-- Protected Areas -->
    <security-constraint>
         <display-name>Protected</display-name>
        <web-resource-collection>              
            <url-pattern>url-pages-you-want-protect</url-pattern>
            <!-- NOTE(review): listing http-method elements constrains ONLY those verbs; HEAD, PUT,
                 DELETE, OPTIONS etc. on the same URLs stay unprotected. Omit the http-method elements
                 to cover every verb (or use http-method-omission on Servlet 3.1+). -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>your-user-role</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- NONE lets the login form post the password over plain HTTP; CONFIDENTIAL forces HTTPS -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Validation By Form -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>your-login-page</form-login-page>
            <form-error-page>your-error-page</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Allowed Roles -->
    <security-role>
        <role-name>your-user-role</role-name>
    </security-role>
</web-app>

使用以下代码测试连接:

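/**
 * JAAS-level smoke test for the LdapLoginModule configuration shown above: installs a
 * programmatic {@link Configuration} whose options mirror the standalone.xml entry, logs in
 * with a real uid/password and checks the resulting principals and roles.
 *
 * Requires a reachable LDAP server; replace the host/port, DNs, uid and password placeholders.
 */
public class LoginModulesTestCase extends TestCase
{
   static
   {
      try
      {
         Configuration.setConfiguration(new TestConfig());
         System.out.println("Installed TestConfig as JAAS Configuration");
      }
      catch(Exception e)
      {
         e.printStackTrace();
      }
   }

   /** Hard coded login configurations for the test cases. The configuration
    name corresponds to the unit test function that uses the configuration.
    */
   static class TestConfig extends Configuration
   {
      public void refresh()
      {
      }

      /**
       * Resolves the configuration named {@code name} by invoking the same-named
       * no-arg method of this class via reflection.
       *
       * @param name the JAAS application name passed to {@link LoginContext}
       * @return the entries for {@code name}, or {@code null} when this class defines no
       *         such method (JAAS reads {@code null} as "no configuration for this name")
       */
      public AppConfigurationEntry[] getAppConfigurationEntry(String name)
      {
         try
         {
            Method m = getClass().getDeclaredMethod(name);
            return (AppConfigurationEntry[]) m.invoke(this);
         }
         catch(NoSuchMethodException e)
         {
            // Expected: LoginContext also probes fallback names (e.g. "other") we do not define.
            return null;
         }
         catch(Exception e)
         {
            // Previously swallowed silently, which only surfaced later as an unhelpful
            // "no LoginModules configured" failure; keep the real cause visible.
            e.printStackTrace();
            return null;
         }
      }

      /** Mirrors the LdapLoginModule options of the standalone.xml security domain above. */
      AppConfigurationEntry[] testLdapExample1()
      {
         String name = "org.jboss.security.auth.spi.LdapLoginModule";
         HashMap<String, Object> options = new HashMap<String, Object>();
         options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
         // plain ldap:// sends the password in the clear; use ldaps:// outside a lab
         options.put("java.naming.provider.url", "ldap://host-ldap-server:port-ldap-server/");
         options.put("java.naming.security.authentication", "simple");
         options.put("principalDNPrefix", "uid=");
         options.put("principalDNSuffix", ",ou=users,o=your-organization-name");
         options.put("rolesCtxDN", "ou=groups,o=your-organization-name");
         options.put("uidAttributeID", "member");
         options.put("matchOnUserDN", "true");
         options.put("roleAttributeID", "cn");
         options.put("roleAttributeIsDN", "false");
         AppConfigurationEntry ace = new AppConfigurationEntry(name,
         AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
         AppConfigurationEntry[] entry = {ace};
         return entry;
      }
   }

   public LoginModulesTestCase(String testName)
   {
      super(testName);
   }

   /**
    * Logs in through the "testLdapExample1" configuration and asserts that the subject
    * carries the uid principal and that its roles group contains the expected role.
    */
   @Test
   public void testLdapExample1() throws Exception
   {
      System.out.println("testLdapExample1");
      // Placeholders: a real uid and its password from the directory set up above.
      UsernamePasswordHandler handler = new UsernamePasswordHandler("your-uid", "your-uid-password".toCharArray());
      LoginContext lc = new LoginContext("testLdapExample1", handler);
      lc.login();
      try
      {
         Subject subject = lc.getSubject();
         System.out.println("Subject: "+subject);

         assertTrue("Principals contains your-uid", subject.getPrincipals().contains(new SimplePrincipal("your-uid")));
         Set<Group> groups = subject.getPrincipals(Group.class);
         // guard the iterator().next() below, which otherwise fails with an unhelpful NoSuchElementException
         assertFalse("Subject carries a roles group", groups.isEmpty());
         Group roles = groups.iterator().next();
         // the role name must equal the group's cn in the directory (the example above names it your-user-role)
         assertTrue("your-uid-role is a role", roles.isMember(new SimplePrincipal("your-uid-role")));
      }
      finally
      {
         // log out even when an assertion fails so the JAAS subject is not left logged in
         lc.logout();
      }
   }

}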

嘿,我想问你几个问题:

  • 您的 ldap 主机 = domain.com 吗?
  • 你的 ldap 端口 = 389?
  • 你的 ldap 服务器安装在哪里?
  • 是您组织的 ldap 分区 ou=people,dc=domain,dc=com?
  • 不要使用 suid,使用 uid 就像我向您展示的示例一样,uid 是唯一的
  • 您的 uid 是否位于 ou=people,dc=domain,dc=com 上?
  • 此代码是示例副本吗?
  • 我在自己的机器上使用 Apache Directory Server 作为 ldap 服务器,你用的是什么服务器?
  • 你的服务器在哪里?

如果你愿意,我可以帮你配置 Apache Directory Server,你只需要再提一个 stackoverflow 问题,并加上 jboss 7.x 和 ldap 标签。

于 2013-01-12T18:42:18.573 回答