0

I have a problem. I am trying to authenticate against AD through Spring Security, but I can't, because every time I see the following stack trace:

2013-10-10 11:22:18.923 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: Ivan.Ivanov
2013-10-10 11:22:18.924 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.s.FilterBasedLdapUserSearch - Searching for user 'Ivan.Ivanov', with user search [ searchFilter: '(&(sAMAccountName={0})(objectclass=user))', searchBase: 'DC=MyCompany,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-10-10 11:22:19.104 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Searching for entry in under DN '', base = 'DC=MyCompany,DC=com', filter = '(&(sAMAccountName={0})(objectclass=user))'
2013-10-10 11:22:19.114 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Found DN: cn=Ivanov Ivan,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.119 FET INFO  [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Ignoring PartialResultException
2013-10-10 11:22:19.121 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=Ivan.Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.122 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.303 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com

2013-10-10 11:22:19.304 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'Ivan.Ivanov', DN = 'cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com', with filter (uniqueMember={0}) in search base ''

2013-10-10 11:22:19.304 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Using filter: (uniqueMember=cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com)
2013-10-10 11:22:19.306 FET INFO  [http-apr-8080-exec-3] o.s.l.c.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-10-10 11:22:19.343 FET WARN  [http-apr-8080-exec-3] o.s.s.a.e.LoggerListener - Authentication event AuthenticationFailureServiceExceptionEvent: Ivan.Ivanov; details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: D2C31B0111572159FA65357E652352D4; exception: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:'' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:'' ]; remaining name ''

My *-security.xml configuration is:

 <authentication-manager alias="authenticationManager">
    <ldap-authentication-provider  server-ref="contextSource"
            user-search-base="OU=Deparment 1,OU=Users,OU=MyCompany JSC,OU=MyCompany Group,DC=MyCompany,DC=com"
            user-search-filter="(&amp;(sAMAccountName={0})(objectclass=user))"
            role-prefix="none">
    </ldap-authentication-provider>
</authentication-manager>

I don't want to check roles, I only want to check credentials! How can I turn off the role search?

In AD, the full path of my user is:

CN=Ivanov Ivan,OU=Department 1.1.1,OU=Department 1.1,OU=Department 1,OU=Users,OU=MyCompany JSC,OU=MyCompany Group,DC=MyCompany,DC=com

1 Answer

0

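The class LdapAuthenticationProvider uses a DefaultLdapAuthoritiesPopulator to search for groups. You can create and use a different LdapAuthoritiesPopulator implementation to assign roles, for example by looking in a database or just hard-coding them (if you only have one role).

See http://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.html for more details, including an example of how to wire up a custom authorities populator.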

answered 2013-10-10T09:48:22.493
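
The approach described in the answer above, as an added example that is not part of the original answer or of Spring Security's own code: a hard-coded LdapAuthoritiesPopulator wired into an LdapAuthenticationProvider so that only the search and bind run and no group search is issued. The class names `FixedRoleLdapSetup` and `FixedRolePopulator`, the role `ROLE_USER` and the `searchBase` parameter are assumptions; the search filter is the one from the question.

```java
import java.util.Collection;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

// Hypothetical helper class for illustration (Spring Security 3.1 API).
public class FixedRoleLdapSetup {

    /** Grants one hard-coded role and never queries the directory for groups. */
    static class FixedRolePopulator implements LdapAuthoritiesPopulator {
        @Override
        public Collection<? extends GrantedAuthority> getGrantedAuthorities(
                DirContextOperations userData, String username) {
            // "ROLE_USER" is an assumed role name; use whatever the application checks.
            return AuthorityUtils.createAuthorityList("ROLE_USER");
        }
    }

    /**
     * Builds a provider that finds the user by sAMAccountName, binds as the
     * DN that was found, and then assigns the fixed role.
     *
     * @param contextSource the same context source the XML refers to as "contextSource"
     * @param searchBase    user search base, relative to the context source's base DN
     */
    static LdapAuthenticationProvider provider(
            DefaultSpringSecurityContextSource contextSource, String searchBase) {
        FilterBasedLdapUserSearch search = new FilterBasedLdapUserSearch(
                searchBase,
                "(&(sAMAccountName={0})(objectclass=user))", // filter from the question
                contextSource);
        search.setSearchSubtree(true);

        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(search);

        // The two-argument constructor replaces the group-searching populator.
        return new LdapAuthenticationProvider(authenticator, new FixedRolePopulator());
    }
}
```

With a fixed populator, every directory account that binds successfully receives the same role, so any access rule keyed on that role applies to all AD users matched by the search filter.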