
I am trying to authenticate LDAP users for an application deployed in JBoss. User authentication works fine, but in the user field I have to type the full name; the username does not work.

I would like to know whether the problem is the LDAP configuration or whether I have left out some configuration parameter in login-config.xml.

This is the code of login-config.xml:

```xml
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://ldap-server-ip:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>

    <module-option name="principalDNPrefix">CN=</module-option>
    <module-option name="principalDNSuffix">,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL</module-option>

    <module-option name="baseCtxDN">ou=LIMIT - CECOMASA,dc=LIMIT_CECOMASA,dc=LOCAL</module-option>
    <module-option name="baseFilter">(sAMAccountName={0})</module-option>
    <module-option name="uidAttributeID">member</module-option>
    <module-option name="matchOnUserDN">true</module-option>

    <module-option name="rolesCtxDN">ou=LIMIT - CECOMASA,dc=LIMIT_CECOMASA,dc=LOCAL</module-option>
    <module-option name="roleFilter">(member={0})</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <!-- module-option name="roleAttributeIsDN">true</module-option -->

    <module-option name="searchTimeLimit">10000</module-option>
    <module-option name="searchScope">SUBTREE_SCOPE</module-option>

</login-module>
```

This is my user's LDIF entry on the LDAP server:

```ldif
dn: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Andreu Serra
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=LIMIT_CECOMASA,DC=LO
 CAL
accountExpires: 9223372036854775807
badPasswordTime: 130576882951482672
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: Andreu Serra
distinguishedName: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,D
 C=LIMIT_CECOMASA,DC=LOCAL
givenName: Andreu
homeMDB:: Q049QWxtYWPDqW4gZGVsIGJ1esOzbiAoU0VSVkVSMDApLENOPVByaW1lciBncnVwby
 BkZSBhbG1hY2VuYW1pZW50byxDTj1JbmZvcm1hdGlvblN0b3JlLENOPVNFUlZFUjAwLENOPVNlc
 nZlcnMsQ049UHJpbWVyIGdydXBvIGFkbWluaXN0cmF0aXZvLENOPUFkbWluaXN0cmF0aXZlIEdy
 b3VwcyxDTj1MSU1JVCAtIENFQ09NQVNBLENOPU1pY3Jvc29mdCBFeGNoYW5nZSxDTj1TZXJ2aWN
 lcyxDTj1Db25maWd1cmF0aW9uLERDPUxJTUlUX0NFQ09NQVNBLERDPUxPQ0FM
homeMTA: CN=Microsoft MTA,CN=SERVER00,CN=Servers,CN=Primer grupo administrat
 ivo,CN=Administrative Groups,CN=LIMIT - CECOMASA,CN=Microsoft Exchange,CN=S
 ervices,CN=Configuration,DC=LIMIT_CECOMASA,DC=LOCAL
lastLogoff: 0
lastLogon: 130578294930208368
legacyExchangeDN: /o=LIMIT - CECOMASA/ou=Primer grupo administrativo/cn=Reci
 pients/cn=andreus
logonCount: 481
mail: andreus@limit.es
mailNickname: andreus
mDBUseDefaults: TRUE
memberOf: CN=RSC_ADMIN,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECO
 MASA,DC=LOCAL
memberOf: CN=TerminalServer,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
memberOf: CN=Dept. Programari,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIM
 IT_CECOMASA,DC=LOCAL
msExchALObjectVersion: 57
msExchHomeServerName: /o=LIMIT - CECOMASA/ou=Primer grupo administrativo/cn=
 Configuration/cn=Servers/cn=SERVER00
msExchMailboxGuid:: Xff5XoFGiUyq6szgBxtZbw==
msExchMailboxSecurityDescriptor:: AQAE77+9eAAAAO+/vQAAAAAAAAAUAAAABABkAAEAAA
 AAAhQAAwACAAEBAAAAAAAFCgAAAEkATQBJAFQAXwBDAEUAQwBPAE0AQQBTAEEALwBjAG4APQBDA
 G8AbgBmAGkAZwB1AHIAYQB0AGkAbwBuAC8AYwBuAD0AAADvv70BAQUAAAAAAAUVAAAA77+9Cu+/
 vRF877+9JA1DFwoy77+9AQAAAQUAAAAAAAUVAAAA77+9Cu+/vRF877+9JA1DFwoy77+9AQAA
msExchPoliciesIncluded: {C2EA965C-E5EE-4990-9447-1B5A7745E80C},{26491CFC-9E5
 0-4857-861B-0CB8DF22B5D7}
msExchUserAccountControl: 0
name: Andreu Serra
objectGUID:: R0ByiBmTN0WR4x/c6bruEw==
objectSid:: AQUAAAAAAAUVAAAAuwraEXzrJA1DFwoyqgcAAA==
primaryGroupID: 513
proxyAddresses: smtp:andreus@LIMIT_CECOMASA.LOCAL
proxyAddresses: X400:c=us;a= ;p=LIMIT - CECOMASA;o=Exchange;s=Serra;g=Andreu
 ;
proxyAddresses: SMTP:andreus@limit.es
pwdLastSet: 130410870859571872
sAMAccountName: andreus
sAMAccountType: 805306368
showInAddressBook: CN=Lista global de direcciones predeterminada,CN=All Glob
 al Address Lists,CN=Address Lists Container,CN=LIMIT - CECOMASA,CN=Microsof
 t Exchange,CN=Services,CN=Configuration,DC=LIMIT_CECOMASA,DC=LOCAL
showInAddressBook: CN=Todos los usuarios,CN=All Address Lists,CN=Address Lis
 ts Container,CN=LIMIT - CECOMASA,CN=Microsoft Exchange,CN=Services,CN=Confi
 guration,DC=LIMIT_CECOMASA,DC=LOCAL
sn: Serra
textEncodedORAddress: c=us;a= ;p=LIMIT - CECOMASA;o=Exchange;s=Serra;g=Andre
 u;
userAccountControl: 66048
userPrincipalName: andreus@LIMIT_CECOMASA.LOCAL
uSNChanged: 5052147
uSNCreated: 5052138
whenChanged: 20140404121211.0Z
whenCreated: 20140404121125.0Z
```

The only problem is that in the authentication popup I have to enter Andreu Serra / password instead of the expected andreus / password. I have already tried a thousand combinations for the login module, and I hope that number 1001 will be the good one.
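As an added illustration (not part of the question and not JBoss code), the Python below models why the full name is accepted and the short name is not: LdapLoginModule builds the bind DN as principalDNPrefix + typed login + principalDNSuffix with no directory lookup, whereas a filter like `(sAMAccountName={0})` only takes effect in a module that searches for the user's DN before binding, as LdapExtLoginModule does. The LDIF excerpt is constructed from the entry above; `parse_ldif`, `compose_dn`, `dn_exists` and `search_dn` are hypothetical helper names.

```python
import base64

# Constructed excerpt of the question's LDIF entry; the folded line and the
# base64 '::' value are kept on purpose so the parser has to handle them.
LDIF = """\
dn: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
cn: Andreu Serra
distinguishedName: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,D
 C=LIMIT_CECOMASA,DC=LOCAL
objectGUID:: R0ByiBmTN0WR4x/c6bruEw==
sAMAccountName: andreus
"""
# principalDNPrefix / principalDNSuffix exactly as in the login-config.xml above
PREFIX = "CN="
SUFFIX = ",OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL"

def parse_ldif(text):
    """One LDIF record -> {attr: [values]}. Unfolds RFC 2849 continuation
    lines (leading space) and decodes 'attr:: base64' values to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join folded line to the previous one
        elif raw:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry

def compose_dn(login):
    """LdapLoginModule style: prefix + typed login + suffix, no lookup at all."""
    return PREFIX + login + SUFFIX

def dn_exists(entries, dn):
    """Would the composed DN name a real entry? DNs compare case-insensitively."""
    return any(dn.lower() == e["dn"][0].lower() for e in entries)

def search_dn(entries, attr, login):
    """Search-first style, as (sAMAccountName={0}) expresses: DN of the match or None."""
    for e in entries:
        if login in e.get(attr, []):
            return e["dn"][0]
    return None

ENTRIES = [parse_ldif(LDIF)]
```

With the composed DN only the login "Andreu Serra" names an existing entry, while the search-first lookup resolves "andreus" to that same DN.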


2 Answers


Try

```xml
<module-option name="matchOnUserDN">false</module-option>
<module-option name="uidAttributeID">sAMAccountName</module-option>
```

-Jim

answered 2014-10-17T09:26:43.860

What happened was an LDAP configuration error. Usually the LDAP user identifier (uid) is used to form the DN (Distinguished Name), but in our LDAP the short name is used. Fortunately, in the LDAP client it works as expected.

answered 2015-04-24T13:22:29.470