
I am trying to implement Active Directory authentication with ActiveDirectoryLdapAuthenticationProvider on JBoss EAP 6.3.

If the user ID being authenticated is locked/expired, I get an unexpected exception.

org.springframework.ldap.UncategorizedLdapException:
Uncategorized exception occured during LDAP processing;
nested exception is javax.naming.NamingException:
JBAS011843: Classloader ModuleClassLoader for Module
"deployment.multildap.war:main" from Service Module Loader
failed to instanciate InitialContextFactory 
com.sun.jndi.ldap.LdapCtxFactory [Root exception is
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
    comment: AcceptSecurityContext error, data 533, v1db1 ]]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217) [spring-ldap-core-1.3.2.RELEASE.jar:1.3.2.RELEASE]
at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:187) [spring-security-ldap-3.2.5.RELEASE.jar:3.2.5.RELEASE]
...

My configuration is as follows; it works on Tomcat 8.

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="adAuthenticationProvider" />
</authentication-manager>

<beans:bean id="adAuthenticationProvider"
    class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="DOMAIN_NAME.COM" />
    <beans:constructor-arg value="ldap://my-comain-controller/" />
</beans:bean>

I dug into the ActiveDirectoryLdapAuthenticationProvider source, and the bindAsUser method has the following section:

try {
    // Bind to the directory as the user being authenticated
    return contextFactory.createContext(env);
} catch (NamingException e) {
    // Only a direct AuthenticationException / OperationNotSupportedException
    // is treated as a failed login (BadCredentialsException)
    if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) {
        handleBindException(bindPrincipal, e);
        throw badCredentials(e);
    } else {
        // Anything else becomes an UncategorizedLdapException
        throw LdapUtils.convertLdapException(e);
    }
}

But in JBoss, the NamingException that is thrown does not appear to be an instance of AuthenticationException or OperationNotSupportedException. Those are wrapped as the root cause, and the exception itself is a plain NamingException.

A quick and dirty fix might add a few extra lines in the else branch, like this:

// Look one level down: JBoss wraps the real bind failure as the root cause
Throwable rootCause = e.getRootCause();
if ((rootCause instanceof AuthenticationException) || (rootCause instanceof OperationNotSupportedException)) {
    handleBindException(bindPrincipal, (NamingException) rootCause);
    throw badCredentials(rootCause);
} else {
    throw LdapUtils.convertLdapException(e);
}

Has anyone had a similar problem and/or a better solution?

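As an added example (not part of the question above, and not Spring Security's or JBoss's own code), the stand-alone Java class below does what the proposed else-branch patch does, but walks the whole cause chain instead of looking exactly one level down, so the same code classifies both the JBoss-wrapped exception and the direct AuthenticationException that Tomcat raises. The three sample exceptions are constructed after the trace in the question; the sub-code table is the standard Active Directory list of `data` values returned with LDAP error 49 (in that table the trace's `data 533` is "account disabled"). The point that matters for security: when the wrapped bind failure is not recognised, a routine failed login for a disabled or locked account is surfaced as an uncategorized server error that carries the domain controller's diagnostic string, instead of as a BadCredentialsException; the unwrapping reclassifies only authentication-type causes, so a genuinely unreachable directory still surfaces as an error rather than being mistaken for a wrong password.

```java
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: find the real bind failure behind a container-wrapped
 * NamingException and classify it the way the provider's bindAsUser would
 * if the failure had been thrown directly.
 */
public class BindFailureUnwrapDemo {

    // AD appends its sub-error after "data " in the diagnostic message, e.g. "data 533".
    private static final Pattern AD_SUBCODE = Pattern.compile("data\\s+([0-9a-fA-F]+)");

    /**
     * Walks the cause chain starting at the exception the context factory threw.
     * Returns the first AuthenticationException or OperationNotSupportedException
     * found, or null if the failure is something else (DC unreachable, bad URL, ...).
     */
    static NamingException findBindFailure(NamingException thrown) {
        Throwable t = thrown;
        while (t != null) {
            if (t instanceof AuthenticationException || t instanceof OperationNotSupportedException) {
                return (NamingException) t;
            }
            // NamingException stores its cause as rootCause; other throwables use getCause()
            t = (t instanceof NamingException) ? ((NamingException) t).getRootCause() : t.getCause();
        }
        return null;
    }

    /** Extracts the AD sub-error code (e.g. "533") from a bind failure's message, or null. */
    static String adSubCode(NamingException bindFailure) {
        String msg = bindFailure.getMessage();
        if (msg == null) {
            return null;
        }
        Matcher m = AD_SUBCODE.matcher(msg);
        return m.find() ? m.group(1) : null;
    }

    /** Standard AD sub-error codes returned with LDAP error 49 (assumed stable across AD versions). */
    static String describe(String subCode) {
        if (subCode == null) {
            return "unknown bind failure";
        }
        switch (subCode) {
            case "525": return "user not found";
            case "52e": return "invalid credentials";
            case "530": return "not permitted to logon at this time";
            case "531": return "not permitted to logon at this workstation";
            case "532": return "password expired";
            case "533": return "account disabled";
            case "701": return "account expired";
            case "773": return "user must reset password";
            case "775": return "account locked";
            default:    return "unrecognised sub-code " + subCode;
        }
    }

    /** Mirrors the provider's decision: bad credentials versus an uncategorized LDAP error. */
    static String classify(NamingException thrown) {
        NamingException bind = findBindFailure(thrown);
        if (bind == null) {
            return "UNCATEGORIZED: " + thrown.getMessage();
        }
        return "BAD_CREDENTIALS: " + describe(adSubCode(bind));
    }

    public static void main(String[] args) {
        // Constructed: what JBoss EAP hands back, modelled on the trace in the question.
        AuthenticationException adError = new AuthenticationException(
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 533, v1db1 ]");
        NamingException jbossWrapped = new NamingException(
            "JBAS011843: Classloader ... failed to instanciate InitialContextFactory "
            + "com.sun.jndi.ldap.LdapCtxFactory");
        jbossWrapped.setRootCause(adError);

        // Constructed: Tomcat lets the AuthenticationException through directly.
        AuthenticationException tomcatDirect = new AuthenticationException(
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 775, v1db1 ]");

        // Constructed: a connectivity failure that must NOT be reported as bad credentials.
        NamingException unreachable = new NamingException("Connection refused by directory server");

        System.out.println("JBoss   : " + classify(jbossWrapped));
        System.out.println("Tomcat  : " + classify(tomcatDirect));
        System.out.println("Down DC : " + classify(unreachable));
    }
}
```

Compile and run it with `javac BindFailureUnwrapDemo.java && java BindFailureUnwrapDemo`; no directory server is needed because the exceptions are built in `main`. If you apply the same idea inside a patched provider, keep the `handleBindException` call on the unwrapped exception so its sub-code handling still runs, and keep the final `else` that converts everything else with `LdapUtils.convertLdapException`.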