0

我对使用 LDAP 的 Spring Security 相当陌生,我正在尝试对 LDAP 服务器(FreeIPA)上密码过期的用户进行身份验证。

我似乎无法触发任何密码过期异常等。密码策略响应控件始终返回 null....

这是我的代码,也许我做错了什么。如何处理密码策略错误?他们目前根本不开火。

<bean id="freeIpaContextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
    <constructor-arg value="${logon.freeipa.zone.ldap.connection.url}"/>
    <property name="base" value="${logon.freeipa.zone.user.dn.base}"/>
</bean>

<bean id="freeIpaLdapTemplate" class="org.springframework.security.ldap.SpringSecurityLdapTemplate">
    <constructor-arg name="contextSource" ref="freeIpaContextSource"/>
</bean>

我在下面有一个自定义的 LdapAuthenticator,它使用 ldaptemplate 对用户进行身份验证。

@Override
public DirContextOperations authenticate(Authentication authentication) {
    checkForIllegalStateDuringAuthentication(authentication);
    logger.info(String.format("*** Beginning to authenticate against LDAP zone %s ***", authorizationZone.getName()));
    zoneAuthenticationService.saveRequestDataInSession((UsernamePasswordAuthenticationToken) authentication, authorizationZone.getName());
    CollectingAuthenticationErrorCallback errorCallback = new CollectingAuthenticationErrorCallback();
    boolean isAuthenticated = false;
    String userName = authentication.getName();
    String password = authentication.getCredentials().toString();
    String filterLookup = buildLDAPFilterLookupString(userName);
    if (StringUtils.isNotBlank(password)) {
        logger.info(String.format("*** Attempting authentication for user %s ***", userName));
        try {
            isAuthenticated = ldapTemplate.authenticate(StringUtils.EMPTY, filterLookup, password, errorCallback);

        } catch (Exception exception) {
            errorCallback.execute(exception);
        }
    }
    if (!isAuthenticated) {
        if (errorCallback.getError() == null) {
            errorCallback.execute(new AuthenticationException(null));
        }
        //Any LDAP exception caught are stored inside the errorCallBack for use later to display an appropriate error.
        logger.error(String.format("*** Authentication for user %s has failed. Exception has occurred while system performed LDAP authentication. ***", userName), errorCallback.getError());
        throw new LdapAuthenticationException(errorCallback.getError().getMessage(), errorCallback.getError());
    }
    logger.info(String.format("*** Authentication for user %s has succeeded ***", userName));
    return new DirContextAdapter(buildAuthenticatedDN(userName));
}

无论我做什么,我都无法返回任何密码策略错误。据我了解,您需要在尝试进行身份验证时使用 PasswordPolicyControl 设置请求控件,但我从未收到来自服务器的任何响应控件。我已经尝试实现类似下面的东西,但没有任何运气。

LdapContext context = (LdapContext)ldapTemplate.getContextSource().getContext(buildAuthenticatedDN(userName).toString(), password);
Control[] rctls = new Control[]{new PasswordPolicyControl(false)};
context.reconnect(rctls);
PasswordPolicyResponseControl ctrl = PasswordPolicyControlExtractor.extractControl(context);
//ctrl is always null
 if (ctrl.isExpired()) {
                throw new 
PasswordPolicyException(ctrl.getErrorStatus());
            }

我究竟做错了什么?我为此苦苦挣扎,任何帮助将不胜感激。

4

1 回答 1

0

如果您的客户确实发送了正确的响应控制,您可能会遇到这个问题(开放 7 年):

#1539 [RFE] 添加代码以检查 ldap 绑定上的密码过期

IIRC FreeIPA仅在 Kerberos pre-authc (kinit) 期间强制密码过期。

于 2018-09-19T00:11:02.497 回答