如何使用 ldaps 身份验证配置 jasper 服务器?

How to configuring jasper server with ldaps authentication?

一段时间以来,我一直致力于使用 jasper 6.4.0 对活动目录服务器进行身份验证,但一直收到以下错误。

2017-10-16 13:39:35,145  WARN JSLdapAuthenticationProvider,http-apr-8080-exec-9:62 - [
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]; 
nested exception is javax.naming.AuthenticationException: 
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]

根据我收集到的信息,data 52e 表示凭据无效。我尝试将配置中的服务帐户密码更改为 bob 以查看是否会出现相同的错误(显示绑定到 ldaps 服务器而不是我登录的测试帐户时出错),并且我做到了。

这里是 jasper 服务账户的配置。

<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
    <constructor-arg value="ldaps://MyLDAPSServer:636/"/>
    <!-- manager user name and password (may not be needed)  -->
    <property name="userDn" value="dc=mydomain,dc=com,uid=MyServiceAccount"/>
    <property name="password" value="SomePasswordWithSpecialCharacters"/>
</bean>

我确信用户名和密码是正确的。我可以使用以下 Python 代码针对同一个 ldaps 服务器进行身份验证。

from ldap3 import Server, \
    Connection, \
    AUTO_BIND_NO_TLS, \
    SUBTREE, \
    ALL_ATTRIBUTES

def get_ldap_info(u):
    with Connection(Server('MyLDAPSServer', port=636, use_ssl=True),
                    auto_bind=AUTO_BIND_NO_TLS,
                    read_only=True,
                    check_names=True,
                    user='MyServiceAccount', password='SomePasswordWithSpecialCharacters') as c:

        c.search(search_base='DC=mydomain,DC=com',
                search_filter='(&(samAccountName=' + u + '))',
                search_scope=SUBTREE,
                attributes=ALL_ATTRIBUTES,
                get_operational_attributes=True)
        print(c.response_to_json())
        print(c.result)


get_ldap_info('test.user')

我能想到的一件事是,也许 jasper 不喜欢在密码中包含特殊字符?

这是 jasper 服务器配置的其余部分,以防我遗漏某些内容。

<!--
 ~ Copyright (C) 2005 - 2014 TIBCO Software Inc. All rights reserved.
 ~ http://www.jaspersoft.com.
 ~ Licensed under commercial Jaspersoft Subscription License Agreement
  -->

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <!-- ############ LDAP authentication ############
      - Sample configuration of external authentication via an external LDAP server.
    -->

    <bean id="proxyAuthenticationProcessingFilter" class="com.jaspersoft.jasperserver.api.security.EncryptionAuthenticationProcessingFilter"
          parent="mtAuthenticationProcessingFilter">
        <property name="authenticationManager">
            <ref local="ldapAuthenticationManager"/>
        </property>

        <property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler" />
    </bean>

    <bean id="proxyAuthenticationSoapProcessingFilter"
          class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTDefaultAuthenticationSoapProcessingFilter">
        <property name="authenticationManager" ref="ldapAuthenticationManager"/>
        <property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler" />

        <property name="filterProcessesUrl" value="/services"/>
    </bean>

    <bean id="proxyAuthenticationRestProcessingFilter" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTDefaultAuthenticationRestProcessingFilter">
        <property name="authenticationManager">
            <ref local="ldapAuthenticationManager"/>
        </property>
        <property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler" />
        <property name="filterProcessesUrl" value="/rest/login"/>
    </bean>

    <bean id="proxyRequestParameterAuthenticationFilter"
          class="com.jaspersoft.jasperserver.war.util.ExternalRequestParameterAuthenticationFilter" parent="requestParameterAuthenticationFilter">
        <property name="authenticationManager">
            <ref local="ldapAuthenticationManager"/>
        </property>
        <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
    </bean>

    <bean id="externalAuthSuccessHandler"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.JrsExternalAuthenticationSuccessHandler" parent="successHandler">
        <property name="externalDataSynchronizer">
            <ref local="externalDataSynchronizer"/>
        </property>
    </bean>

    <bean id="proxyBasicProcessingFilter"
          class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTExternalAuthBasicProcessingFilter" parent="mtBasicProcessingFilter">
        <property name="authenticationManager" ref="ldapAuthenticationManager"/>
        <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
    </bean>

    <bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <!--anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
                <ref bean="anonymousAuthenticationProvider"/>-->
            </list>
        </property>
    </bean>

    <bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
        <constructor-arg>
            <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value></value></constructor-arg>
                <property name="groupRoleAttribute" value="title"/>
                <property name="groupSearchFilter" value="(uid={1})"/>
                <property name="searchSubtree" value="true"/>
                <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
            </bean>
        </constructor-arg>
    </bean>

    <bean id="userSearch"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value>cn=Users</value>
        </constructor-arg>
        <constructor-arg index="1">
            <!--<value>(uid={0})</value>-->
            <!--<value>(uid=test.user)</value>-->
            <value>(sAMAccountName={0})</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>

<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
    <constructor-arg value="ldaps://MyLDAPSServer:636/"/>
    <!-- manager user name and password (may not be needed)  -->
    <property name="userDn" value="dc=mydomain,dc=com,uid=MyServiceAccount"/>
    <property name="password" value="SomePasswordWithSpecialCharacters"/>
</bean>
    <!-- ############ LDAP authentication ############ -->

    <!-- ############ JRS Synchronizer ############ -->
    <bean id="externalDataSynchronizer"
          class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.MTExternalDataSynchronizerImpl">
        <property name="externalUserProcessors">
            <list>
                <ref local="ldapExternalTenantProcessor"/>
                <ref local="mtExternalUserSetupProcessor"/>
                <!-- Example processor for creating user folder-->
                <!--<ref local="externalUserFolderProcessor"/>-->
            </list>
        </property>
    </bean>

    <bean id="abstractExternalProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.AbstractExternalUserProcessor" abstract="true">
        <property name="repositoryService" ref="${bean.repositoryService}"/>
        <property name="userAuthorityService" ref="${bean.userAuthorityService}"/>
        <property name="tenantService" ref="${bean.tenantService}"/>
        <property name="profileAttributeService" ref="profileAttributeService"/>
        <property name="objectPermissionService" ref="objectPermissionService"/>
    </bean>

    <!--
        Multi-tenant configuration. For a JRS deployment with multiple
        organizations, modify this bean to set up your organizations. For
        single-organization deployments, comment this out and uncomment the version
        below.
    -->
    <bean id="ldapExternalTenantProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.ldap.LdapExternalTenantProcessor" parent="abstractExternalProcessor">
        <property name="ldapContextSource" ref="ldapContextSource"/>
        <property name="multiTenancyService"><ref bean="internalMultiTenancyService"/></property>
        <property name="excludeRootDn" value="false"/>
        <!--only following LDAP attributes will be used in creation of organization hierarchy.
                Eg. cn=Smith,ou=Developement,o=Jaspersoft will produce tanant Development as child of
                tenant Jaspersoft (if excludeRootDn=false) as child of default tenant organization_1-->
        <property name="organizationRDNs">
            <list>
                <value>dc</value>
                <value>c</value>
                <value>o</value>
                <value>ou</value>
                <value>st</value>
            </list>
        </property>
        <property name="rootOrganizationId" value="organization_1"/>
        <property name="tenantIdNotSupportedSymbols" value="#{configurationBean.tenantIdNotSupportedSymbols}"/>

        <!-- User credentials are setup in js.externalAuth.properties-->
        <property name="externalTenantSetupUsers">
            <list>
                <bean class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTAbstractExternalProcessor.ExternalTenantSetupUser">
                    <property name="username" value="${new.tenant.user.name.1}"/>
                    <property name="fullName" value="${new.tenant.user.fullname.1}"/>
                    <property name="password" value="${new.tenant.user.password.1}"/>
                    <property name="emailAddress" value="${new.tenant.user.email.1}"/>
                    <property name="roleSet">
                        <set>
                            <value>ROLE_ADMINISTRATOR</value>
                            <value>ROLE_USER</value>
                        </set>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

    <!--
        Single tenant configuration. For a JRS deployment with a single
        organization, uncomment this bean and configure it to set up your organization.
        Comment out the multi-tenant version of ldapExternalTenantProcessor above
    -->
    <!--<bean id="ldapExternalTenantProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.ldap.LdapExternalTenantProcessor" parent="abstractExternalProcessor">
        <property name="ldapContextSource" ref="ldapContextSource"/>
        <property name="multiTenancyService"><ref bean="internalMultiTenancyService"/></property>
        <property name="excludeRootDn" value="true"/>
        <property name="defaultOrganization" value="organization_1"/>
    </bean>-->

    <bean id="mtExternalUserSetupProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
        <!--Default permitted role characters; others are removed. Change regular expression to allow other chars.
                    <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>-->

        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>

        <property name="organizationRoleMap">
            <map>
                <!-- Example of mapping customer roles to JRS roles -->
                <entry>
                    <key>
                        <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                    </key>
                    <!-- JRS role that the <key> external role is mapped to-->
                    <value>ROLE_ADMINISTRATOR</value>
                </entry>
            </map>
        </property>
    </bean>

    <!-- EXAMPLE Processor
    <bean id="externalUserFolderProcessor"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserFolderProcessor"
          parent="abstractExternalProcessor">
        <property name="repositoryService" ref="${bean.unsecureRepositoryService}"/>
    </bean>
    -->
    <!-- ############ JRS Synchronizer ############ -->
</beans>

对于将来像我一样为此苦苦挣扎的任何人,问题是我 ldapContextSource 中的 userDn。

正确的 userDn

<property name="userDn" value="CN=myserviceaccount,OU=my ou,DC=mydomain,DC=com"/>

我发现通过 运行 这个 python 脚本并查看输出:

from ldap3 import Server, \
    Connection, \
    AUTO_BIND_NO_TLS, \
    SUBTREE, \
    ALL_ATTRIBUTES

def get_ldap_info(u):
    with Connection(Server('MyLDAPSServer', port=636, use_ssl=True),
                    auto_bind=AUTO_BIND_NO_TLS,
                    read_only=True,
                    check_names=True,
                    user='MyServiceAccount', password='SomePasswordWithSpecialCharacters') as c:


        c.search(search_base='DC=mydomain,DC=com',
                search_filter='(&(samAccountName=' + u + '))',
                search_scope=SUBTREE,
                attributes=ALL_ATTRIBUTES,
                get_operational_attributes=True)
        print(c.response_to_json())
        print(c.result)


get_ldap_info('myserviceaccount')