Spring Security LDAP Authentication throws NO_ATTRIBUTE_OR_VAL error
Following the spring.io guide, I cannot authenticate against a real LDAP/AD: https://spring.io/guides/gs/authenticating-ldap/
The problem I get when authenticating against the real AD/LDAP is:
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 16 - 00002080: AtrErr: DSID-03080155, #1:
0: 00002080: DSID-03080155, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 23 (userPassword)
]; nested exception is javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00002080: AtrErr: DSID-03080155, #1:
0: 00002080: DSID-03080155, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 23 (userPassword)
]; remaining name 'CN=olahell,OU=Consultants,OU=Production,OU=Company'
Here is my Java auth config:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        .userSearchFilter("(&(objectClass=user)(sAMAccountName={0}))")
        .contextSource()
            .url("ldap://company-dc02.company.local:389/dc=company,dc=local")
            .managerDn("CN=olahell,OU=Consultants,OU=Production,OU=Company,DC=company,DC=local")
            .managerPassword("myPassword")
            .and()
        // password compare: read the user's userPassword attribute and compare it locally
        .passwordCompare()
            .passwordEncoder(new LdapShaPasswordEncoder())
            .passwordAttribute("userPassword");
}
What I needed to do was use BindAuthenticator, and the LDAP should be configured as follows:
@Bean
public AuthenticationProvider ldapAuthenticationProvider() throws Exception {
    String ldapServerUrl = "ldap://company-dc02.bergsala.local:389/dc=company,dc=local";
    DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldapServerUrl);
    // manager (service) account used for the user search, not for verifying the user's password
    String ldapManagerDn = "CN=olahell,OU=Consultants,OU=Production,OU=Company,DC=company,DC=local";
    contextSource.setUserDn(ldapManagerDn);
    String ldapManagerPassword = "myPassword";
    contextSource.setPassword(ldapManagerPassword);
    contextSource.setReferral("follow");
    contextSource.afterPropertiesSet();
    // locate the user entry by sAMAccountName, searching from the base DN of the URL
    LdapUserSearch ldapUserSearch = new FilterBasedLdapUserSearch("", "(&(objectClass=user)(sAMAccountName={0}))", contextSource);
    // bind as the found user DN with the supplied password; the directory verifies the credential
    BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
    bindAuthenticator.setUserSearch(ldapUserSearch);
    LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator, new EmsLdapAuthoritiesPopulator(contextSource, ""));
    return ldapAuthenticationProvider;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(ldapAuthenticationProvider());
}
Note: EmsLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator and overrides #getAdditionalRoles so that I can set additional roles for the user.
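The answer names EmsLdapAuthoritiesPopulator but does not show it. The following is an added example, not code from the original answer, of a populator in the shape described (a subclass of DefaultLdapAuthoritiesPopulator that overrides getAdditionalRoles). It also illustrates why the switch to BindAuthenticator matters: password compare needs the manager account to read the stored userPassword attribute, which Active Directory does not expose (hence NO_ATTRIBUTE_OR_VAL), whereas a bind lets the directory verify the credential and the application never reads password material. The group search filter, the "department" attribute and the role names below are assumptions about the directory, not values from the page.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

// Added example of the populator the answer refers to; the attribute and role names
// are assumptions and should be replaced with the ones your directory actually uses.
public class EmsLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    public EmsLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        super(contextSource, groupSearchBase);
        // Active Directory groups list members in the "member" attribute, so search groups
        // by the authenticated user's DN ({0}) rather than by uniqueMember (assumption).
        setGroupSearchFilter("(member={0})");
        setGroupRoleAttribute("cn");
        setRolePrefix("ROLE_");
        setConvertToUpperCase(true);
    }

    // Called after the user has been located (and, with BindAuthenticator, has bound
    // successfully). The DirContextOperations holds the user's entry as returned by the
    // user search, so no further directory round trip is needed to read its attributes.
    @Override
    protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, String username) {
        Set<GrantedAuthority> extra = new HashSet<>();

        // Baseline role for every successfully authenticated directory user.
        extra.add(new SimpleGrantedAuthority("ROLE_USER"));

        // Derive an application role from an attribute on the user entry.
        // "department" is an assumed attribute name; a missing attribute yields null.
        String department = user.getStringAttribute("department");
        if ("Consultants".equals(department)) {
            extra.add(new SimpleGrantedAuthority("ROLE_CONSULTANT"));
        }
        return extra;
    }
}
```

The roles returned here are merged with the group-derived roles that DefaultLdapAuthoritiesPopulator already produces, so an empty group search base (as in the answer's `new EmsLdapAuthoritiesPopulator(contextSource, "")`) still searches for groups from the base DN given in the context source URL. Keep the additional roles derived from attributes the manager account can actually read; if the attribute is not present on the entry, `getStringAttribute` returns null and the role is simply not granted.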