Authentication using LDAP against ADAM using sprin

2020-07-10 08:17发布

站内问答 / Java
465 2 3

I am trying to get a Java app using spring-security to talk to a local ADAM instance that I have setup.

I have successfully installed ADAM and setup as follows....

  • Instance running on localhost:389
  • Root is O=Company
    • A child called OU=Company Users (orgnizationalUnit)
      • A granchild called CN=Mike Q (user)
      • uid = mike and password = welcome

Then I have setup spring-security (version 3.0.3, spring-framework 3.0.4 and spring-ldap 1.3.0). Spring file

  <security:ldap-server id="contextSource" url="ldap://localhost:389/o=Company"/>

  <security:authentication-manager>
    <security:ldap-authentication-provider user-dn-pattern="uid={0},ou=Company Users"/>
  </security:authentication-manager>

  <bean class="com.xxx.test.TestAuthentication" lazy-init="false"/>

And TestAuthentication

public class TestAuthentication
{
    @Autowired
    private AuthenticationManager authenticationManager;

    public void initialise()
    {
        Authentication authentication = new UsernamePasswordAuthenticationToken( "mike", "welcome" );
        Authentication reponseAuthentication = authenticationManager.authenticate( authentication );
    }
}

Running this I get the following error

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)

If someone could point out where I'm going wrong I'd be grateful. At this point I just want to authenticate an entered user/password using LDAP, nothing more complex than that.

I'm also interested in some general points as this is my first foray into LDAP world.

  • Is LDAP case sensitive?
  • Are spaces best avoided?
  • What are the general use-cases/best practices to avoid sending the password in clear-text in the LDAP query?

2条回答
冷血范
2楼-- · 2020-07-10 08:24

OK so as I spent plenty of time solving this here's the answer.

Error code 2030 means that the DN of the user is invalid.

After some trial and error here is a config that works and does user search properly. (You can probably rewrite this using the security namespace but while I was working on this it was clearer to use the raw bean definitions).

  <bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://localhost:389/cn=Sandbox,dc=ITOrg"/>
    <property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>
    <property name="password" value="xxxxxx"/>
  </bean>

  <bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <constructor-arg ref="contextSource"/>
        <property name="userDnPatterns">
          <list>
            <value>cn={0},cn=People</value>
          </list>
        </property>
      </bean>
    </constructor-arg>
  </bean>

  <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="cn=People"/>
    <constructor-arg index="1" value="(cn={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
  </bean>

The key things are

<property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>

When specifying the userDn in the context source it must be the FULL DN (it doesn't just append it do the base supplied in the url (constructor arg).

When using BindAuthentication

<value>cn={0},cn=People</value>

This value IS a suffix on top of the baseDn of the context source.

When configuring a UserSearch

    <constructor-arg index="0" value="cn=People"/>
    <constructor-arg index="1" value="(cn={0})"/>

I couldn't get it to work with cn=People being in the second arg but this seems to work fine. Note you can use attributes of the user e.g. (uid={0})

And here's some example code using the bean definitions...

    @Autowired
    private LdapUserSearch ldapUserSearch;

    @Autowired
    private AuthenticationProvider authenticationProvider;

    public void initialise()
    {
        DirContextOperations dirContextOperations = ldapUserSearch.searchForUser( "username" );

        Authentication authentication = authenticationProvider.authenticate( new UsernamePasswordAuthenticationToken( "username", "password" ) );    
    }

Some other random titbits...

Error 52b - Invalid password


[LDAP: error code 32 - 0000208D: NameErr: DSID-031521D2, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sandbox,DC=ITOrg'
     - This means the user is not in the administrator role (probably)

Hope all this helps someone else.

查看更多
0人赞 添加讨论(0) 举报
够拽才男人
3楼-- · 2020-07-10 08:46

I fixed this problem by adding the user you are trying to use as a member of the administrators role in the same Base DN. Hope that helps

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(3)