我在Grails 2.4.4上,使用插件spring-security-core:2.0.0和spring-security-ldap:2.0.1。来自OpenLdap的LDAP服务。
以上工作正常,我可以从组用户的成员中推断出用户ROLE _。
但是我们有一个需求更改,现在我们需要从嵌套的LDAP组树中推断用户ROLE。
我检查了一下,spring-security-ldap:2.0.1是基于springsecurity 3.2.9的,该版本尚未包括NestedLdapAuthoritiesPopulator,所以我去了github并抓住了它和其他一些依赖项类,将它们放入其中,然后修改了我的resources.groovy以使用它,例如:
beans = {
ldapAuthProvider(org.springframework.security.ldap.authentication.LdapAuthenticationProvider,
ref("ldapAuthenticator"), // Use default
ref("myLdapAuthoritiesPopulator") // Use custom
) {}
myLdapAuthoritiesPopulator(com.ldap.NestedLdapAuthoritiesPopulator, ref("contextSource2"), application.config.grails.plugin.springsecurity.ldap.authorities.groupSearchBase ) {}
// Set up the manager to read LDAP
contextSource2(DefaultSpringSecurityContextSource, application.config.grails.plugin.springsecurity.ldap.context.server) {
userDn = application.config.grails.plugin.springsecurity.ldap.context.managerDn ?:null
password = application.config.grails.plugin.springsecurity.ldap.context.managerPassword ?:null
}
但是一旦尝试一下,我就遇到了这样的错误:
Message: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Line | Method
->> 257 | searchForMultipleAttributeValues in com.ldap.SpringSecurityLdapTemplate$$EQx0bs0G
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 200 | performNestedSearch in com.ldap.NestedLdapAuthoritiesPopulator
| 160 | getGroupMembershipRoles . . . . in ''
| 213 | getGrantedAuthorities in com.ldap.DefaultLdapAuthoritiesPopulator$$EQx0Xl3o
| 59 | attemptAuthentication . . . . . in grails.plugin.springsecurity.web.authentication.GrailsUsernamePasswordAuthenticationFilter
| 62 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 59 | doFilter . . . . . . . . . . . . in grails.plugin.springsecurity.web.SecurityRequestHolderFilter
| 1145 | runWorker in java.util.concurrent.ThreadPoolExecutor
| 615 | run . . . . . . . . . . . . . . in java.util.concurrent.ThreadPoolExecutor$Worker
^ 745 | run in java.lang.Thread
Caused by AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
我错过了什么吗?或者,有没有更好的方法可以实现我想要做的事情?
[编辑20180711]
我通过在resources.goovy中添加contextContext2解决了上述问题:
contextSource2(DefaultSpringSecurityContextSource, application.config.grails.plugin.springsecurity.ldap.context.server) {
userDn = application.config.grails.plugin.springsecurity.ldap.context.managerDn ?:null
password = application.config.grails.plugin.springsecurity.ldap.context.managerPassword ?:null
authenticationSource = ref('ldapAuthenticationSource')
authenticationStrategy = ref('authenticationStrategy')
anonymousReadOnly = true
}
ldapAuthenticationSource(SimpleAuthenticationSource) {
principal = "uid=admin,dc=myCompany,dc=com"
credentials = "Admin123"
}
authenticationStrategy(GrailsSimpleDirContextAuthenticationStrategy) {
userDn = "uid=admin,dc=myCompany,dc=com"
}
现在,我可以登录并推断嵌套组为“角色”,还有其他问题-对于嵌套组中的用户,权限搜索无法找到它。
例如,如果我有一个像这样的组层次树:
Groups -> group02 -> user01
-> group01 (having member group02)
-> group03 -> group04 -> user02
如果以user01身份登录,则将角色推断为ROLE_GROUP01和ROLE_GROUP02。 但是,如果以user02身份登录,则根本不会返回任何角色。
我按如下方式使用config,但也不起作用:
grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'ou=Groups,dc=myCompany,dc=com'
grails.plugin.springsecurity.ldap.authorities.searchSubtree = true
请帮忙吗?
如果有所不同,则group01的dn为
cn=group01,ou=Groups,dc=myCompany,dc=com
而group04的dn是:
cn=group04,cn=group03,ou=Groups,dc=myCompany,dc=com
答案 0 :(得分:1)
啊nvm我也想出了我的最后一个问题-从现在开始我滚动自己的SpringSecurityLdapTemplate类(实际发生搜索的地方),“ grails.plugin.springsecurity.ldap.authorities.searchSubtree”配置没有得到传递给它... 因此,我只需要在search()调用之前的某个位置将其直接添加到它中,就像这样:
SearchControls ctls = new SearchControls();
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);,
...
search(base, formattedFilter, ctls, roleMapper);
它现在按预期工作。