跨受信任域的Java AD身份验证

时间:2012-10-29 15:26:05

标签: java active-directory ldap

我正在尝试在Java中实现Active Directory身份验证,该身份验证将从Linux计算机上运行。我们的AD设置将包含多个彼此共享信任关系的服务器,因此对于我们的测试环境,我们有两个域控制器:

信任test1.ad1.foo.com

test2.ad2.bar.com

使用以下代码,我可以成功验证来自test1的用户,但不能test2上的用户:

public class ADDetailsProvider implements ResultSetProvider {
private String domain;
private String user;
private String password;

public ADDetailsProvider(String user, String password) {
    //extract domain name
    if (user.contains("\\")) {
        this.user = user.substring((user.lastIndexOf("\\") + 1), user.length());
        this.domain = user.substring(0, user.lastIndexOf("\\"));
    } else {
        this.user = user;
        this.domain = "";
    }

    this.password    = password;
}

    /* Test from the command line */
public static void main (String[] argv) throws SQLException {
    ResultSetProvider res = processADLogin(argv[0], argv[1]);
    ResultSet results = null;
    res.assignRowValues(results, 0);
    System.out.println(argv[0] + " " + argv[1]);
}


public boolean assignRowValues(ResultSet results, int currentRow)
    throws SQLException
{
    // Only want a single row
    if (currentRow >= 1) return false;

    try {
        ADAuthenticator adAuth = new ADAuthenticator();
        LdapContext ldapCtx = adAuth.authenticate(this.domain, this.user, this.password);
        NamingEnumeration userDetails = adAuth.getUserDetails(ldapCtx, this.user);

        // Fill the result set (throws SQLException).
        while (userDetails.hasMoreElements()) {
            Attribute attr = (Attribute)userDetails.next();
            results.updateString(attr.getID(), attr.get().toString());
        }

        results.updateInt("authenticated", 1);
        return true;

    } catch (FileNotFoundException fnf) {
        Logger.getAnonymousLogger().log(Level.WARNING,
           "Caught File Not Found Exception trying to read cris_authentication.properties");

        results.updateInt("authenticated", 0);
        return false;

    } catch (IOException ioe) {
        Logger.getAnonymousLogger().log(Level.WARNING,
            "Caught IO Excpetion processing login");

        results.updateInt("authenticated", 0);
        return false;

    } catch (AuthenticationException aex) {
        Logger.getAnonymousLogger().log(Level.WARNING,
           "Caught Authentication Exception attempting to bind to LDAP for [{0}]",
           this.user);

        results.updateInt("authenticated", 0);
        return true;

    } catch (NamingException ne) {
        Logger.getAnonymousLogger().log(Level.WARNING,
           "Caught Naming Exception performing user search or LDAP bind for [{0}]",
           this.user);
        results.updateInt("authenticated", 0);
        return true;
    }
}

public void close() {
    // nothing needed here
}

/**
 * This method is called via a Postgres function binding to access the
 * functionality provided by this class.
 */
public static ResultSetProvider processADLogin(String user, String password) {
    return new ADDetailsProvider(user, password);
}
}

public class ADAuthenticator {

public ADAuthenticator()
    throws FileNotFoundException, IOException {
    Properties props = new Properties();
    InputStream inStream = this.getClass().getClassLoader().
       getResourceAsStream("com/bar/foo/ad/authentication.properties");

    props.load(inStream);
    this.domain                = props.getProperty("ldap.domain");
    inStream.close();
}

public LdapContext authenticate(String domain, String user, String pass)
   throws AuthenticationException, NamingException, IOException {
    Hashtable env = new Hashtable();
    this.domain = domain;

    env.put(Context.INITIAL_CONTEXT_FACTORY, com.sun.jndi.ldap.LdapCtxFactory);
    env.put(Context.PROVIDER_URL, "ldap://" + test1.ad1.foo.com + ":" + 3268);
    env.put(Context.SECURITY_AUTHENTICATION, simple);
    env.put(Context.REFERRAL, follow);

    env.put(Context.SECURITY_PRINCIPAL, (domain + "\\" + user));
    env.put(Context.SECURITY_CREDENTIALS, pass);

    // Bind using specified username and password
    LdapContext ldapCtx = new InitialLdapContext(env, null);
    return ldapCtx;
}

public NamingEnumeration getUserDetails(LdapContext ldapCtx, String user)
   throws NamingException {
    // List of attributes to return from LDAP query
    String returnAttributes[] = {"ou", "sAMAccountName", "givenName", "sn", "memberOf"};

    //Create the search controls
    SearchControls searchCtls = new SearchControls();
    searchCtls.setReturningAttributes(returnAttributes);

    //Specify the search scope
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

    // Specify the user to search against
    String searchFilter = "(&(objectClass=*)(sAMAccountName=" + user + "))";

    //Perform the search
    NamingEnumeration answer = ldapCtx.search("dc=dev4,dc=dbt,dc=ukhealth,dc=local", searchFilter, searchCtls);

    // Only care about the first tuple
    Attributes userAttributes = ((SearchResult)answer.next()).getAttributes();
    if (userAttributes.size() <= 0) throw new NamingException();

    return (NamingEnumeration) userAttributes.getAll();
}

根据我对信任关系的理解,如果trust1收到trust2中用户的登录尝试,那么它应该将登录尝试转发给它,并且它会从用户的工作中解决域名。

这是正确的还是我遗漏了某些东西,或者使用上述方法是不可能的?

- EDIT--
来自LDAP绑定的堆栈跟踪是 {java.naming.provider.url=ldap://test1.ad1.foo.com:3268, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.authentication=simple, java.naming.referral=follow} 30-Oct-2012 13:16:02
ADDetailsProvider assignRowValues WARNING: Caught Authentication Exception attempting to bind to LDAP for [trusttest] Auth error is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]

1 个答案:

答案 0 :(得分:0)

据我所知,您应该将Context.REFERRAL设置为true。
这是你在代码中的意思吗?
另外,当我切换到GSSAPI / Kerberos时,
我定义了kerberos领域之间的信任关系,它对我有用。