我有问题。我尝试通过spring security来验证AD,我不能这样做,因为每次我看到下一个stacktrace:
2013-10-10 11:22:18.923 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: Ivan.Ivanov
2013-10-10 11:22:18.924 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.s.FilterBasedLdapUserSearch - Searching for user 'Ivan.Ivanov', with user search [ searchFilter: '(&(sAMAccountName={0})(objectclass=user))', searchBase: 'DC=MyCompany,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-10-10 11:22:19.104 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Searching for entry in under DN '', base = 'DC=MyCompany,DC=com', filter = '(&(sAMAccountName={0})(objectclass=user))'
2013-10-10 11:22:19.114 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Found DN: cn=Ivanov Ivan,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.119 FET INFO [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Ignoring PartialResultException
2013-10-10 11:22:19.121 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=Ivan.Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.122 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.303 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com
2013-10-10 11:22:19.304 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'Ivan.Ivanov', DN = 'cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com', with filter (uniqueMember={0}) in search base ''
2013-10-10 11:22:19.304 FET DEBUG [http-apr-8080-exec-3] o.s.s.l.SpringSecurityLdapTemplate - Using filter: (uniqueMember=cn=Ivan Ivanov,ou=Departmant 1.1.1,ou=Depatment 1.1,ou=Department ,ou=Users,ou=MyCompany JSC,ou=MyCompany Group,dc=MyCompany,dc=com)
2013-10-10 11:22:19.306 FET INFO [http-apr-8080-exec-3] o.s.l.c.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-10-10 11:22:19.343 FET WARN [http-apr-8080-exec-3] o.s.s.a.e.LoggerListener - Authentication event AuthenticationFailureServiceExceptionEvent: Ivan.Ivanov; details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: D2C31B0111572159FA65357E652352D4; exception: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:'' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:'' ]; remaining name ''
我的配置* -security.xml是:
<authentication-manager alias="authenticationManager">
<ldap-authentication-provider server-ref="contextSource"
user-search-base="OU=Deparment 1,OU=Users,OU=MyCompany JSC,OU=MyCompany Group,DC=MyCompany,DC=com"
user-search-filter="(&(sAMAccountName={0})(objectclass=user))"
role-prefix="none">
</ldap-authentication-provider>
</authentication-manager>
我不想检查角色,我只想检查凭据!如何关闭角色搜索?
在AD中,我的用户的整个路径是:
CN=Ivanov Ivan,OU=Department 1.1.1,OU=Department 1.1,OU=Department 1,OU=Users,OU=MyCompany JSC,OU=MyCompany Group,DC=MyCompany,DC=com
答案 0 :(得分:0)
LdapAuthenticationProvider
班级使用DefaultLdapAuthoritiesPopulator
搜索群组。您可以创建和使用不同的LdapAuthoritiesPopulator
实现来分配角色,例如,通过查看数据库或只需要硬编码,如果您只有一个角色。
请参阅http://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.html,其中提供了更多详细信息,包括如何连接自定义权限填充程序的示例。