Grails Spring Security 2.0 Active Directory authentication using user groups

Date: 2014-02-26 13:22:02

Tags: spring security authentication grails active-directory

I used dsquery to get information about my login in AD, and I received the name of the group I belong to.

-name

CN=Surname Name I,OU=CITY,OU=FOLDER,OU=Users,DC=domain,DC=com

- group

CN=Name-of-Group Using Spaces, OU=Department ,OU=Folder_two,OU=Folder_one,OU=Groups,DC=domain,DC=com

So I want to accept logins only for me or for the users in my group (CN=Name-of-Group Using Spaces). Here is my

Config.groovy

grails.plugin.springsecurity.ldap.context.managerDn = 'Surname Name I,OU=CITY,OU=FOLDER,OU=Users,DC=domain,DC=com'
grails.plugin.springsecurity.ldap.context.managerPassword = 'password'
grails.plugin.springsecurity.ldap.context.server = 'ldap://server:xxx/'
grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugin.springsecurity.ldap.search.base = 'DC=domain,DC=com'
grails.plugin.springsecurity.ldap.search.filter="(&(sAMAccountName={0})(objectclass=user))"
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/view/index'
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions= false
grails.plugin.springsecurity.providerNames=['ldapAuthProvider']
grails.plugin.springsecurity.securityConfigType = 'Annotation'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/view/index':['IS_AUTHENTICATED_FULLY']
// '/view/index':['ROLE_Name-of-Group Using Spaces'] - this is what I tried to use as well, and it's not working
]

This is a working configuration, but the problem is that any user from the domain can get access.

1 answer:

Answer 0 (score: 1)

Here is the solution:

grails.plugin.springsecurity.ldap.context.managerDn = 'Surname Name I,OU=CITY,OU=FOLDER,OU=Users,DC=domain,DC=com'
grails.plugin.springsecurity.ldap.context.managerPassword = 'password'
grails.plugin.springsecurity.ldap.context.server = 'ldap://server:xxx/'
grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugin.springsecurity.ldap.search.base = 'DC=domain,DC=com'

grails.plugin.springsecurity.ldap.search.filter="(&(sAMAccountName={0})(|(memberOf=CN=Name-of-Group #1 Using Spaces, OU=Department ,OU=Folder_two,OU=Folder_one,OU=Groups,DC=domain,DC=com)(memberOf=CN=Name-of-Group #2 Using Spaces, OU=Department ,OU=Folder_two,OU=Folder_one,OU=Groups,DC=domain,DC=com)))"

grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugin.springsecurity.providerNames=['ldapAuthProvider']
grails.plugin.springsecurity.securityConfigType = "Annotation"
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/**': ['isFullyAuthenticated()']
]
  • Only members of the groups "Name-of-Group #1 Using Spaces" and "Name-of-Group #2 Using Spaces" are authenticated. No "%20" is needed.
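The answer's trick is that the group check happens inside the user search filter: a user who is not in one of the listed groups is simply never found, so the bind never happens. The example below (added here, not code from the post or from the Grails Spring Security LDAP plugin) builds that same `(&(sAMAccountName={0})(|(memberOf=...)(memberOf=...)))` filter from a list of group DNs with RFC 4515 escaping, then evaluates it against constructed directory entries with a minimal filter parser, so you can see which users pass and why. The group and user entries are constructed sample data; the filter evaluator is a simplification that compares attribute values case-insensitively as plain strings rather than as DNs.

```python
"""Build and evaluate a group-restricted LDAP user search filter.

Added example, not part of the original post. Assumes an Active Directory
style schema where memberOf lists the user's direct group DNs.
"""
from typing import Iterable


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a '(' , ')' or '*' inside a group CN or a login name could
    change the structure of the filter instead of being matched literally.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def build_group_restricted_filter(group_dns: Iterable[str]) -> str:
    """Return a filter matching only users that are a direct member of one group.

    '{0}' is the placeholder the plugin substitutes with the login name.
    """
    clauses = ''.join('(memberOf=%s)' % escape_filter_value(dn) for dn in group_dns)
    return '(&(sAMAccountName={0})(|%s))' % clauses


def _parse(f: str, i: int):
    """Parse a filter starting at f[i] == '('; supports &, | and equality only."""
    assert f[i] == '(', 'filter must start with "("'
    i += 1
    if f[i] in '&|':
        op = f[i]
        i += 1
        children = []
        while f[i] == '(':
            child, i = _parse(f, i)
            children.append(child)
        assert f[i] == ')', 'unbalanced filter'
        return (op, children), i + 1
    j = f.index('=', i)
    attr = f[i:j]
    k = j + 1
    val = []
    # A well-formed value never contains a raw ')' : it is escaped as \29.
    while f[k] != ')':
        if f[k] == '\\':
            val.append(chr(int(f[k + 1:k + 3], 16)))
            k += 3
        else:
            val.append(f[k])
            k += 1
    return ('=', attr, ''.join(val)), k + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an in-memory entry (simplified matching)."""
    if node[0] == '&':
        return all(matches(c, entry) for c in node[1])
    if node[0] == '|':
        return any(matches(c, entry) for c in node[1])
    _, attr, wanted = node
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == wanted.lower() for v in values)


def user_is_permitted(username: str, entry: dict, group_dns: Iterable[str]) -> bool:
    """True if the user search would return this entry for this login name."""
    flt = build_group_restricted_filter(group_dns).replace('{0}', escape_filter_value(username))
    tree, _ = _parse(flt, 0)
    return matches(tree, entry)


# Constructed sample data, modelled on the group DNs in the post.
GROUP_1 = 'CN=Name-of-Group #1 Using Spaces,OU=Department,OU=Folder_two,OU=Folder_one,OU=Groups,DC=domain,DC=com'
GROUP_2 = 'CN=Name-of-Group #2 Using Spaces,OU=Department,OU=Folder_two,OU=Folder_one,OU=Groups,DC=domain,DC=com'
OPS_GROUP = 'CN=Ops (Prod),OU=Groups,DC=domain,DC=com'      # CN with parentheses, needs escaping
OTHER_GROUP = 'CN=Domain Users,CN=Users,DC=domain,DC=com'

MEMBER = {'sAMAccountName': 'jdoe', 'memberOf': [GROUP_2, OTHER_GROUP]}
NON_MEMBER = {'sAMAccountName': 'asmith', 'memberOf': [OTHER_GROUP]}
OPS_USER = {'sAMAccountName': 'ops1', 'memberOf': [OPS_GROUP]}

if __name__ == '__main__':
    print(build_group_restricted_filter([GROUP_1, GROUP_2]))
    for name, entry in (('jdoe', MEMBER), ('asmith', NON_MEMBER), ('ops1', OPS_USER)):
        print(name, user_is_permitted(name, entry, [GROUP_1, GROUP_2, OPS_GROUP]))
```

Two caveats worth keeping in mind with this approach. First, `memberOf` holds direct memberships only, so users who reach the group through a nested group are rejected; Active Directory's transitive matching rule (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) covers that case, but the toy parser above does not understand it. Second, a non-member now fails as "user not found" rather than "bad credentials"; with `hideUserNotFoundExceptions = false`, as in the answer, that distinction is visible to whoever is logging in, so consider whether the error message should reveal it.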