How to authenticate users in JBoss against LDAP using the userName instead of the CN

Time: 2014-10-15 10:54:52

Tags: java authentication jboss ldap login-config.xml

I am trying to authenticate users against LDAP for an application deployed in JBoss. User authentication works, but in the user field I have to enter the full name; using the username does not work.

I would like to know whether the problem is the LDAP configuration or whether I have left out some configuration parameter in login-config.xml.

Here is the code of login-config.xml:

    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap-server-ip:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>

        <module-option name="principalDNPrefix">CN=</module-option>
        <module-option name="principalDNSuffix">,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL</module-option>

        <module-option name="baseCtxDN">ou=LIMIT - CECOMASA,dc=LIMIT_CECOMASA,dc=LOCAL</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>

        <module-option name="rolesCtxDN">ou=LIMIT - CECOMASA,dc=LIMIT_CECOMASA,dc=LOCAL</module-option>
        <module-option name="roleFilter">(member={0})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <!-- module-option name="roleAttributeIsDN">true</module-option -->

        <module-option name="searchTimeLimit">10000</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>

    </login-module>

Here is the LDIF information of my user on the LDAP server:

dn: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Andreu Serra
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=LIMIT_CECOMASA,DC=LO
 CAL
accountExpires: 9223372036854775807
badPasswordTime: 130576882951482672
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: Andreu Serra
distinguishedName: CN=Andreu Serra,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,D
 C=LIMIT_CECOMASA,DC=LOCAL
givenName: Andreu
homeMDB:: Q049QWxtYWPDqW4gZGVsIGJ1esOzbiAoU0VSVkVSMDApLENOPVByaW1lciBncnVwby
 BkZSBhbG1hY2VuYW1pZW50byxDTj1JbmZvcm1hdGlvblN0b3JlLENOPVNFUlZFUjAwLENOPVNlc
 nZlcnMsQ049UHJpbWVyIGdydXBvIGFkbWluaXN0cmF0aXZvLENOPUFkbWluaXN0cmF0aXZlIEdy
 b3VwcyxDTj1MSU1JVCAtIENFQ09NQVNBLENOPU1pY3Jvc29mdCBFeGNoYW5nZSxDTj1TZXJ2aWN
 lcyxDTj1Db25maWd1cmF0aW9uLERDPUxJTUlUX0NFQ09NQVNBLERDPUxPQ0FM
homeMTA: CN=Microsoft MTA,CN=SERVER00,CN=Servers,CN=Primer grupo administrat
 ivo,CN=Administrative Groups,CN=LIMIT - CECOMASA,CN=Microsoft Exchange,CN=S
 ervices,CN=Configuration,DC=LIMIT_CECOMASA,DC=LOCAL
lastLogoff: 0
lastLogon: 130578294930208368
legacyExchangeDN: /o=LIMIT - CECOMASA/ou=Primer grupo administrativo/cn=Reci
 pients/cn=andreus
logonCount: 481
mail: andreus@limit.es
mailNickname: andreus
mDBUseDefaults: TRUE
memberOf: CN=RSC_ADMIN,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIMIT_CECO
 MASA,DC=LOCAL
memberOf: CN=TerminalServer,OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL
memberOf: CN=Dept. Programari,OU=DEPT. PROGRAMARI,OU=LIMIT - CECOMASA,DC=LIM
 IT_CECOMASA,DC=LOCAL
msExchALObjectVersion: 57
msExchHomeServerName: /o=LIMIT - CECOMASA/ou=Primer grupo administrativo/cn=
 Configuration/cn=Servers/cn=SERVER00
msExchMailboxGuid:: Xff5XoFGiUyq6szgBxtZbw==
msExchMailboxSecurityDescriptor:: AQAE77+9eAAAAO+/vQAAAAAAAAAUAAAABABkAAEAAA
 AAAhQAAwACAAEBAAAAAAAFCgAAAEkATQBJAFQAXwBDAEUAQwBPAE0AQQBTAEEALwBjAG4APQBDA
 G8AbgBmAGkAZwB1AHIAYQB0AGkAbwBuAC8AYwBuAD0AAADvv70BAQUAAAAAAAUVAAAA77+9Cu+/
 vRF877+9JA1DFwoy77+9AQAAAQUAAAAAAAUVAAAA77+9Cu+/vRF877+9JA1DFwoy77+9AQAA
msExchPoliciesIncluded: {C2EA965C-E5EE-4990-9447-1B5A7745E80C},{26491CFC-9E5
 0-4857-861B-0CB8DF22B5D7}
msExchUserAccountControl: 0
name: Andreu Serra
objectGUID:: R0ByiBmTN0WR4x/c6bruEw==
objectSid:: AQUAAAAAAAUVAAAAuwraEXzrJA1DFwoyqgcAAA==
primaryGroupID: 513
proxyAddresses: smtp:andreus@LIMIT_CECOMASA.LOCAL
proxyAddresses: X400:c=us;a= ;p=LIMIT - CECOMASA;o=Exchange;s=Serra;g=Andreu
 ;
proxyAddresses: SMTP:andreus@limit.es
pwdLastSet: 130410870859571872
sAMAccountName: andreus
sAMAccountType: 805306368
showInAddressBook: CN=Lista global de direcciones predeterminada,CN=All Glob
 al Address Lists,CN=Address Lists Container,CN=LIMIT - CECOMASA,CN=Microsof
 t Exchange,CN=Services,CN=Configuration,DC=LIMIT_CECOMASA,DC=LOCAL
showInAddressBook: CN=Todos los usuarios,CN=All Address Lists,CN=Address Lis
 ts Container,CN=LIMIT - CECOMASA,CN=Microsoft Exchange,CN=Services,CN=Confi
 guration,DC=LIMIT_CECOMASA,DC=LOCAL
sn: Serra
textEncodedORAddress: c=us;a= ;p=LIMIT - CECOMASA;o=Exchange;s=Serra;g=Andre
 u;
userAccountControl: 66048
userPrincipalName: andreus@LIMIT_CECOMASA.LOCAL
uSNChanged: 5052147
uSNCreated: 5052138
whenChanged: 20140404121211.0Z
whenCreated: 20140404121125.0Z

The only problem is that in the authentication popup I have to enter Andreu Serra / password instead of andreus / password, as would be normal. I have already tried a thousand combinations for the login module, and I hope that number 1001 will be the right one.

2 answers:

Answer 0 (score: 0)

Try

 <module-option name="matchOnUserDN">false</module-option>
 <module-option name="uidAttributeID">sAMAccountName</module-option>

-Jim

Answer 1 (score: 0)

What is happening is that the LDAP configuration is wrong. Normally the LDAP user identifier (uid) is used to form the DN (distinguished name), but in our LDAP the short name is used. Fortunately, in the LDAP client acting as the assumed one.
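As an added example that is not part of the question or of either answer: the same login-config.xml entry rewritten for LdapExtLoginModule, which first searches for the entry whose sAMAccountName matches the name typed in the login dialog and then binds as the DN it finds, so the dialog accepts andreus rather than the CN. The service-account bindDN and its credential, the "Service Accounts" OU and the ldaps:// URL are assumptions and placeholders, not values from the page.

```xml
<!-- Added example (not the question's or answers' configuration).
     Search-then-bind: the typed name is only used as a search filter value,
     never concatenated into a DN as principalDNPrefix/principalDNSuffix do,
     so the login dialog takes the sAMAccountName (andreus), not the CN. -->
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <!-- Assumed ldaps:// endpoint. With "simple" authentication over plain ldap://,
         both the service-account password and every user's password cross the
         network in clear; LDAPS (or StartTLS) is the usual mitigation. -->
    <module-option name="java.naming.provider.url">ldaps://ldap-server-ip:636/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>

    <!-- Placeholder read-only service account used only for the initial lookup.
         The user's own password is never used until the second bind. -->
    <module-option name="bindDN">CN=svc-jboss-ldap,OU=Service Accounts,DC=LIMIT_CECOMASA,DC=LOCAL</module-option>
    <module-option name="bindCredential">REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD</module-option>

    <!-- {0} is the name typed in the dialog; the module escapes it for the filter.
         The subtree search is what lets the user live in a nested OU such as
         OU=DEPT. PROGRAMARI without hard-coding that OU into a DN suffix. -->
    <module-option name="baseCtxDN">OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL</module-option>
    <module-option name="baseFilter">(sAMAccountName={0})</module-option>

    <!-- Roles: groups whose member attribute holds the DN found above ({1});
         the group's cn becomes the role name. -->
    <module-option name="rolesCtxDN">OU=LIMIT - CECOMASA,DC=LIMIT_CECOMASA,DC=LOCAL</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>

    <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    <module-option name="searchTimeLimit">10000</module-option>
    <!-- Keep false: Active Directory treats an empty password as an anonymous
         bind, which would otherwise "succeed" for any existing account name. -->
    <module-option name="allowEmptyPasswords">false</module-option>
</login-module>
```

With this layout the DN that is actually bound is the one returned by the directory (CN=Andreu Serra,OU=DEPT. PROGRAMARI,...), so the entry's CN and the login name no longer have to coincide.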