I have set up LDAP authentication with the configuration below. I need users to authenticate against the LDAP data store, and I have set pwdMaxFailure to 2.
Authentication works fine, but every time I log in with a wrong password I get the following exception instead of a password-lockout exception. I don't think Spring LDAP is checking the pwdPolicy (counting the password attempts) when it authenticates the user.
ne = (javax.naming.AuthenticationException) javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=admin,ou=users,o=organization]
My LDIF file:
dn: cn=admin,ou=users,o=organization
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: admin
sn: Admin
uid: admin
userPassword:: e1NTSEF9bEtlTUNzLy9OK1JsV2hCWEM2U2ZZNDh0Lzd0OHBlbjFrdjkxN3c9PQ==
createTimestamp: 20141003000008.689Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20141020004319.002000Z#000000#001#000000
entryDN: cn=admin,ou=users,o=organization
entryParentId: 8204b2df-ff5a-413a-a063-4ac30d35bee4
entryUUID:: N2I1MTFlNjYtMDhjZS00YjA3LWIxYzItNTkyOTI3ZGE3ZTBi
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20141020004319.002Z
pwdFailureTime: 20141020003207.120Z
pwdHistory:: MjAxNDEwMDMwMDAwMDguNjgxWiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS40MCM4I1lXUnRhVzQ9
pwdPolicySubentry: cn=default,ou=pwdPolicy,o=organization

dn: cn=default,ou=pwdPolicy,o=organization
objectClass: device
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
pwdExpireWarning: 3600
pwdGraceExpire: 1
pwdLockout: TRUE
pwdLockoutDuration: 120
pwdMaxAge: 2592000
pwdMaxFailure: 2
The Spring configuration file is as follows:
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider ref="jdbcProviderManager" />
    <authentication-provider ref="ldapProviderManager" />
</authentication-manager>

<bean id="jdbcProviderManager" class="au.com.spring.handler.DBLoginAuthentication">
    <property name="userDetailsService" ref="daoAuthenticationProvider" />
</bean>

<bean id="ldapProviderManager" class="au.com.spring.handler.LDAPLoginAuthentication">
    <property name="userDetailsService" ref="ldapAuthenticationProvider" />
</bean>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="JdbcUserDetailsManager" />
    <property name="passwordEncoder" ref="encoder" />
</bean>

<bean id="ldapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userSearch" ref="ldapUserSearch" />
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="au.com.spring.handler.CustomLDAPAuthoritiesPopulator">
            <constructor-arg ref="contextSource" />
            <constructor-arg value="${group.search}" />
            <property name="groupSearchFilter" value="${group.search.filter}" />
            <property name="groupRoleAttribute" value="${group.role.att}" />
            <property name="rolePrefix" value="ROLE_" />
            <property name="searchSubtree" value="true" />
            <property name="convertToUpperCase" value="true" />
        </bean>
    </constructor-arg>
    <property name="hideUserNotFoundExceptions" value="false" />
    <property name="useAuthenticationRequestCredentials" value="true" />
    <property name="userDetailsContextMapper" ref="inetOrgPersonContextMapper" />
</bean>

<bean id="inetOrgPersonContextMapper" class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />

<bean id="defaultLdapUsernameToDnMapper" class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
    <constructor-arg value="${users.search}" />
    <constructor-arg value="${uid.att}" />
</bean>

<!--<bean id="authenticationSuccessListener" class="prpa.athos.security.listener.AuthenticationSuccessListener" />-->
<!--<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">-->
<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
    <constructor-arg value="ldap://localhost:10389/o=organization" />
    <!--<property name=""/>-->
</bean>
Answer 0 (score: 1)
"I get the following exception instead of a password-lockout exception."
From LDAP password policy draft 10:
8.1.1. Fail if the account is locked
If the account is locked, as specified in Section 7.1, the server fails the operation with an appropriate resultCode (i.e. invalidCredentials (49) in the case of a Bind operation, compareFalse (5) in the case of a compare operation, etc.). The server MAY set the error: accountLocked (1) in the passwordPolicyResponse in the controls field of the message.
So the LDAP server is behaving correctly.
"I don't think Spring LDAP is checking the pwdPolicy (counting the password attempts) when it authenticates the user."
It is the LDAP server that does the checking. Spring would have to supply the extra request control for it to be able to see the password-lockout status described above. But in any case you never want to reveal to the user why his login failed: that is an information leak. It amounts to telling an attacker that the username was correct, which is undesirable. Let the user query why the login failed if he thinks his password was correct, or put him through the lost-password sequence.
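To make the answer's point concrete, here is an added example (it is not code from the question, the answer, or Spring Security) that decodes the passwordPolicyResponse control value exactly as the draft defines it (control OID 1.3.6.1.4.1.42.2.27.8.5.1, the control that Spring's PasswordPolicyAwareContextSource exists to request). It shows that a locked account and a plain wrong password both come back as resultCode 49 and differ only in that control, and that the user-facing message should be the same in both cases. The sample control bytes are hand-encoded from the draft's ASN.1 (constructed, not captured traffic); no directory server is contacted.

```python
"""Decode the LDAP password-policy response control (draft-behera-ldap-password-policy).

Added example; works on constructed sample bytes and never talks to a directory.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# OID of the password policy request/response control, from the draft.
PASSWORD_POLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue.error ENUMERATED values, from the draft.
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

# LDAP resultCode values relevant to a bind (RFC 4511).
RESULT_CODES = {0: "success", 49: "invalidCredentials"}


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # warning [0] timeBeforeExpiration
    grace_authns_remaining: Optional[int] = None  # warning [1] graceAuthNsRemaining
    error: Optional[str] = None                   # error [1] ENUMERATED


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def _ber_int(value: bytes) -> int:
    if not value:
        raise ValueError("empty INTEGER/ENUMERATED")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """Parse PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE {..} OPTIONAL,
    error [1] ENUMERATED {..} OPTIONAL }.

    'warning' wraps a CHOICE, so its [0] tag is explicit (constructed, 0xA0) and the chosen
    alternative sits inside as a primitive [0] (0x80) or [1] (0x81) INTEGER.
    'error' is an implicitly tagged primitive [1] (0x81) carrying the ENUMERATED value.
    """
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value must be exactly one SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("warning CHOICE must hold exactly one alternative")
            if ctag == 0x80:
                resp.time_before_expiration = _ber_int(cval)
            elif ctag == 0x81:
                resp.grace_authns_remaining = _ber_int(cval)
            else:
                raise ValueError(f"unknown warning alternative tag 0x{ctag:02x}")
        elif tag == 0x81:
            code = _ber_int(inner)
            resp.error = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected element tag 0x{tag:02x}")
    return resp


def classify_bind_result(result_code: int, controls: Iterable[Tuple[str, bytes]]) -> str:
    """Internal, log-only reason for a bind outcome. Per the draft's 8.1.1, a locked account
    and a wrong password both yield resultCode 49; only the ppolicy response control (present
    only if the client asked for it) says which one it was."""
    for oid, ctrl_value in controls:
        if oid == PASSWORD_POLICY_CONTROL_OID and ctrl_value:
            resp = decode_ppolicy_response(ctrl_value)
            if resp.error is not None:
                return resp.error
    return RESULT_CODES.get(result_code, f"resultCode({result_code})")


def user_facing_message(internal_reason: str) -> str:
    """One generic message for every failure, so a failed login never confirms that the
    username exists or that the account is locked."""
    if internal_reason == "success":
        return "Login succeeded."
    return "Login failed. Check your username and password, or use the password reset option."


# Constructed sample control values, hand-encoded from the draft's ASN.1 (not captured traffic).
SAMPLE_ACCOUNT_LOCKED = bytes.fromhex("3003810101")        # SEQUENCE { error [1] accountLocked(1) }
SAMPLE_EXPIRY_WARNING = bytes.fromhex("3006a00480020e10")  # SEQUENCE { warning [0] { timeBeforeExpiration 3600 } }
SAMPLE_GRACE_WARNING = bytes.fromhex("3005a003810101")     # SEQUENCE { warning [0] { graceAuthNsRemaining 1 } }

if __name__ == "__main__":
    # Two binds a server answers with resultCode 49; only the control tells them apart.
    locked = classify_bind_result(49, [(PASSWORD_POLICY_CONTROL_OID, SAMPLE_ACCOUNT_LOCKED)])
    wrong_pw = classify_bind_result(49, [])
    print("log:", locked, "/", wrong_pw)
    print("user sees:", user_facing_message(locked))
    print("user sees:", user_facing_message(wrong_pw))
    print(decode_ppolicy_response(SAMPLE_EXPIRY_WARNING))
```

The split between classify_bind_result and user_facing_message is the design point: the lockout reason is useful in the audit log (it is how you spot a brute-force run tripping pwdMaxFailure), but it must not reach the login page, for the reason the answer gives.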