Spring Security LDAP authentication error - authentication exception instead of password lockout

Time: 2014-10-20 03:35:57

Tags: spring-security ldap spring-security-ldap

I have set up LDAP authentication with the configuration below. I need users to authenticate against the LDAP data store, and I have set pwdMaxFailure to 2.

Authentication works fine, but every time I log in with a wrong password I get the following exception instead of a password lockout exception. I don't think Spring LDAP is checking the pwdPolicy (counting password attempts) when it authenticates the user.

  ne = (javax.naming.AuthenticationException) javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=admin,ou=users,o=organization]

My LDIF file:

  dn: cn=admin,ou=users,o=organization
  objectClass: inetOrgPerson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  cn: admin
  sn: Admin
  uid: admin
  userPassword:: e1NTSEF9bEtlTUNzLy9OK1JsV2hCWEM2U2ZZNDh0Lzd0OHBlbjFrdjkxN3c9PQ==
  createTimestamp: 20141003000008.689Z
  creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
  entryCSN: 20141020004319.002000Z#000000#001#000000
  entryDN: cn=admin,ou=users,o=organization
  entryParentId: 8204b2df-ff5a-413a-a063-4ac30d35bee4
  entryUUID:: N2I1MTFlNjYtMDhjZS00YjA3LWIxYzItNTkyOTI3ZGE3ZTBi
  modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
  modifyTimestamp: 20141020004319.002Z
  pwdFailureTime: 20141020003207.120Z
  pwdHistory:: MjAxNDEwMDMwMDAwMDguNjgxWiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS40MCM4I1lXUnRhVzQ9
  pwdPolicySubentry: cn=default,ou=pwdPolicy,o=organization

  dn: cn=default,ou=pwdPolicy,o=organization
  objectClass: device
  objectClass: pwdPolicy
  objectClass: top
  cn: default
  pwdAttribute: userPassword
  pwdExpireWarning: 3600
  pwdGraceExpire: 1
  pwdLockout: TRUE
  pwdLockoutDuration: 120
  pwdMaxAge: 2592000
  pwdMaxFailure: 2

The Spring configuration file is as follows:



<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="jdbcProviderManager" />
  <authentication-provider ref="ldapProviderManager" />      
</authentication-manager>

<bean id="jdbcProviderManager" class="au.com.spring.handler.DBLoginAuthentication">
  <property name="userDetailsService" ref="daoAuthenticationProvider" />
</bean>

<bean id="ldapProviderManager" class="au.com.spring.handler.LDAPLoginAuthentication">
  <property name="userDetailsService" ref="ldapAuthenticationProvider" />
</bean>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="JdbcUserDetailsManager" />
  <property name="passwordEncoder" ref="encoder" />
</bean>

<bean id="ldapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="contextSource" />
      <property name="userSearch" ref="ldapUserSearch" />
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="au.com.spring.handler.CustomLDAPAuthoritiesPopulator">
      <constructor-arg ref="contextSource" />
      <constructor-arg value="${group.search}" />
      <property name="groupSearchFilter" value="${group.search.filter}" />
      <property name="groupRoleAttribute" value="${group.role.att}" />
      <property name="rolePrefix" value="ROLE_" />
      <property name="searchSubtree" value="true" />
      <property name="convertToUpperCase" value="true" />
    </bean>
  </constructor-arg>
  <property name="hideUserNotFoundExceptions" value="false" />
  <property name="useAuthenticationRequestCredentials" value="true" />
  <property name="userDetailsContextMapper" ref="inetOrgPersonContextMapper" />
</bean>

<bean id="inetOrgPersonContextMapper" class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />

<bean id="defaultLdapUsernameToDnMapper" class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
  <constructor-arg value="${users.search}" />
  <constructor-arg value="${uid.att}" />
</bean>
<!--<bean id="authenticationSuccessListener" class="prpa.athos.security.listener.AuthenticationSuccessListener" />-->

<!--<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">-->
<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
  <constructor-arg value="ldap://localhost:10389/o=organization" />
  <!--<property name=""/>-->
</bean>

1 Answer:

Answer 0 (score: 1)

  I get the following exception instead of a password lock exception.

From LDAP password policy draft 10:

  8.1.1. Fail if the account is locked

  If the account is locked as specified in section 7.1, the server fails the operation with an appropriate resultCode (i.e. invalidCredentials (49) in the case of a bind operation, compareFalse (5) in the case of a compare operation, etc.). The server MAY set the error: accountLocked (1) in the passwordPolicyResponse in the controls field of the message.

So the LDAP server is behaving correctly.

  I don't think Spring LDAP is checking the pwdPolicy (counting password attempts) when it authenticates the user

It is the LDAP server that does the checking. Spring would need to supply an additional request control to be able to see the password lockout status described above. But in any case you never want to tell the user why his login failed: that is an information leak. It amounts to telling an attacker that the username was correct, which is undesirable. Let the user enquire why his login failed if he thinks his password was correct, or put him through the lost-password sequence.
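The two points above (the server answers a locked bind with invalidCredentials (49) and, at most, flags accountLocked (1) inside a passwordPolicyResponse control; the application should not relay that reason to the user) are shown in the following added Python example. It is not code from the question, the answer or Spring Security. It decodes the control value laid out in the draft (a BER SEQUENCE with an optional warning CHOICE and an optional error ENUMERATED) and then maps bind outcomes so that a wrong password and a locked account produce the same message for the user while the real reason is kept for the server-side audit log. The control bytes and the `handle_bind_result` function are constructed for this example; the decoder assumes short-form BER lengths, which is all a ppolicy control value ever needs.

```python
"""Decoder for the LDAP passwordPolicyResponse control, plus the failure
handling the answer recommends: one generic message for the user, the real
reason only in the server-side audit log.

Added example, not code from the question, the answer or Spring Security.
The control layout follows draft-behera-ldap-password-policy; the sample
control bytes are constructed by hand for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Control OID defined by the draft (the same value is used for request and response).
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNING_NAMES = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}

INVALID_CREDENTIALS = 49          # LDAP resultCode the draft prescribes for a locked bind
GENERIC_MESSAGE = "Invalid username or password."


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; returns (tag, value, next position).
    Short-form lengths only: a ppolicy control value is always a few bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not expected in a ppolicy control")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[start:end], end


@dataclass
class PasswordPolicyResponse:
    warning: Optional[Tuple[str, int]] = None   # (warning name, value)
    error: Optional[str] = None                 # error name, if the server set one


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """Decode the control value the server attaches to the bind response."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value must be a single SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                         # warning [0], constructed CHOICE
            wtag, wval, _ = _read_tlv(inner, 0)
            resp.warning = (WARNING_NAMES[wtag & 0x1F], int.from_bytes(wval, "big"))
        elif tag == 0x81:                       # error [1], primitive ENUMERATED
            resp.error = ERROR_NAMES[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag {tag:#04x} in ppolicy response")
    return resp


def handle_bind_result(username: str, result_code: int,
                       control_value: Optional[bytes]) -> Tuple[bool, str, str]:
    """Turn a bind outcome into (success, message for the user, audit-log line).

    The user gets the same text for a wrong password and for a locked account,
    so the response does not confirm that the username exists; the lockout
    reason is recorded only in the audit line. (Constructed helper.)
    """
    detail = decode_ppolicy_response(control_value) if control_value else PasswordPolicyResponse()
    if result_code == 0:
        return True, "Login successful.", f"bind ok user={username} warning={detail.warning}"
    audit = (f"bind failed user={username} resultCode={result_code} "
             f"ppolicy_error={detail.error}")
    return False, GENERIC_MESSAGE, audit


if __name__ == "__main__":
    # Constructed bind responses: invalidCredentials with accountLocked(1) set,
    # the same result code with no control, and a success carrying a 3600 s warning.
    locked = bytes.fromhex("3003810101")
    expiring = bytes.fromhex("3006a00480020e10")
    for name, code, ctrl in [("locked", INVALID_CREDENTIALS, locked),
                             ("wrong password", INVALID_CREDENTIALS, None),
                             ("success", 0, expiring)]:
        ok, msg, audit = handle_bind_result("admin", code, ctrl)
        print(f"{name:14s} user sees: {msg!r:35s} audit: {audit}")
```

Run stand-alone it prints the three cases; the first two lines show the identical user-facing text, and only the audit column distinguishes a locked account from a plain wrong password. Whether a server sets the control at all depends on the client having sent the matching request control, which is exactly what the answer says Spring has to supply.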