We are trying to get the Spring Windows authentication module running on a SLES 11 SP3 system.
User authentication seems to work fine:
2015-07-08 08:32:02.596 DEBUG 16861 --- [io-18080-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider
2015-07-08 08:32:02.596 DEBUG 16861 --- [io-18080-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2015-07-08 08:32:02.966 DEBUG 16861 --- [io-18080-exec-3] .a.KerberosServiceAuthenticationProvider : Succesfully validated dummy@EXAMPLE.COM
2015-07-08 08:32:02.967 DEBUG 16861 --- [io-18080-exec-3] o.s.s.l.s.FilterBasedLdapUserSearch : Searching for user 'dummy@EXAMPLE.COM', with user search [ searchFilter: '(| (userPrincipalName={0}) (sAMAccountName={0}))', searchBase: 'OU=Users,OU=Custom,DC=example.com,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat/conf/myapplication.keytab refreshKrb5Config is false principal is HTTP/myapplication.example.com@EXAMPLE.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/myapplication.example.com@EXAMPLE.COM
Will use keytab
Commit Succeeded
Then the attempt to look the user up in LDAP / Active Directory fails:
2015-07-08 08:17:02.999 DEBUG 16584 --- [io-18080-exec-3] o.s.l.c.support.AbstractContextSource : Got Ldap context on server 'ldaps://windc1.example.com:636/'
2015-07-08 08:17:03.050 DEBUG 16584 --- [io-18080-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-07-08 08:17:03.050 DEBUG 16584 --- [io-18080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2015-07-08 08:17:03.056 ERROR 16584 --- [io-18080-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907 2B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'OU=Users,OU=Custom,DC=example.com,DC=com'
My application.yml file looks like this:
server:
  port: 18080
app:
  ad-domain: EXAMPLE.COM
  ad-server: ldaps://windc1.example.com:636/
  service-principal: HTTP/myapplication.example.com@EXAMPLE.COM
  keytab-location: /usr/share/tomcat/conf/myapplication.keytab
  ldap-search-base: OU=Users,OU=Custom,DC=example.com,DC=com
  ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"
I have verified that the service-principal and keytab produce a valid token, but this seems to have no effect on the LDAP module, which, as I understand it, should always try to bind to the directory.
As you may have noticed I am quite new to this stuff and would appreciate any advice.
Many thanks,
Regards,
Dominik
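The error in the log above ("In order to perform this operation a successful bind must be completed on the connection", LDAP error code 1 / 000004DC) is what Active Directory returns when a search is attempted over an anonymous connection. A Spring LDAP context source that has neither a bind DN/password nor a Kerberos login configuration binds anonymously. The following Java configuration is an added example, not code from the post or from the Spring project; it shows how the ticket validator, an LDAP context source that actually binds, and the user lookup are wired together with the Spring Security Kerberos 1.0.x API, reading the same `app.*` properties as the application.yml above. The properties `app.ldap-bind-dn` and `app.ldap-bind-password` are hypothetical additions used only for the simple-bind fallback.

```java
// Added example (not from the original post): wiring a bound LDAP context source
// for the user lookup in Spring Security Kerberos 1.0.x.
package com.example.auth;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
import org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;

@Configuration
public class KerberosLdapConfig {

    // Same property names as in application.yml.
    @Value("${app.ad-server}")          private String adServer;
    @Value("${app.service-principal}")  private String servicePrincipal;
    @Value("${app.keytab-location}")    private String keytabLocation;
    @Value("${app.ldap-search-base}")   private String ldapSearchBase;
    @Value("${app.ldap-search-filter}") private String ldapSearchFilter;

    // Hypothetical extra properties (assumption, not in the original config):
    // when a bind DN is set, a simple bind with a read-only service account is
    // used instead of the Kerberos (SASL/GSSAPI) bind.
    @Value("${app.ldap-bind-dn:}")       private String ldapBindDn;
    @Value("${app.ldap-bind-password:}") private String ldapBindPassword;

    // Validates the SPNEGO ticket presented by the browser against the keytab.
    @Bean
    public SunJaasKerberosTicketValidator ticketValidator() {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(servicePrincipal);
        validator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        validator.setDebug(true);
        return validator; // Spring calls afterPropertiesSet() on the bean
    }

    // The context source used for the user search. Either variant performs a
    // real bind; a plain LdapContextSource without credentials binds anonymously,
    // which AD rejects with error code 1 / 000004DC.
    @Bean
    public BaseLdapPathContextSource ldapContextSource() throws Exception {
        if (ldapBindDn.isEmpty()) {
            // Variant 1: bind as the service principal itself using the keytab.
            KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer);
            SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
            loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
            loginConfig.setServicePrincipal(servicePrincipal);
            loginConfig.setIsInitiator(true); // we initiate the LDAP bind, so a TGT is needed
            loginConfig.setDebug(true);
            loginConfig.afterPropertiesSet();  // not a bean: build the JAAS config by hand
            contextSource.setLoginConfig(loginConfig);
            return contextSource;
        }
        // Variant 2: simple bind with a dedicated, least-privilege read-only
        // account. Only acceptable over ldaps://, as the password is sent in clear.
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(adServer);
        contextSource.setUserDn(ldapBindDn);
        contextSource.setPassword(ldapBindPassword);
        return contextSource;
    }

    // Looks the authenticated principal (e.g. dummy@EXAMPLE.COM) up by UPN or
    // sAMAccountName over the bound connection.
    @Bean
    public LdapUserDetailsService ldapUserDetailsService(BaseLdapPathContextSource contextSource) {
        FilterBasedLdapUserSearch search =
                new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, contextSource);
        return new LdapUserDetailsService(search);
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider(
            SunJaasKerberosTicketValidator validator, LdapUserDetailsService userDetailsService) {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(validator);
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }
}
```

The point to check against the log above is which context source `FilterBasedLdapUserSearch` is actually given: the JAAS output ("Commit Succeeded") only proves that the keytab login worked, not that the resulting credentials were used for the LDAP bind. The simple-bind variant is useful as a diagnostic to separate "the search itself is wrong" from "the GSSAPI bind is not happening"; once the Kerberos variant works, the bind account and its password should be removed again.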