Spring Boot LDAP Auth NameNotFoundException

Time: 2018-03-06 23:26:04

Tags: java spring spring-boot ldap

I'm trying to set up LDAP authentication with Spring Boot. I've done this on another project before, but there the authorization was set up through the Tomcat context file. So I already have a working setup to reference, just not in Spring Boot form.

Added to my SecurityConfiguration:

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userSearchBase("OU=users,DC=dom,DC=company,DC=com")
                .userSearchFilter("(sAMAccountName={0})")
                .contextSource()
                    .url("ldaps://ldap.company.com:424")
                    .managerDn("CN=managerUser,OU=services,DC=dom,DC=company,DC=com")
                    .managerPassword("password");
    }

Now when the application starts, I go to a secured resource, enter basic-auth credentials, and what gets printed in the console window looks like everything is working. It finds the user. Then it ends with this error.

2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'user'
2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: user
2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.s.FilterBasedLdapUserSearch      : Searching for user 'user', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'DC=dom,DC=company,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2018-03-06 17:40:22.671 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.ldap.SpringSecurityLdapTemplate    : Searching for entry under DN '', base = 'DC=dom,DC=company,DC=com', filter = '(sAMAccountName={0})'
2018-03-06 17:40:22.690 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.ldap.SpringSecurityLdapTemplate    : Found DN: CN=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.694 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.a.BindAuthenticator              : Attempting to bind as cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.695 DEBUG 7308 --- [nio-8080-exec-5] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.717 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.a.BindAuthenticator              : Retrieving attributes...
2018-03-06 17:40:22.719 DEBUG 7308 --- [nio-8080-exec-5] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.720 DEBUG 7308 --- [nio-8080-exec-5] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'user', DN = 'cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com', with filter (uniqueMember={0}) in search base ''
2018-03-06 17:40:22.721 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.ldap.SpringSecurityLdapTemplate    : Using filter: (uniqueMember=cn=user\5c, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com)
2018-03-06 17:40:22.760 DEBUG 7308 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-03-06 17:40:22.762 DEBUG 7308 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-03-06 17:40:22.764 ERROR 7308 --- [nio-8080-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; remaining name ''

I'm at a loss as to what it is expecting. All the other questions I've seen with this error seem to be cases where the query itself failed. But here it has clearly found the user successfully before the error is generated.

Edit: I had them create a test user with no comma in the name, since that is what people have been focusing on. That does not seem to have fixed the error.

2018-03-07 13:59:52.569 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.ldap.SpringSecurityLdapTemplate    : Found DN: CN=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.571 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.l.a.BindAuthenticator              : Attempting to bind as cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.572 DEBUG 1384 --- [nio-8080-exec-9] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.588 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.l.a.BindAuthenticator              : Retrieving attributes...
2018-03-07 13:59:52.591 DEBUG 1384 --- [nio-8080-exec-9] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.591 DEBUG 1384 --- [nio-8080-exec-9] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'TESTER1', DN = 'cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com', with filter (uniqueMember={0}) in search base ''
2018-03-07 13:59:52.591 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.ldap.SpringSecurityLdapTemplate    : Using filter: (uniqueMember=cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com)
2018-03-07 13:59:52.614 DEBUG 1384 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-03-07 13:59:52.615 DEBUG 1384 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-03-07 13:59:52.616 ERROR 1384 --- [nio-8080-exec-9] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; remaining name ''

1 answer:

Answer 0: (score: 0)

It looks like it is trying to read the group membership for your user, but somehow the user's DN is getting garbled:

Found DN: CN=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com

and then it searches for the membership using:

Using filter: (uniqueMember=cn=user\,lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com)

The space is stripped from the user's CN, so Active Directory tells you 2001 (NO_OBJECT) - which is correct. Looks like a bug in an LDAP handler somewhere.

Edit

Looking at https://github.com/spring-projects/spring-security/blob/master/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java, the following snippet in searchForMultipleAttributeValues() appears to be reformatting your user DN:

    for (int i = 0; i < params.length; i++) {
        encodedParams[i] = LdapEncoder.filterEncode(params[i].toString());
    }

    String formattedFilter = MessageFormat.format(filter, encodedParams);
    logger.debug("Using filter: " + formattedFilter);

So it is either the LdapEncoder.filterEncode() call or the MessageFormat.format() call. Definitely a bug in Spring LDAP.
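As an added example (not from the question or the answer above): the questioner's configure() with the role lookup given an explicit group search base and an Active Directory style member filter. The log shows the role search running "in search base ''", and the assumption here is that this subtree search from the empty base DN is what Active Directory rejects with error 32; the OU=groups container and the ldap.manager-password property are placeholders for this example.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not the questioner's code: same user search as in the
// question, plus an explicit group search so the authorities populator does
// not run a subtree search from '' (assumed to be the source of error 32).
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Keep the service-account password out of the source tree; the property
    // name ldap.manager-password is an assumption for this example.
    @Value("${ldap.manager-password}")
    private String managerPassword;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userSearchBase("OU=users,DC=dom,DC=company,DC=com")
                .userSearchFilter("(sAMAccountName={0})")
                // Placeholder container: give the role lookup a base that
                // exists instead of the default '' seen in the log.
                .groupSearchBase("OU=groups,DC=dom,DC=company,DC=com")
                // Active Directory stores group membership in 'member', not
                // 'uniqueMember'; {0} is the user's full DN, filter-encoded.
                .groupSearchFilter("(member={0})")
                // Map each matching group's cn to ROLE_<cn>.
                .groupRoleAttribute("cn")
                .rolePrefix("ROLE_")
                .contextSource()
                    .url("ldaps://ldap.company.com:424")
                    .managerDn("CN=managerUser,OU=services,DC=dom,DC=company,DC=com")
                    .managerPassword(managerPassword);
    }
}
```

With DEBUG logging left on, the DefaultLdapAuthoritiesPopulator line should now report the configured base instead of an empty one, which confirms whether the empty-base search was the failing step.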