Grails的/ Spring Security的LDAP：替代檢查方法

Question

我一直在想，如果有配置Spring Security的LDAP插件無法執行的標準方式的認證方式，但如下：

If one is able to connect and login to the LDAP server then 
the user is authenticated. 

Read the authorization from this user's account on LDAP 
(this is probably the default behavior) 

所以基本上代替擁有主帳戶配置的用戶使用用戶傳遞的用戶名/密碼來實際執行登錄（如果successfull允許用戶獲取其他數據）。

提前致謝！

Answer 1

希望你仍然在尋找這個。聽起來像是BindAuthenticator的正確方向邁出的一大步。您必須更改權威populator才能使用安全上下文源。我相信默認的populator使用連接池和相應的管理員帳戶。

下面是一個帶BindAuthenticator和自定義AuthoritiesPopulator的設置示例。

 <bean id="authPopulator" class="org.springframework.security.ldap.populator.CustomLdapAuthoritiesPopulator"> 
     <constructor-arg ref="securityContextSource"/> 
     <constructor-arg value="ou=Roles,o=data"/> 
     <property name="groupRoleAttribute" value="resourceGroupType"/> 
     <property name="groupSearchFilter" value="member={0}" /> 
    </bean> 

<bean id="ldap-authentication-provider" 
     class="org.springframework.security.providers.ldap.LdapAuthenticationProvider" > 
    <constructor-arg> 
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> 
     <constructor-arg ref="securityContextSource"/> 
     <property name="userDnPatterns"> 
     <list><value>cn={0},ou=users,o=system</value> 
      <value>cn={0},ou=users,o=xyz</value> 
      <value>cn={0},ou=users,ou=external,o=xyz</value> 
    </list> 
     </property> 
     <property name="userSearch" ref="userSearch"> 
     </property> 
    </bean> 
    </constructor-arg> 
    <constructor-arg ref="authPopulator"/> 
    <s:custom-authentication-provider /> 
</bean> 

這裏是我的上下文信息源DEF：

 <bean id="securityContextSource" 
     class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> 
    <constructor-arg value="ldap://192.168.254.254:389"/> 
    <property name="userDn" value="cn=admin,ou=users,o=xyz"/> 
    <property name="password" value="password"/> 
</bean> 

我決定測試無需用戶名或密碼的上下文信息源，它似乎部分工作。這是我的日誌輸出。

[java] - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER 
    [java] - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER' 

我沒有收到任何錯誤，但沒有填充所有角色。這可能是eDirectory權限問題，或者您可能必須創建自己的權限填充程序。 populator確實傳遞給用戶dirContext。