
無法在JBoss 7.1中正確配置LDAP

我必須在JBoss 7.1下配置LDAP身份驗證,但是當我嘗試使用自己的憑證登錄時遇到了問題。我的配置如下:

<!-- Login module from the question's security domain.
     LdapLoginModule builds the bind DN as principalDNPrefix + <typed login name> + principalDNSuffix,
     so with principalDNPrefix="suid=" the name the user types lands in the suid= position, which in
     this directory holds the numeric employee id rather than the login name (see the explanation below).
     NOTE(review): baseFilter / baseCtxDN are options of LdapExtLoginModule (search for the user by
     filter, then bind with the DN that was found), not of LdapLoginModule - confirm against the
     PicketBox documentation for the module actually in use.
     NOTE(review): "simple" authentication over plain ldap:// sends the password unencrypted;
     prefer ldaps:// or StartTLS. -->
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"> 
    <!-- JNDI connection settings -->
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> 
    <module-option name="java.naming.provider.url" value="ldap://domain.com:389"/> 
    <module-option name="java.naming.security.authentication" value="simple"/> 
    <module-option name="java.naming.referral" value="follow"/> 
    <!-- Search-based user lookup by login name ({0} is the typed user name) -->
    <module-option name="baseFilter" value="(uid={0})"/> 
    <module-option name="baseCtxDN" value="ou=people,dc=domain,dc=com"/> 
    <module-option name="throwValidateError" value="true"/> 
    <!-- Bind DN assembled around the typed login name: suid=<login name>,ou=people,dc=domain,dc=com -->
    <module-option name="principalDNPrefix" value="suid="/> 
    <module-option name="principalDNSuffix" value=",ou=people,dc=domain,dc=com"/> 
    <!-- Search limits: 5000 ms, one level below the base context -->
    <module-option name="searchTimeLimit" value="5000"/> 
    <module-option name="searchScope" value="ONELEVEL"/> 
</login-module> 

「uid」代表登錄用戶名(「姓 名」),「suid」代表唯一的ID。所以,當我在Java類中像下面這樣使用LDAP時,它是可以工作的:

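// Direct JNDI bind as the employee's own entry. Note that the DN is keyed by suid
// (the unique employee id), not by the login name - which is exactly what the JBoss
// login-module configuration above does not reproduce.
// NOTE(review): "simple" authentication over plain ldap:// sends the password
// unencrypted (prefer ldaps:// or StartTLS), and the credentials below are
// placeholders - never keep real ones in source.
Hashtable<String, String> env = new Hashtable<String, String>(); 
env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory"); 
env.put("java.naming.provider.url", "ldap://domain.com:389"); 
env.put("java.naming.security.authentication", "simple"); 
env.put("java.naming.security.principal", "suid=1234567890,ou=people,dc=st,dc=com"); 
env.put("java.naming.referral", "follow"); 
env.put("java.naming.security.credentials", "123456"); 
// The bind happens here; a NamingException means the bind (or the connection) failed.
DirContext directoryContext = new InitialDirContext(env); 
// Release the LDAP connection once the context is no longer needed.
directoryContext.close(); 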

但是,我不知道如何配置JBoss,使其能把uid換成suid(例如把「姓 名」換成「1234567890」)。


離題:這個問題屬於 serverfault.com。 – EJP

回答


在LDAP服務器中創建如下層次結構:

+ o=your-organization-name (partition) 
    + ou=users (organizationalUnit) 
     - uid=your-id-user (inetOrgPerson), add userPassword attribute 
    + ou=groups (organizationalUnit) 
     - cn=your-user-role (groupOfNames), add the uid created above as a member 

在JBoss 7.1(standalone.xml)中配置安全域,然後在你的jboss-web.xml中引用它:

<!-- standalone.xml: security domain that the web application references from jboss-web.xml.
     Authentication: simple bind as principalDNPrefix + <login name> + principalDNSuffix.
     Authorization: roles are taken from the entries under rolesCtxDN whose "member" attribute
     (uidAttributeID) holds the user's DN (matchOnUserDN=true); roleAttributeIsDN=false means the
     cn value itself is the role name, which must match <role-name> in web.xml.
     NOTE(review): simple bind over plain ldap:// (no TLS) sends the password unencrypted -
     prefer ldaps:// or StartTLS for a company directory. -->
<subsystem xmlns="urn:jboss:domain:security:1.1"> 
      <security-domains> 
      ... 
<security-domain name="SecurityRealm" cache-type="default"> 
        <authentication> 
         <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"> 
          <!-- JNDI connection settings -->
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> 
          <module-option name="java.naming.provider.url" value="ldap://host-ldap-server:port-ldap-server/"/> 
          <module-option name="java.naming.security.authentication" value="simple"/> 
          <!-- User DN: uid=<login name>,ou=users,o=your-organization-name -->
          <module-option name="principalDNPrefix" value="uid="/> 
          <module-option name="principalDNSuffix" value=",ou=users,o=your-organization-name"/> 
          <!-- Role lookup: groups under ou=groups whose "member" attribute contains the user DN;
               the group's cn becomes the role name -->
          <module-option name="rolesCtxDN" value="ou=groups,o=your-organization-name"/> 
          <module-option name="uidAttributeID" value="member"/> 
          <module-option name="matchOnUserDN" value="true"/> 
          <module-option name="roleAttributeID" value="cn"/> 
          <module-option name="roleAttributeIsDN" value="false"/> 
         </login-module> 
        </authentication> 
       </security-domain> 
      </security-domains> 

<!-- jboss-web.xml: binds the application to the security domain declared in standalone.xml -->
<security-domain>SecurityRealm</security-domain> 

而最重要的是:該用戶是否被允許訪問此頁面?(web.xml):

<?xml version="1.0" encoding="UTF-8"?> 
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> 

    <!-- Protected Areas --> 
    <!-- Only authenticated users holding your-user-role (the cn of the LDAP group the login
         module maps to a role) may reach the URLs below. -->
    <security-constraint> 
     <display-name>Protected</display-name> 
     <web-resource-collection>    
      <url-pattern>url-pages-you-want-protect</url-pattern> 
      <!-- NOTE(review): listing methods limits the constraint to exactly these verbs; HEAD,
           PUT, DELETE, OPTIONS etc. on the same URLs stay unprotected. Omit the
           <http-method> elements to cover every method. -->
      <http-method>GET</http-method> 
      <http-method>POST</http-method> 
     </web-resource-collection> 
     <auth-constraint> 
      <role-name>your-user-role</role-name> 
     </auth-constraint> 
     <user-data-constraint> 
      <!-- NOTE(review): NONE lets the FORM login POST (and the session cookie) travel over plain
           HTTP; use CONFIDENTIAL to require TLS unless it is terminated in front of JBoss. -->
      <transport-guarantee>NONE</transport-guarantee> 
     </user-data-constraint> 
    </security-constraint> 

    <!-- Validation By Form --> 
    <!-- FORM authentication: the container shows your-login-page, collects the credentials and
         hands them to the security domain referenced from jboss-web.xml. -->
    <login-config> 
     <auth-method>FORM</auth-method> 
     <form-login-config> 
      <form-login-page>your-login-page</form-login-page> 
      <form-error-page>your-error-page</form-error-page> 
     </form-login-config> 
    </login-config> 

    <!-- Allowed Roles --> 
    <!-- Every role used in an <auth-constraint> should also be declared here. -->
    <security-role> 
     <role-name>your-user-role</role-name> 
    </security-role> 
</web-app> 

用以下代碼測試連接:

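/**
 * Stand-alone JAAS test for the LdapLoginModule configuration shown above.
 * <p>
 * The static initializer installs {@link TestConfig} as the process-wide JAAS
 * {@link Configuration}, so {@code new LoginContext("testLdapExample1", ...)} resolves to
 * the entry built by {@link TestConfig#testLdapExample1()}.
 * <p>
 * NOTE(review): the user name, password and role below are placeholders to be replaced for
 * a real run; keep real credentials out of version control. The module performs a "simple"
 * bind over plain {@code ldap://}, so the password crosses the network unencrypted unless
 * TLS is used.
 */
public class LoginModulesTestCase extends TestCase 
{ 
    static 
    { 
        try 
        { 
            Configuration.setConfiguration(new TestConfig()); 
            System.out.println("Installed TestConfig as JAAS Configuration"); 
        } 
        catch(Exception e) 
        { 
            e.printStackTrace(); 
        } 
    } 

    /** Hard coded login configurations for the test cases. The configuration 
    name corresponds to the unit test function that uses the configuration. 
    */ 
    static class TestConfig extends Configuration 
    { 
        @Override 
        public void refresh() 
        { 
            // Nothing to reload: the configuration is hard-coded below.
        } 

        /**
         * Resolves a configuration name to the no-arg method of the same name on this class
         * and returns its result.
         *
         * @param name JAAS application name passed to {@link LoginContext}
         * @return the entries for that name, or {@code null} when no such configuration
         *         exists (the JAAS contract for an unknown name)
         */
        @Override 
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) 
        { 
            try 
            { 
                Method m = getClass().getDeclaredMethod(name); 
                return (AppConfigurationEntry[]) m.invoke(this); 
            } 
            catch(NoSuchMethodException e) 
            { 
                // Unknown configuration name: return null, as the JAAS API specifies.
                return null; 
            } 
            catch(Exception e) 
            { 
                // Reflection or cast failure. Report it instead of silently returning null,
                // otherwise a broken test configuration looks exactly like a missing one.
                e.printStackTrace(); 
                return null; 
            } 
        } 

        /** Configuration used by {@link LoginModulesTestCase#testLdapExample1()}. */
        AppConfigurationEntry[] testLdapExample1() 
        { 
            String name = "org.jboss.security.auth.spi.LdapLoginModule"; 
            HashMap<String, String> options = new HashMap<String, String>(); 
            // Same options as the security-domain in standalone.xml above.
            options.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory"); 
            options.put("java.naming.provider.url", "ldap://host-ldap-server:port-ldap-server/"); 
            options.put("java.naming.security.authentication", "simple"); 
            options.put("principalDNPrefix", "uid="); 
            options.put("principalDNSuffix", ",ou=users,o=your-organization-name"); 
            options.put("rolesCtxDN", "ou=groups,o=your-organization-name"); 
            options.put("uidAttributeID", "member"); 
            options.put("matchOnUserDN", "true"); 
            options.put("roleAttributeID", "cn"); 
            options.put("roleAttributeIsDN", "false"); 
            AppConfigurationEntry ace = new AppConfigurationEntry(name, 
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options); 
            return new AppConfigurationEntry[] {ace}; 
        } 
    } 

    public LoginModulesTestCase(String testName) 
    { 
        super(testName); 
    } 

    /**
     * Logs in through the JAAS configuration named "testLdapExample1" and checks that the
     * user principal and its role group were populated by the login module.
     *
     * @throws Exception if the login itself fails (bad credentials, unreachable server)
     */
    @Test 
    public void testLdapExample1() throws Exception 
    { 
        System.out.println("testLdapExample1"); 
        // Placeholder credentials; replace for a real run and never commit real ones.
        UsernamePasswordHandler handler = new UsernamePasswordHandler("your-uid", "your-uid-password".toCharArray()); 
        LoginContext lc = new LoginContext("testLdapExample1", handler); 
        lc.login(); 
        try 
        { 
            Subject subject = lc.getSubject(); 
            System.out.println("Subject: "+subject); 

            // The login module adds the user as a principal and its roles as a Group.
            // NOTE(review): assumes java.security.acl.Group, which was removed from the JDK
            // in Java 14 - confirm the import against the JDK in use.
            Set<Group> groups = subject.getPrincipals(Group.class); 
            assertTrue("Principals contains your-uid", subject.getPrincipals().contains(new SimplePrincipal("your-uid"))); 
            assertTrue("login module returned a role group", !groups.isEmpty()); 
            Group roles = groups.iterator().next(); 
            // The role name must equal the cn of the groupOfNames the user is a member of
            // (the directory layout above names it your-user-role).
            assertTrue("your-uid-role is a role", roles.isMember(new SimplePrincipal("your-uid-role"))); 
        } 
        finally 
        { 
            // Always release the login state, even when an assertion above fails.
            lc.logout(); 
        } 
    } 

} 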

嘿,我想問你幾件事:

  • 是您的LDAP主機= domain.com?
  • 和您的ldap端口= 389?
  • 您的ldap服務器安裝在哪裏?
  • 您組織的LDAP分區是 ou=people,dc=domain,dc=com 嗎?
  • 不要使用suid,像我給你的例子那樣使用uid;uid本身就是唯一的
  • 你的uid位於 ou=people,dc=domain,dc=com 之下嗎?
  • 這是一個示例代碼副本?
  • 我在自己的機器上使用Apache Directory Server作爲LDAP服務器,你用的是哪個服務器?
  • 你的服務器在哪裏?

如果你願意,我可以幫你配置Apache Directory Server;你只需要另外提一個問題,並加上 JBoss 7.x 和 LDAP 標籤。


我很抱歉,但我不允許修改我公司的LDAP服務器。 – Florent06


你可以用Apache Directory Studio與你公司的LDAP服務器建立一個新的LDAP連接;當你確認了正確的連接參數和權限之後,再按它們修改我給你的測試連接代碣並進行測試。 – 2013-01-16 14:43:21


好吧,我設法連接到我公司的LDAP服務器了。但要做到這一點,我必須在「綁定DN或用戶」中輸入「suid=********,ou=people,dc=domain,dc=com」(******** 代表我唯一的員工編號),而我無法用我的「姓 名」登錄。 – Florent06


我用jldap按如下方式成功連接了:

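// Two-step LDAP authentication with jldap: (1) anonymous search by display name to find
// the entry and read its suid, (2) bind as suid=<value>,ou=people,... with the password.
// NOTE(review): both connections are plain ldap:// on 389, so the user's password in step 2
// crosses the wire unencrypted unless TLS is used. If the name in the filter ever comes
// from user input, escape RFC 4515 filter metacharacters before building the filter.
LDAPConnection conn = new LDAPConnection(); 
LDAPConnection tmp = new LDAPConnection(); 
try { 
    conn.connect("ldap.mycompany.com",389); 
    // No bind precedes the search, so the lookup runs as an anonymous client.
    LDAPSearchResults searchResults = conn.search("ou=people,dc=mycompany,dc=com", 
        LDAPConnection.SCOPE_ONE, "cn=Surname Name", null, false); 

    // suid of the matched entry; stays null when nothing matched or the entry has no suid.
    String suidValue = null; 
    if (searchResults.hasMore()) { 
        LDAPEntry entry = searchResults.next(); 
        LDAPAttributeSet attrSet = entry.getAttributeSet(); 

        Iterator<LDAPAttribute> allAttrs = attrSet.iterator(); 
        while (allAttrs.hasNext()) { 
            LDAPAttribute attr = allAttrs.next(); 
            String attrName = attr.getName(); 
            System.out.println(attrName); 
            if (attrName.equalsIgnoreCase("suid")) { 
                suidValue = (String) attr.getStringValues().nextElement(); 
                System.out.println(suidValue); 
            } 
        } 
    } 

    if (suidValue == null) { 
        // Authentication fails here. The original fell through this branch and then
        // attempted to bind as "suid=null,...".
        System.out.println("Authentication failed: unknown user"); 
    } else { 
        // Bind with the user's DN and the password supplied at login ("MYPASSWORD" is a
        // placeholder). An LDAPException is thrown if the credentials are invalid.
        tmp.connect("ldap.mycompany.com", 389); 
        tmp.bind("suid=" + suidValue + "," + "ou=people,dc=mycompany,dc=com", "MYPASSWORD"); 
    } 
} finally { 
    // Always release both directory connections.
    if (conn.isConnected()) { 
        conn.disconnect(); 
    } 
    if (tmp.isConnected()) { 
        tmp.disconnect(); 
    } 
} 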

但我沒能把這一套用到我的JBoss配置上。

編輯:以下代碼在Java中可以工作:

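// JNDI bind check for a user identified by uid.
// NOTE(review): the connection is plain ldap:// on 389, so the password is sent unencrypted
// unless TLS is used; "PASS" is a placeholder. If username ever comes from user input,
// escape RFC 4514 DN special characters before concatenating it into the DN.
String username = "surname name"; 
String password = "PASS"; 

Hashtable<String, String> env = new Hashtable<String, String>(11); 

env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); 
env.put(Context.PROVIDER_URL, "ldap://ldap.mycompany.com:389"); 
// "simple" makes the server actually verify the password. The original used "none",
// which performs an anonymous bind: SECURITY_PRINCIPAL and SECURITY_CREDENTIALS are
// ignored and "Success" is printed for any password - nothing was authenticated.
env.put(Context.SECURITY_AUTHENTICATION, "simple"); 
env.put(Context.SECURITY_PRINCIPAL, "uid="+ username +",ou=people,dc=mycompany,dc=com"); 
env.put(Context.SECURITY_CREDENTIALS, password); 

boolean authenticated = false; 

// An empty password must be rejected up front: a simple bind with a DN and no password is
// an "unauthenticated bind" that many directory servers accept as anonymous.
if (!password.isEmpty()) { 
    DirContext ctx = null; 
    try { 
        // Create initial context - the bind happens here; a NamingException means the
        // server rejected the credentials or could not be reached.
        ctx = new InitialDirContext(env); 
        authenticated = true; 
    } catch (NamingException e) { 
        e.printStackTrace(); 
    } finally { 
        // Close the context when we're done 
        if (ctx != null) { 
            try { 
                ctx.close(); 
            } catch (NamingException ignored) { 
                // Nothing useful to do if closing the already-authenticated context fails.
            } 
        } 
    } 
} 

if (authenticated) { 
    System.out.print("Success"); 
} else { 
    System.out.print("Failure"); 
} 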