What login name to use for Spring LDAP authentication
I created a local LDAP server and added the user "djiao" with password "123456".
I am trying to implement authentication with Spring Security and Spring Boot. The WebConfig class is as follows:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.event.LoggerListener;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                .formLogin();
        }

        @Bean
        public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
            // Empty domain, local server on port 10389
            ActiveDirectoryLdapAuthenticationProvider provider =
                    new ActiveDirectoryLdapAuthenticationProvider("", "ldap://localhost:10389");
            provider.setConvertSubErrorCodesToExceptions(true);
            provider.setUseAuthenticationRequestCredentials(true);
            return provider;
        }

        @Bean
        public LoggerListener loggerListener() {
            return new LoggerListener();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
        }
    }
However, I can't seem to log in from the login page.
If I use djiao (cn) or djiao1 (uid), I get a 500:

    [LDAP: error code 34 - Incorrect DN given : djiao1 (0x64 0x6a 0x69 0x61 0x6f 0x31 ) is invalid]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : djiao1 (0x64 0x6a 0x69 0x61 0x6f 0x31 ) is invalid]

If I use the DN "cn=djiao,ou=users,dc=example,dc=com" as the username, I get a "Bad credentials" error. The password is 123456.
What should the username be to log in? Or is something missing in the WebSecurityConfig class?
Since the code identifies that you're using spring-boot:
this is working for connecting to LDAP:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
            authBuilder
                .ldapAuthentication()
                    .userSearchFilter("(sAMAccountName={0})")
                    .userSearchBase("dc=some,dc=domain,dc=com")
                    .groupSearchBase("ou=groups,dc=some,dc=domain,dc=com")
                    .groupSearchFilter("member={0}")
                    .contextSource()
                        .url("ldaps://<ldap-server>")
                        .port(639)
                        .managerDn("cn=binduser,ou=users,dc=some,dc=domain,dc=com")
                        .managerPassword("some pass");
        }
    }
So in essence, going with userSearchFilter,
you'd have to define different values. If you use an LDAP besides AD, the filter should be "(uid={0})",
or if you want people to be able to use their email, go with "(mail={0})",
or a combination "(|(uid={0})(mail={0}))"
would allow the use of both.
If you go with ActiveDirectory – which I assume you are not, based on what you have written above – it should be sAMAccountName.
As stated above, this would allow people to enter their id in the domain as mydomain\myusername
or log in as myusername.
If you need to connect to multiple LDAP servers that share the same information for HA purposes, you can do that through the .contextSource().url()
call. If you carry different ones, e.g. 'emea', 'us', 'ap', you can combine these calls using:
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .ldapAuthentication()
                .userSearchFilter("(sAMAccountName={0})")
                .userSearchBase("dc=emea,dc=domain,dc=com")
                .groupSearchBase("ou=groups,dc=emea,dc=domain,dc=com")
                .groupSearchFilter("member={0}")
                .contextSource()
                    .url("ldaps://<emea-ldap-server>")
                    .port(639)
                    .managerDn("cn=binduser,ou=users,dc=emea,dc=domain,dc=com")
                    .managerPassword("some pass")
                    .and()
                .and()
            .ldapAuthentication()
                .userSearchFilter("(sAMAccountName={0})")
                .userSearchBase("dc=ap,dc=domain,dc=com")
                .groupSearchBase("ou=groups,dc=ap,dc=domain,dc=com")
                .groupSearchFilter("member={0}")
                .contextSource()
                    .url("ldaps://<ap-ldap-server>")
                    .port(639)
                    .managerDn("cn=binduser,ou=users,dc=ap,dc=domain,dc=com")
                    .managerPassword("some pass");
    }
BTW: this allows you to combine different authentication mechanisms: inMemory (default-admin-backdoor), LDAP and/or JDBC.
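For the asker's situation specifically (a plain LDAP server on localhost:10389, users under ou=users,dc=example,dc=com, not Active Directory), the following is an added example of the ldapAuthentication() route the answer describes; it is not code from the question or the answer. ActiveDirectoryLdapAuthenticationProvider binds with the AD "user@domain" form and interprets AD sub-error codes, which a generic directory does not produce, so the switch to a search filter or DN pattern is the relevant change. The property names ldap.manager.dn and ldap.manager.password are assumptions; any bind account credentials belong in configuration or the environment rather than in a source literal.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Bind account used only to look up the user's entry before the user's own
    // bind. Assumed property names; values come from application properties or
    // the environment, never from a literal in the class.
    @Value("${ldap.manager.dn:}")
    private String managerDn;

    @Value("${ldap.manager.password:}")
    private String managerPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                // Search for the entry whose uid equals the login name, so the
                // asker logs in as "djiao1". {0} is passed to JNDI as a filter
                // argument and is escaped there, so characters such as '*' or ')'
                // typed into the login form cannot change the filter's structure.
                // To accept email as well: "(|(uid={0})(mail={0}))".
                .userSearchBase("ou=users")
                .userSearchFilter("(uid={0})")
                // Alternative when no bind account exists: bind directly as the
                // entry named by the login ("djiao" for cn=djiao,ou=users,...):
                //     .userDnPatterns("cn={0},ou=users")
                // in place of the two lines above.
                .contextSource()
                    // The base DN in the URL makes userSearchBase relative to it.
                    .url("ldap://localhost:10389/dc=example,dc=com")
                    .managerDn(managerDn)
                    .managerPassword(managerPassword);
    }
}
```

With no groupSearchBase set, Spring Security skips the group lookup and the authenticated user simply gets no LDAP-derived authorities; add groupSearchBase("ou=groups") once such a branch exists in the directory. Plain ldap:// is only acceptable against a server on the same host; anything reaching over a network should use ldaps:// as the answer's snippets do, since the user's password travels in the bind request.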