(AD) ldap 领域中的组成员资格
我在 java ee 企业应用程序中使用 JAAS 框架进行身份验证和授权过程。我使用 GlassFish 作为应用程序服务器。我的领域配置如下所示:
<auth-realm name="ads-realm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property name="jaas-context" value="ldapRealm" />
<property name="base-dn" value="CN=Users,DC=company,DC=intern" />
<property name="directory" value="ldap://ad.company.intern:389" />
<property name="search-filter" value="(&(objectClass=user)(sAMAccountName=%s))" />
<property name="search-bind-password" value="****" />
<property name="search-bind-dn" value="[email protected]" />
</auth-realm>
此配置在我的环境中运行良好。请参阅以下日志条目:
FEIN: JAAS login complete.
FEIN: JAAS authentication committed.
FEIN: Password login succeeded for xyz
但我没有从 Active Directory 接收 LDAP 组成员身份
FEIN: LDAP: Group memberships found:
FEIN: LDAP: login succeeded for: xyz
我需要执行哪些配置/条目/映射才能从 AD 接收组成员身份?
当然,我可以将该属性添加
<property name="assign-groups" value="Users" />
到我的 GlassFish 配置中,但这并不是我想要的。
I use the JAAS Framework for the authentification and authorization process in a java ee enterprise application. I use GlassFish as the application server. My realm configuration looks like:
<auth-realm name="ads-realm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property name="jaas-context" value="ldapRealm" />
<property name="base-dn" value="CN=Users,DC=company,DC=intern" />
<property name="directory" value="ldap://ad.company.intern:389" />
<property name="search-filter" value="(&(objectClass=user)(sAMAccountName=%s))" />
<property name="search-bind-password" value="****" />
<property name="search-bind-dn" value="[email protected]" />
</auth-realm>
This configuration works fine in my environment. See following log entries:
FEIN: JAAS login complete.
FEIN: JAAS authentication committed.
FEIN: Password login succeeded for xyz
but i don't receive a LDAP Group membership(s) from my Active Directory
FEIN: LDAP: Group memberships found:
FEIN: LDAP: login succeeded for: xyz
Which configuration/entry/mapping have I to do, to receive a group membership from AD?
Surely, I can add the property
<property name="assign-groups" value="Users" />
to my GlassFish configuration, but that is not exactly what i want.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您需要添加此额外属性:
group-search-filter搜索过滤器以查找用户的组成员身份。默认值为 uniquemember=%d(%d 扩展为用户元素 DN)。对于 Active Directory,这应该是 member=%dYou need to add this extra property:
group-search-filterSearch filter to find group memberships for the user. The default value is uniquemember=%d (%d expands to the user element DN). In the case of Active Directory this should be member=%d