GlassFish 3.1 LDAP realm via ActiveDirectory
There have been some questions about this topic here but none of the answers helped or the threads seemed to have died... so here goes another one:
I am trying to have authentication for my webapps handled via an ActiveDirectory server. Configuration of the realm in domain.xml is as follows:
<auth-realm name="ActiveDirectory" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property description="null" name="directory" value="ldap://ad.local:389"></property>
    <property description="null" name="base-dn" value="DC=ad,DC=local"></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="assign-groups" value="Users"></property>
    <property name="search-filter" value="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"></property>
    <property name="search-bind-password" value="topsecret"></property>
    <property name="group-search-filter" value="(&amp;(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-dn" value="CN=read only,OU=@ServiceAccounts,DC=ad,DC=local"></property>
</auth-realm>
Also, this JVM option is set (as stated in many tutorials):
<jvm-options>-Djava.naming.referral=follow</jvm-options>
web.xml for the application is set up like this (yes, very basic):
...
<security-constraint>
    <display-name>OnlyAD</display-name>
    <web-resource-collection>
        <web-resource-name>/SubgroupFacade</web-resource-name>
        <description/>
        <url-pattern>/SubgroupFacade</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ActiveDirectory</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>Users</role-name>
</security-role>
...
Starting GlassFish works fine. Visiting the SubgroupFacade servlet works, too: the login box comes up. I enter a valid username and the appropriate password and... the window simply appears again.
The log shows that the raw connection and plain user lookup work, but the group lookup fails with one (probably two) exceptions:
WARNUNG: SEC1106: Error during LDAP search with filter [(&(objectCategory=group)(member=CN=Someuser Joe,OU=Users,OU=Fizzlecorp,DC=ad,DC=local))].
WARNUNG: SEC1000: Caught exception.
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=ad,DC=local'
...
WARNUNG: SEC1106: Error during LDAP search with filter [(&(objectclass=groupofuniquenames)(objectclass=*groupofurls*))].
WARNUNG: SEC1000: Caught exception.
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=ad,DC=local'
...
Running the LDAP queries in an external application (for example a simple ldapsearch on a terminal) works. I do get all groups of Joe Someuser. However, the second query ((&(objectclass=groupofuniquenames)(objectclass=*groupofurls*))) does not return any results... and I wasn't able to get any information about what this query is supposed to do.
I hope somebody out there has an idea about what's going wrong here. This one has been beating me since I came to work this morning (it's now late afternoon here...).
Thanks in advance!
Ben
Comments (1)
Add to <auth-realm> the property
<property name="java.naming.referral" value="follow"></property>
It helped me.
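An added example, not code from the question, the answer or the GlassFish project: a small Python script that audits a domain.xml for the realm-level java.naming.referral property the comment above adds, patches it in when it is missing, and counts the "Unprocessed Continuation Reference(s)" symptom lines in a log excerpt. It assumes the <auth-realm>/<property> layout shown in the question, uses a constructed copy of that realm (bind password redacted) and a constructed log excerpt built from the question's own lines, and rests on one assumption about GlassFish: that LDAPRealm copies its java.naming.* realm properties into the JNDI environment it opens the directory connection with, which would explain why the realm property works where the -Djava.naming.referral JVM option alone did not.

```python
"""Audit a GlassFish domain.xml for the realm-level referral setting and add it if missing.

Added example, not code from the question or the answer. Assumes the
<auth-realm>/<property name=.. value=..> layout shown in the question.
"""
import xml.etree.ElementTree as ET

LDAP_REALM_CLASS = "com.sun.enterprise.security.auth.realm.ldap.LDAPRealm"
REFERRAL_PROPERTY = "java.naming.referral"
# Values JNDI accepts for java.naming.referral (Context.REFERRAL).
REFERRAL_MODES = ("follow", "ignore", "throw")

# Constructed sample, modelled on the realm in the question; bind password redacted.
SAMPLE_DOMAIN_XML = """<domain>
  <security-service>
    <auth-realm name="ActiveDirectory" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
      <property name="directory" value="ldap://ad.local:389"/>
      <property name="base-dn" value="DC=ad,DC=local"/>
      <property name="jaas-context" value="ldapRealm"/>
      <property name="assign-groups" value="Users"/>
      <property name="search-filter" value="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"/>
      <property name="group-search-filter" value="(&amp;(objectCategory=group)(member=%d))"/>
      <property name="search-bind-dn" value="CN=read only,OU=ServiceAccounts,DC=ad,DC=local"/>
      <property name="search-bind-password" value="REDACTED"/>
    </auth-realm>
  </security-service>
</domain>
"""

# Constructed log excerpt, built from the symptom lines quoted in the question.
SAMPLE_LOG = """WARNUNG: SEC1106: Error during LDAP search with filter [(&(objectCategory=group)(member=CN=Someuser Joe,OU=Users,OU=Fizzlecorp,DC=ad,DC=local))].
WARNUNG: SEC1000: Caught exception.
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=ad,DC=local'
"""


def ldap_realms(root):
    """All <auth-realm> elements that use GlassFish's LDAPRealm class."""
    return [r for r in root.iter("auth-realm") if r.get("classname") == LDAP_REALM_CLASS]


def realm_properties(realm):
    """Map of property name -> value for one realm element."""
    return {p.get("name"): p.get("value") for p in realm.findall("property")}


def audit_referral_setting(domain_xml):
    """Return {realm name: referral mode or None} for every LDAP realm.

    None means no referral handling is configured on the realm, which is the
    state in which the question's group search ended in PartialResultException.
    """
    root = ET.fromstring(domain_xml)
    return {r.get("name"): realm_properties(r).get(REFERRAL_PROPERTY) for r in ldap_realms(root)}


def add_referral_property(domain_xml, realm_name, mode="follow"):
    """Return domain.xml text with java.naming.referral=<mode> on the named realm.

    The property goes on the realm, not in <jvm-options>: the realm builds its
    own JNDI environment and (assumption, see lead-in) copies its java.naming.*
    properties into it.
    """
    if mode not in REFERRAL_MODES:
        raise ValueError(f"referral mode must be one of {REFERRAL_MODES}, got {mode!r}")
    root = ET.fromstring(domain_xml)
    for realm in ldap_realms(root):
        if realm.get("name") != realm_name:
            continue
        existing = [p for p in realm.findall("property") if p.get("name") == REFERRAL_PROPERTY]
        if existing:
            existing[0].set("value", mode)  # already present: just correct the value
        else:
            prop = ET.SubElement(realm, "property")
            prop.set("name", REFERRAL_PROPERTY)
            prop.set("value", mode)
        return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no LDAPRealm named {realm_name!r} in domain.xml")


def referral_failures(log_text):
    """Count log lines carrying the continuation-reference symptom from the question."""
    return sum("Unprocessed Continuation Reference" in line for line in log_text.splitlines())


if __name__ == "__main__":
    print("referral failures in log:", referral_failures(SAMPLE_LOG))
    print("before:", audit_referral_setting(SAMPLE_DOMAIN_XML))
    fixed = add_referral_property(SAMPLE_DOMAIN_XML, "ActiveDirectory")
    print("after: ", audit_referral_setting(fixed))
```

"follow" makes the JNDI LDAP provider chase the continuation references a domain controller returns for the other naming contexts below the domain root; "ignore" drops them instead, which is enough when every group of interest lives in the domain partition itself. Either way the search-bind account still needs no more rights than reading user and group objects, so the fix does not widen the realm's privileges.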