How to force an LDAP bindRequest in Java using JNDI?
I have a JNDI connection to an LDAP server (Active Directory in this case). I also use ctx.extendedOperation( new StartTlsRequest() ) to get a secure connection.
On this connection I need to validate credentials. I CAN log in using
ctx.addToEnvironment( Context.SECURITY_AUTHENTICATION, "simple" );
ctx.addToEnvironment( Context.SECURITY_PRINCIPAL, principal );
ctx.addToEnvironment( Context.SECURITY_CREDENTIALS, credentials );
However the "bindRequest" command is only issued over ldap upon the next action performed on the JNDI context. Yet there is nothing I want to do with it. I just need to check the credentials. Is there any way to enforce the "bindRequest"?
Otherwise, which action should I use as my own NOP? A search for a non-existent object, or should I query some attribute of some object that exists, or ...? It needs to be fast, it should not create any work on the server side and it should use as little bandwidth as possible. (Because in fact that action should never be necessary in the first place...)
Regards,
Steffen
LdapContext.reconnect() performs an LDAP Bind.
For your NO-OP action you could just search for the root DSE. That should be in memory on the server. If you have access to the BIND request and response, you could include the authorization identity request control in the BIND request. If the server supports this request control (in which case it will be listed in the root DSE), the server will include authorization identity response control in the BIND response. That response control will be the authentication identity of the connection.
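Putting both answers together, as an added example that is not code from the original thread: LdapContext.reconnect(null) forces the BindRequest on the already StartTLS-protected connection, and a base-scope root-DSE read is the cheapest NO-OP if you would rather trigger the pending bind with a real operation. The class name, the server URL and the empty-password guard are my assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class LdapCredentialCheck {
    /** Returns true only if the server accepts a simple bind as principal/credentials. */
    public static boolean validate(String url, String principal, char[] credentials)
            throws NamingException {
        // Reject empty passwords up front: a DN with no password is an unauthenticated
        // (effectively anonymous) bind that many servers let "succeed".
        if (principal == null || principal.isEmpty()
                || credentials == null || credentials.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // e.g. "ldap://dc.example.test:389" (assumed)
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // connect anonymously first
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Upgrade to TLS before any credentials leave the JVM.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate(); // default SSLSocketFactory: the server certificate is verified
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
            ctx.reconnect(null); // sends the BindRequest now; no follow-up operation needed
            return true;
        } catch (AuthenticationException e) {
            return false;        // server answered invalidCredentials
        } finally {
            if (tls != null) tls.close();
            ctx.close();
        }
    }

    /** The NO-OP from the second answer: a base-scope read of the root DSE that asks for
     *  no attributes ("1.1"), which also flushes any pending bind on this context. */
    public static void touchRootDse(LdapContext ctx) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);
        sc.setReturningAttributes(new String[] {"1.1"});
        ctx.search("", "(objectClass=*)", sc).close();
    }
}
```

A failed bind shows up server-side as a single bind failure event for that account, so repeated calls against one principal will count toward its lockout policy just like interactive logons do.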
As far as I understand, a solution is just to look for the principal in the directory, making a search with a filter like:
If the principal is in the form: "user1"
If the principal is in the form: "[email protected]"