Weblogic NegotiateIdentityAsserter 和用户主体名称
我的 Web 应用程序使用 Kerberos 身份验证。我设置了 NegotiateIdentityAsserter 和 LDAP 身份验证提供程序。如果 sAMAccountName 是用于用户查找的用户,则一切正常。不幸的是,在 tagret 环境中这个属性不是唯一的。我需要通过 UPN(用户主体名称)来识别用户。
有办法实现吗?
我的配置是
Weblogic 10.3.5 Java 1.6
login.config:
myrealm {
weblogic.security.auth.login.UsernamePasswordLoginModule required debug=true;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]"
refreshKrb5Config=true
useKeyTab=true
keyTab="c:/ccaapl/security/ceprwlvyv_ktpass.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]"
refreshKrb5Config=true
useKeyTab=true
keyTab="c:/ccaapl/security/ceprwlvyv_ktpass.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]"
refreshKrb5Config=true
useKeyTab=true
keyTab="c:/ccaapl/security/ceprwlvyv_ktpass.keytab"
storeKey=true
debug=true;
};
krb5.ini:
[libdefaults]
default_realm = DSMSP.LOCAL
kdc_timesync = 1
ccache_type = 4
ticket_lifetime = 600
clockskew = 1200
dns_lookup_kdc = true
[realms]
DSMSP.LOCAL = {
kdc = DSDC.dsmsp.local
}
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
提前致谢!
彼得
My web application uses Kerberos authentication. I set NegotiateIdentityAsserter and LDAP Authentication Provider. Everything works fine if sAMAccountName is user for user lookup. Unfortunately in tagret environment this attribute is not unique. I need to identify user by his UPN (user principal name).
Is there a way how to achieve it?
My configuration is
Weblogic 10.3.5
Java 1.6
login.config:
myrealm {
weblogic.security.auth.login.UsernamePasswordLoginModule required debug=true;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]"
refreshKrb5Config=true
useKeyTab=true
keyTab="c:/ccaapl/security/ceprwlvyv_ktpass.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]"
refreshKrb5Config=true
useKeyTab=true
keyTab="c:/ccaapl/security/ceprwlvyv_ktpass.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/[email protected]"
refreshKrb5Config=true
useKeyTab=true
keyTab="c:/ccaapl/security/ceprwlvyv_ktpass.keytab"
storeKey=true
debug=true;
};
krb5.ini:
[libdefaults]
default_realm = DSMSP.LOCAL
kdc_timesync = 1
ccache_type = 4
ticket_lifetime = 600
clockskew = 1200
dns_lookup_kdc = true
[realms]
DSMSP.LOCAL = {
kdc = DSDC.dsmsp.local
}
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
Thanks in advance!
Petr
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你的说法具有误导性。为什么混合使用 Kerberos 身份验证和 LDAP 身份验证?您只需要 Kerberos 身份验证。
成功登录后,您将获得用户的 UPN。在 AD 字段中搜索:userPrincipalName。
我就是这样做的。
你提的问题不够精确。您混淆了身份验证和用户查找。
Your statement is misleading. Why do you mix Kerberos auth and LDAP auth? You need Kerberos auth only.
After a sucessfully login, you'll be given the user's UPN. Search with that in your AD in the field: userPrincipalName.
This is how I do it.
You question is not precise enough. You are mixing up authentication and user lookup.