当前位置: 文江博客话题详情

Glassfish 3.1 ldapRealm ActiveDirectory 组成员身份

发布于 2024-12-27 08:37:18 字数 2370 浏览 5 评论 0原文

我正在尝试在 Glassfish 3.1 上实现 ldapRealm。我可以使用以下配置正常登录,但是我无法正确获取 AD 的组成员身份。我按照(AD) ldap 领域中的群组成员身份添加群组-search-filter 但仍然不起作用。
这是我的 web.xml :

<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://domain.com:389"></property>
    <property name="search-filter" value="(&amp;(objectCategory=user)(sAMAccountName=%s))"></property>
    <property name="search-bind-dn" value="[email protected]"></property>
    <property description="null" name="base-dn" value="OU=CORP Users,DC=domain,DC=com"></property>
    <property name="group-search-filter" value="(&amp;(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-password" value="password"></property>
    <property name="jaas-context" value="ldapRealm"></property>
</auth-realm>

我还将以下选项添加到 server-config > JVM

-Djava.naming.referral=follow

Glassfish 的日志条目:

FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /j_security_check POST)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [kip] into realm: ADREALM using JAAS module: ldapRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule
FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com  filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found: 
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : kip
FINE: Set security context as user: kip

请注意,找到的组成员资格为空。如果需要更多信息,请告诉我。

原文

I'm trying to implement ldapRealm on Glassfish 3.1. I can login fine with the following configuration, however I haven't been able to get AD's group membership correctly. I followed group memberships in (AD) ldap Realm to include group-search-filter but still not working.
Here's my web.xml :

<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://domain.com:389"></property>
    <property name="search-filter" value="(&(objectCategory=user)(sAMAccountName=%s))"></property>
    <property name="search-bind-dn" value="[email protected]"></property>
    <property description="null" name="base-dn" value="OU=CORP Users,DC=domain,DC=com"></property>
    <property name="group-search-filter" value="(&(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-password" value="password"></property>
    <property name="jaas-context" value="ldapRealm"></property>
</auth-realm>

I also add the following option to server-config > JVM

-Djava.naming.referral=follow

Glassfish's log entry :

FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /j_security_check POST)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [kip] into realm: ADREALM using JAAS module: ldapRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule
FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com  filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found: 
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : kip
FINE: Set security context as user: kip

Notice that Group memberships found is empty. Please let me know if more information is needed.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

冰之心 2025-01-03 08:37:19

周末,我发现我的 ldapRealm 配置出了什么问题。由于我将我的基本 dn 设置为用户 ou 分支,并且组信息位于不同的 ou 分支上,所以 glassfish 找不到我的组 dn。 (限制性太强 - SO 的一个问题也提到了)。为了让group-search-filter工作,我必须向ldapRealm添加额外的属性,它是group-base-dn用于组数据检索。

<property name="group-base-dn" value="OU=CORP Groups,DC=domain,DC=com"></property>

因此,除非我将 base-dn 设置为基本 DC=domain,DC=com,否则我必须包含 group-base-dn 属性。这是我最终的 ldapRealm 配置:

<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://domain.com:389"></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="base-dn" value="OU=CORP Users,DC=domain,DC=com" description="null"></property>
    <property name="search-filter" value="(&(objectCategory=user)(sAMAccountName=%s))"></property>
    <property name="group-base-dn" value="OU=CORP Groups,DC=domain,DC=com"></property>
    <property name="group-search-filter" value="(&(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-dn" value="[email protected]"></property>
    <property name="search-bind-password" value="password"></property>
</auth-realm>

我希望这可以帮助任何人配置 ldapRealm。谢谢!

附玻璃鱼日志:

FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com  filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found:  Application Administrators
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.

Over the weekend, I figured out what was wrong with my ldapRealm configuration. Since I set my base-dn to users ou branch and group information is on different ou branch, glassfish couldn't find my groups dn. (too restrictive - also mentioned by one of SO's question). In order to get group-search-filter to work, i had to add additional property to ldapRealm, which is group-base-dn for group data retrieval.

<property name="group-base-dn" value="OU=CORP Groups,DC=domain,DC=com"></property>

So, unless I set my base-dn to basic DC=domain,DC=com I have to include group-base-dn property. Here's my final ldapRealm configuration:

<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://domain.com:389"></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="base-dn" value="OU=CORP Users,DC=domain,DC=com" description="null"></property>
    <property name="search-filter" value="(&(objectCategory=user)(sAMAccountName=%s))"></property>
    <property name="group-base-dn" value="OU=CORP Groups,DC=domain,DC=com"></property>
    <property name="group-search-filter" value="(&(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-dn" value="[email protected]"></property>
    <property name="search-bind-password" value="password"></property>
</auth-realm>

I hope this can help anybody to configure ldapRealm. Thanks!

Attached glassfish log :

FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com  filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found:  Application Administrators
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.
回复 原文
征﹌骨岁月お 2025-01-03 08:37:19

搜索过滤器中的 objectClass=Group,而不是 objectCategory=group

objectClass=Group, not objectCategory=group in your search filter.

回复 原文
~没有更多了~

关于作者

内心激荡

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

alipaysp_snBf0MSZIv

文章 0 评论 0

梦断已成空

文章 0 评论 0

瞎闹

文章 0 评论 0

凯凯我们等你回来

文章 0 评论 0

寄意

文章 0 评论 0

似梦非梦

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文