Glassfish 3.1 ldapRealm ActiveDirectory group membership
I'm trying to implement ldapRealm on Glassfish 3.1. I can log in fine with the following configuration; however, I haven't been able to get AD's group membership correctly. I followed group memberships in (AD) ldap Realm to include `group-search-filter`, but it is still not working.
Here's my web.xml:
```xml
<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="ldap://domain.com:389"></property>
  <!-- in the XML file the filter's leading & must be written &amp; ; %s is replaced by the login name -->
  <property name="search-filter" value="(&amp;(objectCategory=user)(sAMAccountName=%s))"></property>
  <property name="search-bind-dn" value="[email protected]"></property>
  <property description="null" name="base-dn" value="OU=CORP Users,DC=domain,DC=com"></property>
  <!-- %d is replaced by the DN found for the user -->
  <property name="group-search-filter" value="(&amp;(objectCategory=group)(member=%d))"></property>
  <property name="search-bind-password" value="password"></property>
  <property name="jaas-context" value="ldapRealm"></property>
</auth-realm>
```
I also added the following option under server-config > JVM:
```text
-Djava.naming.referral=follow
```
Glassfish's log entry:
```text
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /j_security_check POST)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [kip] into realm: ADREALM using JAAS module: ldapRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule
FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found:
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : kip
FINE: Set security context as user: kip
```
Notice that `Group memberships found` is empty. Please let me know if more information is needed.
Comments (2)
Over the weekend, I figured out what was wrong with my ldapRealm configuration. Since I set my base-dn to the users OU branch and the group information is on a different OU branch, glassfish couldn't find my groups' DN (too restrictive; also mentioned by one of SO's questions). In order to get `group-search-filter` to work, I had to add an additional property to ldapRealm, which is `group-base-dn`, for group data retrieval. So, unless I set my `base-dn` to the basic `DC=domain,DC=com`, I have to include the `group-base-dn` property. Here's my final ldapRealm configuration:

I hope this can help anybody to configure ldapRealm. Thanks!

Attached glassfish log:
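To make the scoping problem concrete, here is an added example (not from this answer, the question or GlassFish) that models the realm's two searches over a small constructed in-memory directory; the DNs, user names and group names are constructed, and the fallback from `group-base-dn` to `base-dn` is the behaviour the answer describes.

```python
# Added example (not from the question, the answer or GlassFish): a tiny
# in-memory model of the two searches LDAPRealm performs, to show why a
# base-dn scoped to the users OU returns no groups that live in a sibling OU.
# Entries, DNs and group names below are constructed for this example.
USER_DN = "CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com"
OTHER_DN = "CN=Someone,OU=Finance,OU=CORP Users,DC=domain,DC=com"
DIRECTORY = {
    USER_DN: {"objectCategory": "user", "sAMAccountName": "kip"},
    OTHER_DN: {"objectCategory": "user", "sAMAccountName": "someone"},
    "CN=WebAdmins,OU=Groups,DC=domain,DC=com": {
        "objectCategory": "group", "member": [USER_DN, OTHER_DN]},
    "CN=Finance,OU=Groups,DC=domain,DC=com": {
        "objectCategory": "group", "member": [OTHER_DN]},
}


def in_subtree(dn, base_dn):
    """LDAP subtree scope: only entries at or below the search base are candidates."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user_dn(base_dn, username):
    """search-filter (&(objectCategory=user)(sAMAccountName=%s)), %s = login name."""
    for dn, attrs in DIRECTORY.items():
        if (in_subtree(dn, base_dn) and attrs.get("objectCategory") == "user"
                and attrs.get("sAMAccountName") == username):
            return dn
    return None


def find_groups(group_base_dn, user_dn):
    """group-search-filter (&(objectCategory=group)(member=%d)), %d = user DN."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_subtree(dn, group_base_dn)
                  and attrs.get("objectCategory") == "group"
                  and user_dn in attrs.get("member", []))


def realm_login(base_dn, username, group_base_dn=None):
    """Mimic the realm: the group search runs under group-base-dn if set, else base-dn."""
    user_dn = find_user_dn(base_dn, username)
    if user_dn is None:
        return None
    return user_dn, find_groups(group_base_dn or base_dn, user_dn)
```

Calling `realm_login("OU=CORP Users,DC=domain,DC=com", "kip")` reproduces the empty membership from the log, while passing `"OU=Groups,DC=domain,DC=com"` as the group base, or widening the base to `DC=domain,DC=com`, returns the group. Real AD adds one wrinkle this model leaves out: a user's primary group (usually Domain Users) is not listed in `member`, so it never appears through a member-based group filter.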
`objectClass=Group`, not `objectCategory=group`, in your search filter.