Looking up certificates with LdapTemplate
Our organization stores its signing certificates in Active Directory. We search for them with an anonymous bind on a base DN (for example OU=MY ORG,dc=mydc,dc=org). I have been trying to use Spring's LdapTemplate to look them up, but whatever method I use I get a cryptic InterruptedNamingException.
Assume the certificate subject is cn=mycert.myorg.com
My code looks like this:
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

// LDAP_URL_FORMAT, ldapCertStoreParameters and x509CertSelector are defined elsewhere in my code
LdapContextSource contextSource = new LdapContextSource();
contextSource.setUrl(String.format(LDAP_URL_FORMAT, ldapCertStoreParameters.getServerName(),
        ldapCertStoreParameters.getPort()));
contextSource.setBase(ldapCertStoreParameters.getBaseDn());   // e.g. OU=MY ORG,dc=mydc,dc=org
contextSource.setAnonymousReadOnly(true);                     // anonymous bind
contextSource.afterPropertiesSet();
LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
ldapTemplate.setIgnorePartialResultException(true);
ldapTemplate.afterPropertiesSet();
X500Principal principal = x509CertSelector.getSubject();
// principal.getName() is the full DN, including the base
Object obj = ldapTemplate.lookup(new LdapName(principal.getName()));
The X500Principal's name is the whole DN: cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org
I have also tried searching by cn only.
We have verified with Apache Directory Studio that the DN exists on the server.
• I would suggest that you remove the call altogether or set the 'userSearchBase' to an empty String ("") as in the example given in the community thread below: -
Configure Spring security for Ldap connection
As in the 'AbstractContextSource', set the base suffix from which all operations should originate. If a base suffix is set, you will not have to (and, indeed, must not) specify the full distinguished names in any operations performed. Since you specified the full DN for the userDN/filter, you must not specify the base.
AD servers are apparently unable to handle referrals automatically, which causes a 'PartialResultException' to be thrown whenever a referral is encountered in a search. To avoid this, set the 'ignorePartialResultException' property to true. There is currently no way of manually handling these referrals in the form of 'ReferralException', i.e., either you get the exception (and your results are lost) or all referrals are ignored (if the server is unable to handle them properly). Neither is there any simple way to get notified that a 'PartialResultException' has been ignored.
For more details regarding the LdapTemplate search for certificates stored in Active Directory, kindly refer to the link below: -
https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/core/LdapTemplate.html
• Also, please refer to the documentation below for configuring a Spring Boot LdapTemplate with certificates stored in Active Directory: -
https://www.baeldung.com/x-509-authentication-in-spring-security
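The following is an added example, not code from the question or the answer above, showing the point the answer makes: once a base DN is set on the LdapContextSource, the lookup must use a DN relative to that base (cn=mycert.myorg.com), not the full DN from the X500Principal. It reads the userCertificate attribute, decodes it with CertificateFactory, and keeps only certificates that the caller's X509CertSelector actually matches, so a directory entry with the right name but a different certificate is not silently accepted. The LDAP URL, the base DN and the class name AdCertificateLookup are placeholders assumed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapName;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.support.LdapNameBuilder;

// Hypothetical helper class (assumption for this example), not part of Spring LDAP.
public class AdCertificateLookup {

    private final LdapTemplate ldapTemplate;

    public AdCertificateLookup(String url, String baseDn) throws Exception {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);          // placeholder, e.g. ldap://mydc.org:389
        contextSource.setBase(baseDn);      // e.g. OU=MY ORG,dc=mydc,dc=org
        contextSource.setAnonymousReadOnly(true);
        contextSource.afterPropertiesSet();

        LdapTemplate template = new LdapTemplate(contextSource);
        // AD returns referrals it cannot chase; without this a PartialResultException
        // would abort the search (see the answer above).
        template.setIgnorePartialResultException(true);
        template.afterPropertiesSet();
        this.ldapTemplate = template;
    }

    /** Lookup by a DN relative to the configured base: "cn=...", never the full DN. */
    public List<X509Certificate> findByCn(String cn) {
        LdapName relativeDn = LdapNameBuilder.newInstance().add("cn", cn).build();
        return ldapTemplate.lookup(relativeDn,
                new String[] {"userCertificate;binary", "userCertificate"},
                new CertificateAttributesMapper());
    }

    /** Same lookup, but only return certificates the selector (subject, issuer, ...) matches. */
    public List<X509Certificate> findMatching(X509CertSelector selector, String cn) {
        List<X509Certificate> matching = new ArrayList<>();
        for (X509Certificate cert : findByCn(cn)) {
            if (selector.match(cert)) {
                matching.add(cert);
            }
        }
        return matching;
    }

    /** Decodes every DER value of the userCertificate attribute into an X509Certificate. */
    static class CertificateAttributesMapper implements AttributesMapper<List<X509Certificate>> {
        @Override
        public List<X509Certificate> mapFromAttributes(Attributes attrs) throws NamingException {
            Attribute attr = attrs.get("userCertificate;binary");
            if (attr == null) {
                attr = attrs.get("userCertificate");
            }
            List<X509Certificate> certs = new ArrayList<>();
            if (attr == null) {
                return certs;   // entry exists but carries no certificate
            }
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                for (int i = 0; i < attr.size(); i++) {
                    Object value = attr.get(i);
                    if (!(value instanceof byte[])) {
                        continue;   // JNDI hands userCertificate back as DER bytes
                    }
                    certs.add((X509Certificate) cf.generateCertificate(
                            new ByteArrayInputStream((byte[]) value)));
                }
            } catch (CertificateException e) {
                throw new NamingException("userCertificate is not DER-encoded X.509: " + e.getMessage());
            }
            return certs;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder connection values; replace with your own directory.
        AdCertificateLookup lookup =
                new AdCertificateLookup("ldap://mydc.org:389", "OU=MY ORG,dc=mydc,dc=org");
        X509CertSelector selector = new X509CertSelector();
        selector.setSubject("cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org");
        for (X509Certificate cert : lookup.findMatching(selector, "mycert.myorg.com")) {
            cert.checkValidity();   // throws if the stored certificate is expired or not yet valid
            System.out.println(cert.getSubjectX500Principal() + " issued by " + cert.getIssuerX500Principal());
        }
    }
}
```

The mapper asks for both userCertificate;binary and userCertificate because directories differ in which name they return. Matching the decoded certificate against the selector, rather than trusting the entry name alone, is the check that prevents an unrelated certificate under the expected cn from being used for signature verification.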