Hope you're still looking for this. It sounds like a big step in the right direction is BindAuthenticator. You will have to change the authorities populator so that it does not use the security context source. I believe the default populator uses a connection pool with the appropriate admin account.
Here is an example setup with BindAuthenticator and a custom AuthoritiesPopulator.
<bean id="authPopulator" class="org.springframework.security.ldap.populator.CustomLdapAuthoritiesPopulator">
    <constructor-arg ref="securityContextSource"/>
    <constructor-arg value="ou=Roles,o=data"/>
    <property name="groupRoleAttribute" value="resourceGroupType"/>
    <property name="groupSearchFilter" value="member={0}" />
</bean>
<bean id="ldap-authentication-provider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider" >
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="securityContextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>cn={0},ou=users,o=system</value>
                    <value>cn={0},ou=users,o=xyz</value>
                    <value>cn={0},ou=users,ou=external,o=xyz</value>
                </list>
            </property>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg ref="authPopulator"/>
    <s:custom-authentication-provider />
</bean>
Here is my context source definition:
<bean id="securityContextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://192.168.254.254:389"/>
    <property name="userDn" value="cn=admin,ou=users,o=xyz"/>
    <property name="password" value="password"/>
</bean>
I decided to test the context source without a username or password, and it seems to partially work. Here is my log output.
[java] - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER
[java] - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@79107ad5: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@3d1a70a7: Username: internalUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: a2a3a505521919d529e75c6d14081f6b; Granted Authorities: ROLE_USER'
I didn't get any errors, but it didn't populate all the roles. This could be an eDirectory permissions issue, or you may have to create your own authorities populator. The populator does get passed the user dirContext.
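An added example, not part of the answer above or of Spring Security itself: a minimal custom populator for the Spring Security 2.0 API used in that config which reads the roles from the user's own entry (the DirContextOperations that BindAuthenticator hands over after the user's bind), so no admin-bound context source is needed for authorities at all. It assumes the user entry carries a back-link attribute listing its group DNs (eDirectory's "groupMembership" is assumed here) and that the group's cn is what you want as the role name; the class and constructor arguments are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.ldap.LdapAuthoritiesPopulator;

/**
 * Builds authorities from a multi-valued attribute on the authenticated user's
 * entry instead of running a group search with the admin context source.
 * Only attributes the user is allowed to read on its own entry are visible
 * here; if the directory ACLs hide the back-link, no roles are granted.
 */
public class EntryAttributeAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final String membershipAttribute; // assumed: "groupMembership" (eDirectory)
    private final String rolePrefix;          // e.g. "ROLE_"

    public EntryAttributeAuthoritiesPopulator(String membershipAttribute, String rolePrefix) {
        this.membershipAttribute = membershipAttribute;
        this.rolePrefix = rolePrefix;
    }

    public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
        String[] groupDns = userData.getStringAttributes(membershipAttribute);
        if (groupDns == null) {
            // Attribute absent or unreadable with the user's own bind: login still
            // succeeds, but with no roles (same as an empty group search result).
            return new GrantedAuthority[0];
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String dn : groupDns) {
            String cn = leadingCnValue(dn);
            if (cn != null) {
                authorities.add(new GrantedAuthorityImpl(rolePrefix + cn.toUpperCase()));
            }
        }
        return authorities.toArray(new GrantedAuthority[authorities.size()]);
    }

    /** "cn=Admins,ou=Roles,o=data" -> "Admins"; null if the leading RDN is not cn. */
    static String leadingCnValue(String dn) {
        int eq = dn.indexOf('=');
        int comma = dn.indexOf(',');
        if (eq < 0 || !dn.substring(0, eq).trim().equalsIgnoreCase("cn")) return null;
        return (comma < 0 ? dn.substring(eq + 1) : dn.substring(eq + 1, comma)).trim();
    }
}
```

Wire it in place of the `authPopulator` bean above with two constructor-arg values ("groupMembership" and "ROLE_"); the `securityContextSource` reference is then only needed by BindAuthenticator to open the user's own connection.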