【问题标题】:Java AD Authentication across Trusted Domains跨可信域的 Java AD 身份验证
【发布时间】:2012-10-29 15:26:04
【问题描述】:

我正在尝试在 Java 中实现 Active Directory 身份验证,该身份验证将在 Linux 机器上运行。我们的 AD 设置将包含多个彼此共享信任关系的服务器,因此对于我们的测试环境,我们有两个域控制器:

test1.ad1.foo.com谁信任test2.ad2.bar.com

使用下面的代码,我可以成功地验证来自 test1 的用户,但不能成功地验证来自 test2 的用户:

public class ADDetailsProvider implements ResultSetProvider {
private String domain;
private String user;
private String password;

public ADDetailsProvider(String user, String password) {
    //extract domain name
    if (user.contains("\\")) {
        this.user = user.substring((user.lastIndexOf("\\") + 1), user.length());
        this.domain = user.substring(0, user.lastIndexOf("\\"));
    } else {
        this.user = user;
        this.domain = "";
    }

    this.password    = password;
}

    /* Test from the command line */
public static void main (String[] argv) throws SQLException {
    ResultSetProvider res = processADLogin(argv[0], argv[1]);
    ResultSet results = null;
    res.assignRowValues(results, 0);
    System.out.println(argv[0] + " " + argv[1]);
}


public boolean assignRowValues(ResultSet results, int currentRow)
    throws SQLException
{
    // Only want a single row
    if (currentRow >= 1) return false;

    try {
        ADAuthenticator adAuth = new ADAuthenticator();
        LdapContext ldapCtx = adAuth.authenticate(this.domain, this.user, this.password);
        NamingEnumeration userDetails = adAuth.getUserDetails(ldapCtx, this.user);

        // Fill the result set (throws SQLException).
        while (userDetails.hasMoreElements()) {
            Attribute attr = (Attribute)userDetails.next();
            results.updateString(attr.getID(), attr.get().toString());
        }

        results.updateInt("authenticated", 1);
        return true;

    } catch (FileNotFoundException fnf) {
        Logger.getAnonymousLogger().log(Level.WARNING,
           "Caught File Not Found Exception trying to read cris_authentication.properties");

        results.updateInt("authenticated", 0);
        return false;

    } catch (IOException ioe) {
        Logger.getAnonymousLogger().log(Level.WARNING,
            "Caught IO Excpetion processing login");

        results.updateInt("authenticated", 0);
        return false;

    } catch (AuthenticationException aex) {
        Logger.getAnonymousLogger().log(Level.WARNING,
           "Caught Authentication Exception attempting to bind to LDAP for [{0}]",
           this.user);

        results.updateInt("authenticated", 0);
        return true;

    } catch (NamingException ne) {
        Logger.getAnonymousLogger().log(Level.WARNING,
           "Caught Naming Exception performing user search or LDAP bind for [{0}]",
           this.user);
        results.updateInt("authenticated", 0);
        return true;
    }
}

public void close() {
    // nothing needed here
}

/**
 * This method is called via a Postgres function binding to access the
 * functionality provided by this class.
 */
public static ResultSetProvider processADLogin(String user, String password) {
    return new ADDetailsProvider(user, password);
}
}

public class ADAuthenticator {

public ADAuthenticator()
    throws FileNotFoundException, IOException {
    Properties props = new Properties();
    InputStream inStream = this.getClass().getClassLoader().
       getResourceAsStream("com/bar/foo/ad/authentication.properties");

    props.load(inStream);
    this.domain                = props.getProperty("ldap.domain");
    inStream.close();
}

public LdapContext authenticate(String domain, String user, String pass)
   throws AuthenticationException, NamingException, IOException {
    Hashtable env = new Hashtable();
    this.domain = domain;

    env.put(Context.INITIAL_CONTEXT_FACTORY, com.sun.jndi.ldap.LdapCtxFactory);
    env.put(Context.PROVIDER_URL, "ldap://" + test1.ad1.foo.com + ":" + 3268);
    env.put(Context.SECURITY_AUTHENTICATION, simple);
    env.put(Context.REFERRAL, follow);

    env.put(Context.SECURITY_PRINCIPAL, (domain + "\\" + user));
    env.put(Context.SECURITY_CREDENTIALS, pass);

    // Bind using specified username and password
    LdapContext ldapCtx = new InitialLdapContext(env, null);
    return ldapCtx;
}

public NamingEnumeration getUserDetails(LdapContext ldapCtx, String user)
   throws NamingException {
    // List of attributes to return from LDAP query
    String returnAttributes[] = {"ou", "sAMAccountName", "givenName", "sn", "memberOf"};

    //Create the search controls
    SearchControls searchCtls = new SearchControls();
    searchCtls.setReturningAttributes(returnAttributes);

    //Specify the search scope
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

    // Specify the user to search against
    String searchFilter = "(&(objectClass=*)(sAMAccountName=" + user + "))";

    //Perform the search
    NamingEnumeration answer = ldapCtx.search("dc=dev4,dc=dbt,dc=ukhealth,dc=local", searchFilter, searchCtls);

    // Only care about the first tuple
    Attributes userAttributes = ((SearchResult)answer.next()).getAttributes();
    if (userAttributes.size() <= 0) throw new NamingException();

    return (NamingEnumeration) userAttributes.getAll();
}

根据我对信任关系的了解,如果trust1 收到trust2 中用户的登录尝试,那么它应该将登录尝试转发给它,并从用户的域名中解决这个问题。

这是正确的还是我遗漏了什么或者使用上述方法不可能?

--编辑--
来自 LDAP 绑定的堆栈跟踪是 {java.naming.provider.url=ldap://test1.ad1.foo.com:3268, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.authentication=simple, java.naming.referral=follow} 30-Oct-2012 13:16:02
ADDetailsProvider assignRowValues WARNING: Caught Authentication Exception attempting to bind to LDAP for [trusttest] Auth error is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]

【问题讨论】:

    标签: java active-directory ldap


    【解决方案1】:

    据我所知,您应该将 Context.REFERRAL 设置为 true。
    这是您在代码中的意思吗?
    另外,当我切换到 GSSAPI/Kerberos 时,
    我定义了 kerberos 领域之间的信任关系,它对我有用。

    【讨论】:

    • 我会通过查看本指南 link 设置要遵循的方法我确实尝试设置为 true 但这会引发命名异常。感谢您的回复!
    • 将推荐方法设置为 true 的堆栈宽限是 javax.naming.NoInitialContextException: Failed to create InitialContext using factory specified in hashtable [Root exception is java.lang.IllegalArgumentException: Illegal value for java.naming.referral property.] 谢谢。
    猜你喜欢
    • 2011-06-30
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2012-05-24
    • 1970-01-01
    • 2012-03-10
    • 2019-02-25
    • 2017-08-22
    相关资源
    最近更新 更多