How to go deep into the LDAP tree to find a user who can authenticate in Spring LDAP security

Submitted by 社会主义新天地 on 2020-01-06 06:27:40

Question


I want to use Spring Security LDAP authentication. However, I would like to traverse the LDAP tree recursively. Unfortunately, I can only find a user at one level of depth.

For example, my user tree looks like this:

ouUsers: has users (user1, user2 etc) and subtrees (ouGenel, ouYatay).

And subtrees have subtrees and users.

I would like to traverse the ldap tree recursively to authenticate in spring security project.

My Spring authentication code is below; what should I change in it?

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                // The login name is substituted for {0}; only this exact DN is tried
                .userDnPatterns("CN={0},OU=ouUsers")
                .groupSearchBase("ou=ouUsers")
                .contextSource()
                // base DN from the URL is appended to the DN pattern above
                .url(url + "/" + base)
                .managerDn(dn)
                .managerPassword(password)
                .and()
                // password-compare mode: the submitted password is hashed and
                // compared with the named attribute of the user entry
                .passwordCompare()
                .passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("sn");
    }

Thank you


Answer 1:


You need to use userSearchFilter() and userSearchBase() instead of userDnPatterns().

  • userDnPatterns tries to match a DN by substituting the user login name in the supplied pattern, appending the base from the LDAP url.

    This is OK if all your users are stored under a single node in the directory.

  • userSearchFilter() on the other hand can be used to match the login name in a regular request, searching down the tree (default SearchScope =SUBTREE) under a certain base. userSearchBase() can optionally be used to set a branch rdn where user entries are located and from which to perform the search. If not specified, the search includes the entire directory starting from the base dn of the LDAP url.

Replacing userDnPatterns() with the following should be OK (Java string literals use double quotes):

.userSearchBase("ou=ouUsers")
.userSearchFilter("(cn={0})")

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/ldap.html#d0e5940
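To make the difference between the two lookup strategies concrete, here is an added example that is not code from the question, the answer, or Spring Security itself. It simulates, in Python, how a DN pattern resolves a login (one exact DN, nothing below it is visited) versus how a filter search under a base walks the whole subtree, using a constructed in-memory directory shaped like the one in the question. The base DN dc=example,dc=com, the extra entries (a duplicated cn in two subtrees and an admin outside ou=ouUsers), the passwords, and the use of userPassword rather than the question's sn as the compared attribute are all assumptions. It also shows the two checks a practitioner wants around a subtree search: the login is filter-escaped per RFC 4515 before substitution (as JNDI does for filter arguments), so a crafted login cannot widen the filter, and authentication is refused when the filter matches more than one entry, since a cn that is unique at one level need not be unique across the tree.

```python
"""Simulated LDAP user lookup: DN pattern vs. subtree filter search.

Added example, not code from the original post or from Spring Security.
A small in-memory dict stands in for the directory server.
"""
import base64
import hashlib
import hmac
import re


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around the RDN separators.
    (Escaped commas inside RDN values are not handled in this toy.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def ldap_sha(password: str) -> str:
    """Unsalted {SHA} form, the scheme LdapShaPasswordEncoder compares against."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def filter_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value before it enters a filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


BASE = "dc=example,dc=com"  # assumed base DN from the LDAP URL

# Constructed sample directory: users directly under ou=ouUsers plus the
# nested ou=ouGenel / ou=ouYatay subtrees described in the question.
DIRECTORY = {
    "cn=user1,ou=ouUsers,dc=example,dc=com": {"cn": "user1", "userPassword": ldap_sha("user1pw")},
    "cn=user2,ou=ouUsers,dc=example,dc=com": {"cn": "user2", "userPassword": ldap_sha("user2pw")},
    "cn=user3,ou=ouGenel,ou=ouUsers,dc=example,dc=com": {"cn": "user3", "userPassword": ldap_sha("user3pw")},
    "cn=user4,ou=ouAlt,ou=ouYatay,ou=ouUsers,dc=example,dc=com": {"cn": "user4", "userPassword": ldap_sha("user4pw")},
    # Same cn in two subtrees: a subtree search for it is ambiguous.
    "cn=shared,ou=ouGenel,ou=ouUsers,dc=example,dc=com": {"cn": "shared", "userPassword": ldap_sha("pw-a")},
    "cn=shared,ou=ouYatay,ou=ouUsers,dc=example,dc=com": {"cn": "shared", "userPassword": ldap_sha("pw-b")},
    # Outside ou=ouUsers: must never be reachable through the user search.
    "cn=admin,ou=ouAdmins,dc=example,dc=com": {"cn": "admin", "userPassword": ldap_sha("adminpw")},
}


def find_by_dn_pattern(directory, base, pattern, login):
    """userDnPatterns(): substitute the login into the pattern, append the URL
    base, and look up that single DN. Entries in sub-OUs are never reached."""
    wanted = normalize_dn(pattern.replace("{0}", login) + "," + base)
    for dn in directory:
        if normalize_dn(dn) == wanted:
            return dn
    return None


def _assertion_regex(value: str) -> str:
    """Turn a filter assertion value into a regex: an unescaped '*' is a
    wildcard, an escaped byte (\\2a etc.) is a literal character."""
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|.", value):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return "".join(parts)


def search_raw(directory, search_base, filt, scope="SUBTREE"):
    """Evaluate one equality filter such as "(cn=user1)" under search_base
    with SUBTREE or ONELEVEL scope; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr, pattern = m.group(1).lower(), _assertion_regex(m.group(2))
    root = normalize_dn(search_base)
    hits = []
    for dn, entry in directory.items():
        ndn = normalize_dn(dn)
        in_subtree = ndn == root or ndn.endswith("," + root)
        one_level = "," in ndn and ndn.split(",", 1)[1] == root
        if (scope == "SUBTREE" and not in_subtree) or (scope == "ONELEVEL" and not one_level):
            continue
        value = entry.get(attr)
        if value is not None and re.fullmatch(pattern, value, re.IGNORECASE):
            hits.append(dn)
    return hits


def search_user(directory, base, search_base, filter_template, login, scope="SUBTREE"):
    """userSearchBase()/userSearchFilter(): the login is filter-escaped and
    substituted for {0}, then searched under search_base (relative to the URL
    base), SUBTREE by default."""
    root = f"{search_base},{base}" if search_base else base
    return search_raw(directory, root, filter_template.replace("{0}", filter_escape(login)), scope)


def authenticate(directory, base, login, password, search_base="ou=ouUsers",
                 filter_template="(cn={0})", password_attr="userPassword"):
    """Password-compare check; exactly one entry must match the search."""
    matches = search_user(directory, base, search_base, filter_template, login)
    if len(matches) != 1:
        return None  # unknown login, or ambiguous cn across subtrees: refuse rather than guess
    dn = matches[0]
    stored = directory[dn].get(password_attr, "")
    return dn if hmac.compare_digest(stored, ldap_sha(password)) else None


if __name__ == "__main__":
    print(find_by_dn_pattern(DIRECTORY, BASE, "cn={0},ou=ouUsers", "user3"))      # None: nested
    print(search_user(DIRECTORY, BASE, "ou=ouUsers", "(cn={0})", "user3"))        # found by subtree search
    print(authenticate(DIRECTORY, BASE, "user4", "user4pw"))                      # two levels down
    print(authenticate(DIRECTORY, BASE, "shared", "pw-a"))                        # None: ambiguous
    print(search_user(DIRECTORY, BASE, "ou=ouUsers", "(cn={0})", "*"))            # []: wildcard escaped
```

Run it as a script to see the five cases. The escaping matters because `search_raw` with a literal `(cn=*)` matches every user under ou=ouUsers, which is exactly what a login of `*` would do if it were pasted into the filter unescaped; with a real server the same applies to `)(cn=admin` style payloads. The ambiguity check is the reason to prefer an attribute that is unique across the whole directory (uid, sAMAccountName) over cn when searching with SUBTREE scope.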



Source: https://stackoverflow.com/questions/56830804/how-to-deep-into-the-ldap-tree-to-find-a-user-who-can-authenticate-in-spring-lda
