Dav*_*lla 11 spring-security spring-security-ldap
这里有一个spring-security示例ldap-xml,它运行ldap服务器并导入LDIF文件以进行测试:
[...]
<s:ldap-server ldif="classpath:users.ldif" port="33389"/>
<s:authentication-manager>
<s:ldap-authentication-provider
group-search-filter="member={0}"
group-search-base="ou=groups"
user-search-base="ou=people"
user-search-filter="uid={0}"
/>
<s:authentication-provider ref='secondLdapProvider' />
</s:authentication-manager>
[...]
[...]
dn: uid=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Rod Johnson
sn: Johnson
uid: rod
userPassword: koala
[...]
我需要修改这个工作示例,其中user-search-criteria基于sAMAccountName而不是uid.我修改users.ldif如下:
[...]
dn: cn=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Rod Johnson
sn: Johnson
sAMAccountName: rod
userPassword: koala
[...]
但是,在导入users时,apached会显示警告.ldif:
OID for name 'samaccountname' was not found within the OID registry
似乎我需要通过修改LDAP模式来添加这个新属性sAMAccountName.如何在ldap-xml示例中执行此操作?
在这个要点示例中,他们使用"changetype:add"修改架构.但是在users.ldif中添加此项会导致错误We cannot have entries when reading a file which already contains changes.在gist示例中,他们提到更新运行该ldifde命令的模式.我应该如何修改ldap-xml项目来执行此操作?
我需要如何修改ldap-xml项目,以便我的users.ldif可以包含sAMAccountName属性?
Kar*_*ski 11
在users.ldif文件的开头添加以下(它是包含sAMAccountName的Microsoft模式的最小片段):
dn: cn=microsoft, ou=schema
objectclass: metaSchema
objectclass: top
cn: microsoft
dn: ou=attributetypes, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: attributetypes
dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.4.221
m-name: sAMAccountName
m-equality: caseIgnoreMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-singleValue: TRUE
dn: ou=objectclasses, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: objectClasses
dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
objectclass: metaObjectClass
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.5.6
m-name: securityPrincipal
m-supObjectClass: top
m-typeObjectClass: AUXILIARY
m-must: sAMAccountName
[rest of users.ldif]
现在将新的objectClass添加到人员条目:
[...]
dn: cn=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: securityPrincipal <--- new objectClass
cn: Rod Johnson
sn: Johnson
sAMAccountName: rod
userPassword: koala
[...]
有新的条目是不够的.Spring Security中的ApacheDS配置已禁用模式拦截器,因此默认情况下不会创建新的模式条目.我们可以通过创建修复此问题的BeanPostProcessor来打开它:
package com.example.test.spring;
import java.util.List;
import org.apache.directory.server.core.interceptor.Interceptor;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.ldap.server.ApacheDSContainer;
import static org.springframework.util.CollectionUtils.isEmpty;
public class ApacheDSContainerConfigurer implements BeanPostProcessor {
private List<Interceptor> interceptors;
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
if (bean instanceof ApacheDSContainer){
ApacheDSContainer dsContainer = ((ApacheDSContainer) bean);
setInterceptorsIfPresent(dsContainer);
}
return bean;
}
private void setInterceptorsIfPresent(ApacheDSContainer container) {
if (!isEmpty(interceptors)) {
container.getService().setInterceptors(interceptors);
}
}
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
return bean;
}
public void setInterceptors(List<Interceptor> interceptors) {
this.interceptors = interceptors;
}
}
我们必须在应用程序上下文中注册和配置bean:
<bean class="com.example.test.spring.ApacheDSContainerConfigurer">
<property name="interceptors">
<list>
<bean class="org.apache.directory.server.core.normalization.NormalizationInterceptor"/>
<bean class="org.apache.directory.server.core.authn.AuthenticationInterceptor"/>
<bean class="org.apache.directory.server.core.referral.ReferralInterceptor"/>
<!--<bean class="org.apache.directory.server.core.authz.AciAuthorizationInterceptor"/>-->
<!--<bean class="org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor"/>-->
<bean class="org.apache.directory.server.core.exception.ExceptionInterceptor"/>
<!--<bean class="org.apache.directory.server.core.changelog.ChangeLogInterceptor"/>-->
<bean class="org.apache.directory.server.core.operational.OperationalAttributeInterceptor"/>
<bean class="org.apache.directory.server.core.schema.SchemaInterceptor"/>
<bean class="org.apache.directory.server.core.subtree.SubentryInterceptor"/>
<!--<bean class="org.apache.directory.server.core.collective.CollectiveAttributeInterceptor"/>-->
<!--<bean class="org.apache.directory.server.core.event.EventInterceptor"/>-->
<!--<bean class="org.apache.directory.server.core.trigger.TriggerInterceptor"/>-->
<!--<bean class="org.apache.directory.server.core.journal.JournalInterceptor"/>-->
</list>
</property>
</bean>
它现在应该工作了.
| 归档时间: |
|
| 查看次数: |
5192 次 |
| 最近记录: |