java ad 认证_跨受信任域的Java AD身份验证

最新推荐文章于 2024-04-17 13:17:57 发布

WEYSUV

最新推荐文章于 2024-04-17 13:17:57 发布

阅读量499

点赞数

文章标签： java ad 认证

本文链接：https://blog.csdn.net/weixin_28677005/article/details/114181475

版权

在Java中实现在Linux上与Active Directory（AD）进行身份验证，特别是涉及跨多个互信域的情况。目前代码能够成功验证属于test1.ad1.foo.com域的用户，但在test2.ad2.bar.com域上验证失败。问题可能是由于对AD信任关系的理解不准确，或者使用的身份验证方法不支持跨域。堆栈跟踪显示了Authentication Exception，错误代码为49，可能需要检查配置和域间信任设置。

摘要由CSDN通过智能技术生成

我正在尝试在Java中实现Active Directory身份验证，该身份验证将从Linux机器运行 . 我们的AD设置将包含多个彼此共享信任关系的服务器，因此对于我们的测试环境，我们有两个域控制器：

test1.ad1.foo.com 谁信任 test2.ad2.bar.com .

使用下面的代码，我可以从 test1 成功验证用户，但不能在 test2 上验证：

public class ADDetailsProvider implements ResultSetProvider {

private String domain;

private String user;

private String password;

public ADDetailsProvider(String user, String password) {

//extract domain name

if (user.contains("\\")) {

this.user = user.substring((user.lastIndexOf("\\") + 1), user.length());

this.domain = user.substring(0, user.lastIndexOf("\\"));

} else {

this.user = user;

this.domain = "";

}

this.password = password;

}

/* Test from the command line */

public static void main (String[] argv) throws SQLException {

ResultSetProvider res = processADLogin(argv[0], argv[1]);

ResultSet results = null;

res.assignRowValues(results, 0);

System.out.println(argv[0] + " " + argv[1]);

}

public boolean assignRowValues(ResultSet results, int currentRow)

throws SQLException

{

// Only want a single row

if (currentRow >= 1) return false;

try {

ADAuthenticator adAuth = new ADAuthenticator();

LdapContext ldapCtx = adAuth.authenticate(this.domain, this.user, this.password);

NamingEnumeration userDetails = adAuth.getUserDetails(ldapCtx, this.user);

// Fill the result set (throws SQLException).

while (userDetails.hasMoreElements()) {

Attribute attr = (Attribute)userDetails.next();

results.updateString(attr.getID(), attr.get().toString());

}

results.updateInt("authenticated", 1);

return true;

} catch (FileNotFoundException fnf) {

Logger.getAnonymousLogger().log(Level.WARNING,

"Caught File Not Found Exception trying to read cris_authentication.properties");

results.updateInt("authenticated", 0);

return false;

} catch (IOException ioe) {

Logger.getAnonymousLogger().log(Level.WARNING,

"Caught IO Excpetion processing login");

results.updateInt("authenticated", 0);

return false;

} catch (AuthenticationException aex) {

Logger.getAnonymousLogger().log(Level.WARNING,

"Caught Authentication Exception attempting to bind to LDAP for [{0}]",

this.user);

results.updateInt("authenticated", 0);

return true;

} catch (NamingException ne) {

Logger.getAnonymousLogger().log(Level.WARNING,

"Caught Naming Exception performing user search or LDAP bind for [{0}]",

this.user);

results.updateInt("authenticated", 0);

return true;

}

public void close() {

// nothing needed here

}

/**

* This method is called via a Postgres function binding to access the

* functionality provided by this class.

public static ResultSetProvider processADLogin(String user, String password) {

return new ADDetailsProvider(user, password);

}

public class ADAuthenticator {

public ADAuthenticator()

throws FileNotFoundException, IOException {

Properties props = new Properties();

InputStream inStream = this.getClass().getClassLoader().

getResourceAsStream("com/bar/foo/ad/authentication.properties");

props.load(inStream);

this.domain = props.getProperty("ldap.domain");

inStream.close();

}

public LdapContext authenticate(String domain, String user, String pass)

throws AuthenticationException, NamingException, IOException {

Hashtable env = new Hashtable();

this.domain = domain;

env.put(Context.INITIAL_CONTEXT_FACTORY, com.sun.jndi.ldap.LdapCtxFactory);

env.put(Context.PROVIDER_URL, "ldap://" + test1.ad1.foo.com + ":" + 3268);

env.put(Context.SECURITY_AUTHENTICATION, simple);

env.put(Context.REFERRAL, follow);

env.put(Context.SECURITY_PRINCIPAL, (domain + "\\" + user));

env.put(Context.SECURITY_CREDENTIALS, pass);

// Bind using specified username and password

LdapContext ldapCtx = new InitialLdapContext(env, null);

return ldapCtx;

}

public NamingEnumeration getUserDetails(LdapContext ldapCtx, String user)

throws NamingException {

// List of attributes to return from LDAP query

String returnAttributes[] = {"ou", "sAMAccountName", "givenName", "sn", "memberOf"};

//Create the search controls

SearchControls searchCtls = new SearchControls();

searchCtls.setReturningAttributes(returnAttributes);

//Specify the search scope

searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

// Specify the user to search against

String searchFilter = "(&(objectClass=*)(sAMAccountName=" + user + "))";

//Perform the search

NamingEnumeration answer = ldapCtx.search("dc=dev4,dc=dbt,dc=ukhealth,dc=local", searchFilter, searchCtls);

// Only care about the first tuple

Attributes userAttributes = ((SearchResult)answer.next()).getAttributes();

if (userAttributes.size() <= 0) throw new NamingException();

return (NamingEnumeration) userAttributes.getAll();

}

根据我对信任关系的理解，如果 trust1 在 trust2 中收到用户的登录尝试，那么它应该将登录尝试转发给它，并且它将从用户的域名中解决 .

这是正确的还是我遗漏了某些东西，或者使用上述方法是不可能的？

编辑 -

来自LDAP绑定的堆栈跟踪是 {java.naming.provider.url=ldap://test1.ad1.foo.com:3268, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.authentication=simple, java.naming.referral=follow} 30-Oct-2012 13:16:02 ADDetailsProvider assignRowValues WARNING: Caught Authentication Exception attempting to bind to LDAP for [trusttest] Auth error is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0]