External link: Tomcat + LDAP authentication: http://my.oschina.net/xpbug/blog/198765
# tar -xzvf openldap-2.4.15.tgz
# cd openldap-2.4.15/
# ./configure --prefix=/usr/local/openldap
# make depend
# make
./configure --enable-bdb --libdir=/usr/local/BerkeleyDB/lib --includedir=/usr/local/BerkeleyDB/include --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
2. When running ./configure, the following error appears: configure: error: could not locate libtool ltdl.h. Fix: install the libtool-ltdl and libtool-ltdl-devel packages. On a 64-bit system, via yum, the command is: # yum install libtool-ltdl.x86_64 libtool-ltdl-devel.x86_64
Fill in your own domain here; clients will need it when they connect.
# /usr/local/openldap/sbin/slappasswd -h {SSHA}
New password:
Re-enter new password:
4. Start LDAP
To stop slapd, the official documentation gives: kill -INT `cat /usr/local/var/slapd.pid`
# Create the Admins organizational unit
dn: ou=Admins,dc=sogal,dc=com
ou: Admins
objectClass: top
objectClass: organizationalUnit

# Create the Users organizational unit
dn: ou=Users,dc=sogal,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

# Create a user under the Users unit
dn: uid=testuid,ou=Users,dc=sogal,dc=com
objectClass: inetOrgPerson
uid: testuid
sn: testsn
cn: testcn
mail: testmail@gmail.com
userPassword: testpass
dn:(space) dc=hq3595,dc=com(no trailing space)
objectclass: (space)dcObject(no trailing space)
objectclass: (space)organization(no trailing space)
o: (space)kaspersky(no trailing space)
dc:(space) hq3595(no trailing space)
(1 blank line)
dn: (space)cn=test,dc=hq3595,dc=com(no trailing space)
objectclass: (space)organizationalRole(no trailing space)
cn: (space)test(no trailing space)
(no blank line at the end)
6. Install JXplorer to manage LDAP
7. Access control configuration, also in the slapd.conf file (not done yet)
    by self write
    by anonymous auth
    by dn="cn=Admin,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn="cn=Admin,dc=example,dc=com" write
    by * read
8. Java authentication (core code):
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.PagedResultsControl;

public class LdapHelper {
    private static DirContext ctx;

    public static DirContext getCtx() {
        String account = "Manager";        // binddn
        String password = "hq3595";        // bindpwd
        String root = "dc=hq3595,dc=com";  // root
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://192.168.147.131:389/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=" + account + "," + root);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            // connect to LDAP (a plain InitialDirContext would also work):
            // ctx = new InitialDirContext(env);
            ctx = new InitialLdapContext(env,
                    new Control[]{new PagedResultsControl(100, Control.NONCRITICAL)});
            System.out.println("认证成功");
        } catch (javax.naming.AuthenticationException e) {
            e.printStackTrace();
            System.out.println("认证失败");
        } catch (Exception e) {
            System.out.println("认证出错:");
            e.printStackTrace();
        }
        return ctx;
    }

    public static void closeCtx() {
        try {
            ctx.close();
        } catch (NamingException ex) {
            Logger.getLogger(LdapHelper.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}
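The code above only binds as the directory manager. As an added example (not from the original post), this is how a user login is usually verified against the tree created earlier: search for the uid with a service account, escape the input so it cannot alter the filter (RFC 4515), then bind as the user's own DN. The host, the service account, the LDAP_BIND_PW environment variable and the dc=sogal,dc=com suffix are assumptions; the ou=Users entry is the one from the LDIF above.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class LdapUserAuth {
    // Assumed values: the OU comes from the LDIF above; host, service account and env var are placeholders.
    static final String URL = "ldap://ldap.example.com:389/";
    static final String USER_BASE = "ou=Users,dc=sogal,dc=com";
    static final String BIND_DN = "cn=Manager,dc=sogal,dc=com"; // search-only service account
    static final String BIND_PW = System.getenv("LDAP_BIND_PW"); // keep the bind password out of source
    /** RFC 4515 escaping so a uid such as "*)(uid=*" cannot change the filter; backslash goes first. */
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    static DirContext connect(String dn, String pw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        return new InitialDirContext(env);
    }
    /** Look up the user's DN with the service account, then verify the password by binding as that DN. */
    public static boolean authenticate(String uid, String password) {
        // An empty password turns a simple bind into an anonymous bind (RFC 4513), which would succeed for any uid.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) return false;
        DirContext ctx = null;
        try {
            ctx = connect(BIND_DN, BIND_PW);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            String filter = "(&(objectClass=inetOrgPerson)(uid=" + escapeFilter(uid) + "))";
            NamingEnumeration<SearchResult> r = ctx.search(USER_BASE, filter, sc);
            if (!r.hasMore()) return false; // unknown user
            String userDn = r.next().getNameInNamespace();
            if (r.hasMore()) return false; // ambiguous match: refuse rather than guess
            connect(userDn, password).close(); // throws AuthenticationException on a wrong password
            return true;
        } catch (NamingException e) { // covers AuthenticationException (bad password) and connection errors
            return false;
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```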
- isAbsent: a string of up to 128 characters, single-valued
- substitutes: a string of up to 128 characters, multi-valued
After consulting the OpenLDAP administrator's guide and examples found online, the solution is as follows:
attributetype ( 2.16.840.1.113730.3.1.900
    NAME 'isAbsent'
    DESC 'whether the person is absent from work'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113730.3.1.901
    NAME 'substitutes'
    DESC 'people substitutes when absent'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
Here 2.16.840.1.113730.3.1.900 and 901 were picked as OIDs believed to be unused (whether they have actually been used is unknown; search before relying on them), and 1.3.6.1.4.1.1466.115.121.1.15 is the Directory String syntax. Note that the 2.16.840.1.113730 arc is registered to Netscape; for production schema, allocate OIDs under an arc you control, such as a private enterprise number under 1.3.6.1.4.1.
Enable these two attributes in the inetOrgPerson object class
objectclass ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
    MAY (
        ... $
        isAbsent $ substitutes )
    )
Enable inetorgperson.schema in slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/nis.schema