Support SAM-Account-Name of AD Provider

Introduction

Windows Active Directory提供User Principle Name(簡稱UPN)與SAM Account Name(簡稱SAM)兩種登入方式:

然而ActiveDirectoryLdapAuthenticationProvider僅支援UPN的驗證方式。因此本篇文章主要告訴大家如何支援SAM驗證方式。

How to?

ActiveDirectoryLdapAuthenticationProvider驗證UPN的方式，是透過使用者輸入的帳號密碼，並藉由JNDI去做搜尋。而搜尋過濾的條件為:

(&(objectClass=user)(userPrincipalName={0}))

所以我們也許可以透過JNDI並搭配搜尋過濾條件去驗證SAM；在開始修改Provider前，我要先確認JNDI是否有辦法支援SAM。我撰寫以下程式碼做確認:

• Domain: TEST.COM
• SAM: TEST\test
• filter: (&(objectClass=user)(samaccountname=test))

LdapContextSource contextSource = new DefaultSpringSecurityContextSource("ldap://10.134.15.138:389");
contextSource.setBase("DC=TEST,DC=COM");
//contextSource.setUserDn("test@TEST.COM");
contextSource.setUserDn("TEST\\test");
contextSource.setPassword("123456");
contextSource.afterPropertiesSet();
 
LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
ldapTemplate.afterPropertiesSet();
 
SearchControls sc = new SearchControls();
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
 
ldapTemplate.search("cn=Users", "(&(objectClass=user)(samaccountname=test))", sc, new NameClassPairCallbackHandler() {	
	@Override
	public void handleNameClassPair(NameClassPair nameClassPair) {
		System.out.println(nameClassPair.getName());
	}
});

如果是搜尋UPN可以用以下程式碼:

ldapTemplate.search("cn=Users", "(&(objectClass=user)(userPrincipalName=test@test.com))", sc, 
			new NameClassPairCallbackHandler() {		
	@Override
	public void handleNameClassPair(NameClassPair nameClassPair) {
		System.out.println(nameClassPair.getName());
	}
});

基於原本Spring的程式碼，我新增getFilterConditions簡單的根據使用者帳號做UPN與SAM的判斷，去決定要使用哪一個filter:

private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
private String samAccountNameSearchFilter = "(&(objectClass=user)(samaccountname={0}))";
 
private DirContextOperations searchForUser(DirContext context, String username)
		throws NamingException {
	SearchControls searchControls = new SearchControls();
	searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 
	String bindPrincipal = createBindPrincipal(username);
	String searchRoot = rootDn != null ? rootDn
			: searchRootFromPrincipal(bindPrincipal);
 
 
	Pair<String, String> filterCond = getFilterConditions(username);
 
	try {
		return SpringSecurityLdapTemplate.searchForSingleEntryInternal(context,
				searchControls, searchRoot, filterCond.getFirst() ,
				new Object[] { filterCond.getSecond() });
	}
	catch (IncorrectResultSizeDataAccessException incorrectResults) {
		if (incorrectResults.getActualSize() != 0) {
			throw incorrectResults;
		}
 
		UsernameNotFoundException userNameNotFoundException = new UsernameNotFoundException(
				"User " + username + " not found in directory.", incorrectResults);
		throw badCredentials(userNameNotFoundException);
	}
}
 
private Pair<String, String> getFilterConditions(String aUserName){
	int index = aUserName.indexOf('\\');
	int size = aUserName.length();
 
	if( index == -1 || size <= index ) {
		return new Pair<String, String>(searchFilter, createBindPrincipal(aUserName));
	}
 
	String samaccountname = aUserName.substring(index+1);
	return new Pair<String, String>(samAccountNameSearchFilter, samaccountname);
}

直接把ActiveDirectoryLdapAuthenticationProvider搬來改也是千百個不願意。主要是因為類別本身宣告為final，且還有新增關於security驗證的需求，索性選擇簡單點的方法。

Reference

• SAM-Account-Name attribute
• Github - ActiveDirectoryLdapAuthenticationProvider.java