差異處
這裏顯示兩個版本的差異處。
java:ldap [2016/03/24 22:56] tony |
java:ldap [2023/06/25 09:48] |
||
---|---|---|---|
行 1: | 行 1: | ||
- | ====== LDAP & AD ====== | ||
- | LDAP & AD都算是老東西了,會開始寫些教學是因為遇到與它的整合。內容隨著我的學習會慢慢增加,如果我有空寫的話~XD。 | ||
- | ===== LDAP + RestAPI + Digest Auth? ===== | ||
- | 目前遇到的問題是: LDAP使用者是否可以透過RestAPI進行Digest Auth? \\ | ||
- | 我認為有困難。\\ | ||
- | 由於認證行為是交給LDAP Server,RestAPI Web層只負責forwarding;而Digest Auth中的密碼會被根據Http Request種類、密碼等等內容一起MD5 encoding過。如果無法取得明文,除非LDAP Server允許接受一樣的方式。 | ||
- | ===== OpenLDAP with SSL/TLS ===== | ||
- | 我參考了[[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|此篇]]教學產生certification file與設定,結果一直無法正常連線。於是透過以下command打開debug mode: | ||
- | <code bash> | ||
- | /usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d | ||
- | </code> | ||
- | 出現以下錯誤訊息: | ||
- | <code> | ||
- | 56f10002 slap_listener_activate(10): | ||
- | 56f10002 >>> slap_listener(ldaps://) | ||
- | 56f10002 connection_get(19): got connid=1001 | ||
- | 56f10002 connection_read(19): checking for input on id=1001 | ||
- | TLS: can't accept: Could not negotiate a supported cipher suite.. | ||
- | 56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing | ||
- | 56f10002 connection_close: conn=1001 sd=19 | ||
- | </code> | ||
- | 最後試出在Ubuntu 14.04下的slapd,可以參考[[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|此篇]]教學做法,將certification file設定給匯進去。 | ||
- | ===== SunCertPathBuilderException ===== | ||
- | <code bash> | ||
- | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | ||
- | </code> | ||
- | 參考[[http://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail|此篇]]教學,執行以下command將root ca給匯入到Java keystore中,changeit是預設密碼,如果要用記得要改: | ||
- | <code bash> | ||
- | keytool -importcert -trustcacerts -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -noprompt -alias tonytest -file /etc/ldap/ssl/rootca.crt | ||
- | Certificate was added to keystore | ||
- | </code> | ||
- | 列出現有的ca: | ||
- | <code bash> | ||
- | keytool -list -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit | ||
- | </code> | ||
- | 查看看測試的ca: | ||
- | <code bash> | ||
- | ./keytool -list -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit | grep tony | ||
- | tonytest, Mar 23, 2016, trustedCertEntry, | ||
- | </code> | ||
- | 刪除測試的ca: | ||
- | <code bash> | ||
- | ./keytool -delete -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -alias tonytest | ||
- | </code> | ||
- | ===== TLS already started ===== | ||
- | 在透過Spring Security使用TLS後,會發生TLS already started的例外。經過trace並從網路上[[http://www.openldap.org/faq/data/cache/1063.html|文章]]中發現,這是由於connection pool造成的。目前只要設定LdapContextSource以下內容,即可取消connection pool暫時解決: | ||
- | <code java> | ||
- | ldapContextSource.setCacheEnvironmentProperties(false); | ||
- | ldapContextSource.setPooled(false); | ||
- | </code> | ||
- | 會出現這問題,也有可能你是使用ldaps+636 port去做存取而產生的。(reference [[http://forum.spring.io/forum/spring-projects/data/ldap/19764-tls-and-setupauthenticatedenvironment|link]]) | ||
- | ===== Test Spring API ===== | ||
- | <code java> | ||
- | public class Tester { | ||
- | public static void main(String[] args) { | ||
- | try { | ||
- | LdapContextSource contextSource = new LdapContextSource(); | ||
- | //contextSource.setUrl("ldap://superserver.tony.org:389"); | ||
- | //contextSource.setUrl("ldap://superserver.tony.org:389"); | ||
- | contextSource.setUrl("ldap://10.134.15.131:389"); | ||
- | contextSource.setBase("DC=tony,DC=org"); | ||
- | contextSource.setUserDn("CN=admin,DC=tony,DC=org"); | ||
- | contextSource.setPassword("123456"); | ||
- | contextSource.afterPropertiesSet(); | ||
- | |||
- | DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy(){ | ||
- | @Override | ||
- | protected void applyAuthentication(LdapContext ctx, String userDn, String password) | ||
- | throws NamingException { | ||
- | super.applyAuthentication(ctx, userDn, password); | ||
- | ctx.addToEnvironment("com.sun.jndi.ldap.read.timeout", "20000"); | ||
- | } | ||
- | }; | ||
- | |||
- | strategy.setHostnameVerifier(new HostnameVerifier() { | ||
- | |||
- | @Override | ||
- | public boolean verify(String paramString, SSLSession paramSSLSession) { | ||
- | System.out.println("ignore verify"); | ||
- | return true; | ||
- | } | ||
- | }); | ||
- | |||
- | contextSource.setAuthenticationStrategy(strategy); | ||
- | |||
- | |||
- | LdapTemplate ldapTemplate = new LdapTemplate(contextSource); | ||
- | ldapTemplate.afterPropertiesSet(); | ||
- | |||
- | |||
- | Filter filter = new EqualsFilter("uid", "tonylin"); | ||
- | |||
- | boolean authed = ldapTemplate.authenticate("ou=supermicro", filter.encode(), "123456"); | ||
- | |||
- | System.out.println("Authenticated: " + authed); | ||
- | } catch (Exception e) { | ||
- | e.printStackTrace(); | ||
- | } finally { | ||
- | ThreadUtil.sleep(15000); | ||
- | } | ||
- | } | ||
- | |||
- | } | ||
- | </code> | ||
- | ===== OpenLDAP ===== | ||
- | View cn=config | ||
- | <code bash> | ||
- | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | ||
- | </code> | ||
- | ===== Articles ===== | ||
- | * [[java:ldap:openldap|OpenLDAP]] | ||
- | ===== Reference ===== | ||
- | ==== Auth & Security ==== | ||
- | * [[https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html|Authentication Mechanisms of JNDI]] | ||
- | * [[http://www.tech-faq.com/ldap-security-issues.html|LDAP security issues]] | ||
- | * [[http://www.openldap.org/doc/admin24/sasl.html|OpenLDAP - SASL]] | ||
- | * [[https://tersesystems.com/2014/03/23/fixing-hostname-verification/|fixing-hostname-verification]] | ||
- | ==== OpenLDAP ==== | ||
- | * [[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|Setup SSL/TLS on OpenLDAP server]] | ||
- | ==== Spring - LDAP ==== | ||
- | * [[http://forum.spring.io/forum/spring-projects/data/ldap/19764-tls-and-setupauthenticatedenvironment|StartTLS與Pool的問題]] |