差異處
這裏顯示兩個版本的差異處。
| Both sides previous revision 前次修改 下次修改 | 前次修改 | ||
|
java:ldap [2016/03/24 11:07] tony [Auth & Security] |
java:ldap [2023/06/25 09:48] (目前版本) |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| + | {{tag>ldap}} | ||
| ====== LDAP & AD ====== | ====== LDAP & AD ====== | ||
| LDAP & AD都算是老東西了,會開始寫些教學是因為遇到與它的整合。內容隨著我的學習會慢慢增加,如果我有空寫的話~XD。 | LDAP & AD都算是老東西了,會開始寫些教學是因為遇到與它的整合。內容隨著我的學習會慢慢增加,如果我有空寫的話~XD。 | ||
| 行 5: | 行 6: | ||
| 我認為有困難。\\ | 我認為有困難。\\ | ||
| 由於認證行為是交給LDAP Server,RestAPI Web層只負責forwarding;而Digest Auth中的密碼會被根據Http Request種類、密碼等等內容一起MD5 encoding過。如果無法取得明文,除非LDAP Server允許接受一樣的方式。 | 由於認證行為是交給LDAP Server,RestAPI Web層只負責forwarding;而Digest Auth中的密碼會被根據Http Request種類、密碼等等內容一起MD5 encoding過。如果無法取得明文,除非LDAP Server允許接受一樣的方式。 | ||
| - | ===== OpenLDAP with SSL/TLS ===== | + | |
| - | 我參考了[[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|此篇]]教學產生certification file與設定,結果一直無法正常連線。於是透過以下command打開debug mode: | + | |
| - | <code bash> | + | |
| - | /usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d | + | |
| - | </code> | + | |
| - | 出現以下錯誤訊息: | + | |
| - | <code> | + | |
| - | 56f10002 slap_listener_activate(10): | + | |
| - | 56f10002 >>> slap_listener(ldaps://) | + | |
| - | 56f10002 connection_get(19): got connid=1001 | + | |
| - | 56f10002 connection_read(19): checking for input on id=1001 | + | |
| - | TLS: can't accept: Could not negotiate a supported cipher suite.. | + | |
| - | 56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing | + | |
| - | 56f10002 connection_close: conn=1001 sd=19 | + | |
| - | </code> | + | |
| - | 最後試出在Ubuntu 14.04下的slapd,可以參考[[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|此篇]]教學做法,將certification file設定給匯進去。 | + | |
| ===== SunCertPathBuilderException ===== | ===== SunCertPathBuilderException ===== | ||
| <code bash> | <code bash> | ||
| 行 43: | 行 29: | ||
| ./keytool -delete -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -alias tonytest | ./keytool -delete -keystore /opt/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -alias tonytest | ||
| </code> | </code> | ||
| - | ===== TLS already started ===== | + | 修改密碼: |
| - | http://www.openldap.org/faq/data/cache/1063.html | + | <code bash> |
| + | keytool -keystore "C:\Program Files\Java\jre1.8.0_66\lib\security\cacerts" -storepasswd -new newpasswd -storepass changeit | ||
| + | </code> | ||
| - | ===== Test Spring API ===== | + | ===== Articles ===== |
| - | <code java> | + | * [[java:ldap:openldap|OpenLDAP]] |
| - | public class Tester { | + | * [[java:ldap:jndi|JNDI API]] |
| - | + | * [[java:ldap:spring|Spring API]] | |
| - | public static void main(String[] args) { | + | * [[java:dalp:ad:enable_certificate|Enable SSL/TLS on Windows AD]] |
| - | try { | + | |
| - | LdapContextSource contextSource = new LdapContextSource(); | + | |
| - | //contextSource.setUrl("ldap://superserver.tony.org:389"); | + | |
| - | //contextSource.setUrl("ldap://superserver.tony.org:389"); | + | |
| - | contextSource.setUrl("ldap://10.134.15.131:389"); | + | |
| - | contextSource.setBase("DC=tony,DC=org"); | + | |
| - | contextSource.setUserDn("CN=admin,DC=tony,DC=org"); | + | |
| - | contextSource.setPassword("123456"); | + | |
| - | contextSource.afterPropertiesSet(); | + | |
| - | + | ||
| - | DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy(){ | + | |
| - | @Override | + | |
| - | protected void applyAuthentication(LdapContext ctx, String userDn, String password) | + | |
| - | throws NamingException { | + | |
| - | super.applyAuthentication(ctx, userDn, password); | + | |
| - | ctx.addToEnvironment("com.sun.jndi.ldap.read.timeout", "20000"); | + | |
| - | } | + | |
| - | }; | + | |
| - | + | ||
| - | strategy.setHostnameVerifier(new HostnameVerifier() { | + | |
| - | + | ||
| - | @Override | + | |
| - | public boolean verify(String paramString, SSLSession paramSSLSession) { | + | |
| - | System.out.println("ignore verify"); | + | |
| - | return true; | + | |
| - | } | + | |
| - | }); | + | |
| - | + | ||
| - | contextSource.setAuthenticationStrategy(strategy); | + | |
| - | + | ||
| - | + | ||
| - | LdapTemplate ldapTemplate = new LdapTemplate(contextSource); | + | |
| - | ldapTemplate.afterPropertiesSet(); | + | |
| - | + | ||
| - | + | ||
| - | Filter filter = new EqualsFilter("uid", "tonylin"); | + | |
| - | + | ||
| - | boolean authed = ldapTemplate.authenticate("ou=supermicro", filter.encode(), "123456"); | + | |
| - | + | ||
| - | System.out.println("Authenticated: " + authed); | + | |
| - | } catch (Exception e) { | + | |
| - | e.printStackTrace(); | + | |
| - | } finally { | + | |
| - | ThreadUtil.sleep(15000); | + | |
| - | } | + | |
| - | } | + | |
| - | + | ||
| - | } | + | |
| - | </code> | + | |
| ===== Reference ===== | ===== Reference ===== | ||
| ==== Auth & Security ==== | ==== Auth & Security ==== | ||
| 行 108: | 行 47: | ||
| ==== OpenLDAP ==== | ==== OpenLDAP ==== | ||
| * [[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|Setup SSL/TLS on OpenLDAP server]] | * [[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|Setup SSL/TLS on OpenLDAP server]] | ||
| + | ==== Spring - LDAP ==== | ||
| + | * [[http://forum.spring.io/forum/spring-projects/data/ldap/19764-tls-and-setupauthenticatedenvironment|StartTLS與Pool的問題]] | ||
| + | ==== Client ==== | ||
| + | * [[https://directory.apache.org/studio/downloads.html|Apache Directory Studio]] | ||
| + | * [[http://www.ldapadmin.org/|LDAP Admin]] | ||
| + | ==== Integration ==== | ||
| + | * [[http://media.community.dell.com/en/dtc/attach/idrac6_directoryservices.pdf|Dell iDRAC6]] | ||
| + | |||
| + | ===== ===== | ||
| + | ---- | ||
| + | \\ | ||
| + | ~~DISQUS~~ | ||
