登录
Java实现LDAP登录
LDAP的全称是Lightweight Directory Access Protocol(轻量级目录访问协议),是一种用于访问和管理分布式目录信息服务的应用协议。LDAP通常用于存储用户、组和其他组织信息,提供对这些信息的快速查询和管理。
LDAP是基于X.500标准的一个简化版本,使用更简单的网络协议(如 TCP/IP)来实现,定义了客户端如何与目录服务交互,如添加、删除、修改或查询目录信息。
LDAP使用SSL加密(ldaps://)时,如果服务端是自签证书,需提前安装证书到jdk的信任证书库内,我采用的open-jdk8的证书库位于/etc/pki/ca-trust/extracted/java/cacerts,将自签发的证书certificate.pem导入
keytool -importcert -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -trustcacerts -file certificate.pem -alias uua01Java原生支持LDAP协议,通过管理员账户adminDn,adminPassword连接LDAP服务器,并搜索用户的DN,验证用户凭据,再检查输入的密码是否正确
import javax.naming.Context;import javax.naming.NamingEnumeration;import javax.naming.NamingException;import javax.naming.directory.SearchControls;import javax.naming.directory.SearchResult;import javax.naming.ldap.Control;import javax.naming.ldap.InitialLdapContext;import javax.naming.ldap.LdapContext;import java.io.InputStream;import java.util.Hashtable;import java.util.Map;import lombok.extern.slf4j.Slf4j;@Slf4jpublic class LdapVerify { public boolean connehct(String username, String password) { String ip = ""; String port = ""; String timeOut = ""; String adminDn = ""; String adminPassword = ""; String url = String.format("ldaps://%s:%s", ip, port); // 1. 建立与 LDAP 的连接 Hashtable<String, String> env = new Hashtable<>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, url); env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, adminDn); env.put(Context.SECURITY_CREDENTIALS, adminPassword); env.put(Context.SECURITY_PROTOCOL, "ssl"); // 启用 LDAPS env.put("com.sun.jndi.ldap.connect.timeout", "3000"); try { LdapContext ldapContext = new InitialLdapContext(env, null); // 2. 查找用户的完整 DN String searchBase = "OU=All Users,DC=demo,DC=com"; // 搜索起点 String searchFilter = "(sAMAccountName=" + username + ")"; // 根据用户名查找 SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); NamingEnumeration<SearchResult> results = ldapContext.search(searchBase, searchFilter, searchControls); if (results.hasMore()) { SearchResult result = results.next(); String userDn = result.getNameInNamespace(); log.info("LDAP登录, 找到用户 DN: " + userDn); // 3. 验证用户密码 Hashtable<String, String> userEnv = new Hashtable<>(); userEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); userEnv.put(Context.PROVIDER_URL, url); userEnv.put(Context.SECURITY_AUTHENTICATION, "simple"); userEnv.put(Context.SECURITY_PRINCIPAL, userDn); userEnv.put(Context.SECURITY_CREDENTIALS, password); userEnv.put(Context.SECURITY_PROTOCOL, "ssl"); userEnv.put("com.sun.jndi.ldap.connect.timeout", "3000"); try { new InitialLdapContext(userEnv, null).close(); log.info("LDAP登录, 用户验证成功 {}", username); return true; } catch (Exception e) { log.error("LDAP登录, 用户验证失败", username); return false; } } log.error("LDAP登录, 找不到用户 DN {} ", username); return false; } catch (NamingException e) { log.error("LDAP登录, 找用户异常 DN {} {} ", username, e.getMessage(), e); return false; } }}