我需要针对 AD 中的域用户组设置 LDAP 身份验证;有一个问题,ldap authenticatin 似乎要求用户是默认域用户以外的其他组的成员。但是,当有 10000 多个用户时,仅出于此 tomcat 目的将所有用户分配给另一个组并不是解决方案。
一定有别的办法吧?是否可以通过编辑 server.xml 或 web.xml 来检查 primaryGroupID?
或者是否可以完全忽略 GROUP 检查?
最佳答案
根据 Realm Configuration HOW-TO ,
The directory realm supports two approaches to the representation of roles in the directory:
- Roles as explicit directory entries
Roles may be represented by explicit directory entries. A role entry is usually an LDAP group entry with one attribute containing the name of the role and another whose values are the distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:
roleBase- the base entry for the role search. If not specified, the search base is the top-level directory context.roleSubtree- the search scope. Set totrueif you wish to search the entire subtree rooted at theroleBaseentry. The default value offalserequests a single-level search including the top level only.roleSearch- the LDAP search filter for selecting role entries. It optionally includes pattern replacements "{0}" for the distinguished name and/or "{1}" for the username of the authenticated user.roleName- the attribute in a role entry containing the name of that role
- 作为用户条目属性的角色
角色名称也可以作为用户目录条目中的属性值。使用userRoleName指定此属性的名称。可以结合使用两种角色表示方法。
因此,如果您有合适的东西,一种方法是使用属性。有一些工具可以对 AD 属性进行“批量更新”或“批量修改”。如果你不想污染 AD,那就用 ADAM 包裹它。您可以在 ADAM 中创建指向 AD 用户的代理对象,并在 ADAM 中添加属性。参见 Understanding ADAM bind redirection了解更多信息。
关于tomcat - 如何在没有检查成员的情况下设置tomcat ldap身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/1443189/