LDAP Namespace Options
The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project’s API may be useful.
Defining the LDAP Server using the <ldap-server> Element
This element sets up a Spring LDAP ContextSource for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn’t allow anonymous access) for connecting to it.
It can also be used to create an embedded server for testing.
Details of the syntax for both options are covered in the LDAP chapter.
The actual ContextSource implementation is DefaultSpringSecurityContextSource, which extends Spring LDAP’s LdapContextSource class.
The manager-dn and manager-password attributes map to the latter’s userDn and password properties respectively.
If you only have one server defined in your application context, the other LDAP namespace-defined beans will use it automatically.
Otherwise, you can give the element an "id" attribute and refer to it from other namespace beans using the server-ref attribute.
This is actually the bean id of the ContextSource instance, if you want to use it in other traditional Spring beans.
<ldap-server> Attributes
- mode: Explicitly specifies which embedded LDAP server should be used. Values are apacheds and unboundid. By default, the choice depends on which library is available on the classpath.
- id: A bean identifier, used for referring to the bean elsewhere in the context.
- ldif: Explicitly specifies an LDIF file resource to load into an embedded LDAP server. The value should be a Spring resource pattern (e.g. classpath:init.ldif). The default is classpath*:*.ldif.
- manager-dn: Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
- manager-password: The password for the manager DN. This is required if the manager-dn is specified.
- port: Specifies an IP port number. Used to configure an embedded LDAP server, for example. The default value is 33389.
- root: Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org".
- url: Specifies the LDAP server URL when not using the embedded LDAP server.
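The two ways of using <ldap-server> described above (an embedded server for tests and an external server reached with a manager identity), as an added example that is not part of the Spring Security reference. The bean ids testServer and corpServer, the host name, the dc=example,dc=com suffix, the LDIF file name and the ldap.manager.* property names are assumptions; it also assumes the 3.1-or-later schema in which <ldap-authentication-provider> sits directly under <authentication-manager>.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the Spring Security reference. Bean ids, host name,
     root suffix, LDIF name and property placeholder names are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        https://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/security
        https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Manager credentials are read from a properties file outside the XML,
         so the bind password is not committed with the application context. -->
    <context:property-placeholder location="classpath:ldap.properties"/>

    <!-- 1. Embedded server for tests: no url, so an in-process server is
         started on port 33389 (the default) under root dc=example,dc=com and
         loaded from the ldif resource. mode selects the implementation when
         both ApacheDS and UnboundID are on the test classpath. -->
    <ldap-server id="testServer"
                 mode="unboundid"
                 ldif="classpath:test-users.ldif"
                 root="dc=example,dc=com"
                 port="33389"/>

    <!-- 2. External server: url is set, so nothing is embedded. manager-dn and
         manager-password become the userDn and password of the
         DefaultSpringSecurityContextSource. Leaving out manager-dn would make
         user and group lookups anonymous binds, which the directory may not
         permit; ldaps keeps the manager credentials off the wire in clear. -->
    <ldap-server id="corpServer"
                 url="ldaps://ldap.example.com:636/dc=example,dc=com"
                 manager-dn="${ldap.manager.dn}"
                 manager-password="${ldap.manager.password}"/>

    <!-- Two servers are defined, so there is no default: every consumer must
         name one with server-ref. -->
    <authentication-manager>
        <ldap-authentication-provider server-ref="corpServer"
                                      user-dn-pattern="uid={0},ou=people"/>
    </authentication-manager>
</beans:beans>
```

With a single <ldap-server> and no id the server-ref could be dropped; it is kept here because the test and production definitions would otherwise be ambiguous in one context.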
<ldap-authentication-provider>
This element is shorthand for the creation of an LdapAuthenticationProvider instance.
By default this will be configured with a BindAuthenticator instance and a DefaultAuthoritiesPopulator.
As with all namespace authentication providers, it must be included as a child of the authentication-provider element.
<ldap-authentication-provider> Attributes
- group-role-attribute: The LDAP attribute name which contains the role name which will be used within Spring Security. Maps to the DefaultLdapAuthoritiesPopulator’s groupRoleAttribute property. Defaults to "cn".
- group-search-base: Search base for group membership searches. Maps to the DefaultLdapAuthoritiesPopulator’s groupSearchBase constructor argument. Defaults to "" (searching from the root).
- group-search-filter: Group search filter. Maps to the DefaultLdapAuthoritiesPopulator’s groupSearchFilter property. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.
- role-prefix: A non-empty string prefix that will be added to role strings loaded from persistent storage. Maps to the DefaultLdapAuthoritiesPopulator’s rolePrefix property. Defaults to "ROLE_". Use the value "none" for no prefix in cases where the default is non-empty.
- server-ref: The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no id), that server will be used.
- user-context-mapper-ref: Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user’s directory entry.
- user-details-class: Allows the objectClass of the user entry to be specified. If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object.
- user-dn-pattern: If your users are at a fixed location in the directory (i.e. you can work out the DN directly from the username without doing a directory search), you can use this attribute to map directly to the DN. It maps directly to the userDnPatterns property of AbstractLdapAuthenticator. The value is a specific pattern used to build the user’s DN, for example uid={0},ou=people. The key {0} must be present and will be substituted with the username.
- user-search-base: Search base for user searches. Defaults to "". Only used with a 'user-search-filter'.
- user-search-filter: The LDAP filter used to search for users (optional). For example (uid={0}). The substituted parameter is the user’s login name.
If you need to perform a search to locate the user in the directory, then you can set the user-search-base and user-search-filter attributes to control the search.
The BindAuthenticator will be configured with a FilterBasedLdapUserSearch and the attribute values map directly to the first two arguments of that bean’s constructor.
If these attributes aren’t set and no user-dn-pattern has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" and user-search-base="" will be used.
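The search-based provider described by the user-search-* and group-* attributes above, as an added example that is not part of the Spring Security reference. The server id corpServer, the ou=people and ou=groups layout, the member attribute in the group filter and the objectClass value are assumptions; the fragment belongs inside a beans root that declares the security namespace as the default namespace (as in the previous example).

```xml
<!-- Added example, not from the Spring Security reference. corpServer, the
     ou=people / ou=groups layout and the member attribute are assumptions. -->
<authentication-manager>
    <ldap-authentication-provider
        server-ref="corpServer"

        <!-- No user-dn-pattern, so BindAuthenticator is given a
             FilterBasedLdapUserSearch built from these two values. The
             search base is narrowed from the default "" (whole tree) to the
             people subtree, and the filter requires the expected objectClass
             as well as the uid. '&' must be written as &amp; inside XML. -->
        user-search-base="ou=people"
        user-search-filter="(&amp;(uid={0})(objectClass=inetOrgPerson))"

        <!-- {0} in the user filter is the login name entered by the user; the
             framework substitutes it as a filter argument, so do not build the
             filter string yourself from the username. -->

        <!-- Group lookup: {0} here is the DN of the user found above, not the
             login name. cn of each matching group becomes ROLE_<cn>. -->
        group-search-base="ou=groups"
        group-search-filter="(member={0})"
        group-role-attribute="cn"
        role-prefix="ROLE_"

        <!-- Load the standard inetOrgPerson attributes into the UserDetails. -->
        user-details-class="inetOrgPerson"/>
</authentication-manager>
```

If both user-search-* attributes are removed from this fragment, the provider silently falls back to user-search-filter="(uid={0})" with user-search-base="", i.e. a search of the entire directory; setting the base explicitly is the easy way to make that scope visible in configuration review.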
<password-compare>
This is used as a child element of <ldap-provider> and switches the authentication strategy from BindAuthenticator to PasswordComparisonAuthenticator.
<password-compare> Attributes
- hash: Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.
- password-attribute: The attribute in the directory which contains the user password. Defaults to "userPassword".
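The password-comparison strategy, as an added example that is not part of the Spring Security reference. It assumes that <password-compare> accepts a nested <password-encoder ref="..."/> element (an assumption, since the page lists only the hash and password-attribute attributes), that the directory stores userPassword values in a format the referenced encoder can verify (here BCrypt, which is an assumption about the directory), and the server id corpServer from the earlier examples. It belongs inside a beans root with the security namespace as default and beans: as the prefix for core beans.

```xml
<!-- Added example, not from the Spring Security reference. The nested
     password-encoder element, the BCrypt storage format and corpServer are
     assumptions. -->
<authentication-manager>
    <ldap-authentication-provider server-ref="corpServer"
                                  user-dn-pattern="uid={0},ou=people">

        <!-- Switches the provider from BindAuthenticator to
             PasswordComparisonAuthenticator: instead of binding as the user,
             the value of password-attribute is compared with the supplied
             password. This needs the manager identity to be able to read
             that attribute, so it is a wider privilege than a plain bind;
             prefer the default bind strategy unless the directory cannot
             authenticate users itself. -->
        <password-compare password-attribute="userPassword">
            <!-- The encoder must match how the directory stores passwords.
                 The page warns against MD4; a salted, slow algorithm such as
                 BCrypt is used here. -->
            <password-encoder ref="ldapPasswordEncoder"/>
        </password-compare>
    </ldap-authentication-provider>
</authentication-manager>

<beans:bean id="ldapPasswordEncoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
```

The hash attribute on <password-compare> is the shorter alternative when the directory uses one of the algorithms the namespace names directly; an explicit encoder bean is used above so that the algorithm choice is visible in one place and is not the weak default of an older schema.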
<ldap-user-service>
This element configures an LDAP UserDetailsService.
The class used is LdapUserDetailsService, which is a combination of a FilterBasedLdapUserSearch and a DefaultLdapAuthoritiesPopulator.
The attributes it supports have the same usage as in <ldap-provider>.
<ldap-user-service> Attributes
- cache-ref: Defines a reference to a cache for use with a UserDetailsService.
- group-role-attribute: The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn".
- group-search-base: Search base for group membership searches. Defaults to "" (searching from the root).
- group-search-filter: Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.
- id: A bean identifier, used for referring to the bean elsewhere in the context.
- role-prefix: A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the default is non-empty.
- server-ref: The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no id), that server will be used.
- user-context-mapper-ref: Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user’s directory entry.
- user-details-class: Allows the objectClass of the user entry to be specified. If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object.
- user-search-base: Search base for user searches. Defaults to "". Only used with a 'user-search-filter'.
- user-search-filter: The LDAP filter used to search for users (optional). For example (uid={0}). The substituted parameter is the user’s login name.
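An <ldap-user-service> wired as the UserDetailsService behind remember-me, with the cache-ref attribute backed by a Spring cache, as an added example that is not part of the Spring Security reference. The server id corpServer, the directory layout, the bean ids ldapUserService and userCache, and the rememberme.key property are assumptions; the fragment belongs inside a beans root with the security namespace as default and beans: as the prefix for core beans.

```xml
<!-- Added example, not from the Spring Security reference. corpServer, the
     ou=people / ou=groups layout, the bean ids and rememberme.key are
     assumptions. -->

<!-- LdapUserDetailsService = FilterBasedLdapUserSearch (user-search-*) plus
     DefaultLdapAuthoritiesPopulator (group-*). No password is involved here:
     the service only loads the user entry and its roles, so it fits places
     that need a UserDetailsService without a credential check. -->
<ldap-user-service id="ldapUserService"
                   server-ref="corpServer"
                   user-search-base="ou=people"
                   user-search-filter="(uid={0})"
                   group-search-base="ou=groups"
                   group-search-filter="(member={0})"
                   group-role-attribute="cn"
                   role-prefix="ROLE_"
                   cache-ref="userCache"/>

<!-- cache-ref expects a UserCache. SpringCacheBasedUserCache adapts any
     org.springframework.cache.Cache; an in-memory ConcurrentMapCache is used
     here. A cached entry means a disabled or removed directory account keeps
     its cached UserDetails until eviction, so keep the cache small or use
     one with an expiry policy in production. -->
<beans:bean id="userCache"
            class="org.springframework.security.core.userdetails.cache.SpringCacheBasedUserCache">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.cache.concurrent.ConcurrentMapCache">
            <beans:constructor-arg value="users"/>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

<!-- Remember-me rebuilds the Authentication from a cookie, so it needs a
     UserDetailsService to reload roles; the LDAP service above serves that
     role. The token key is externalised rather than hard-coded. -->
<http>
    <intercept-url pattern="/**" access="authenticated"/>
    <form-login/>
    <remember-me user-service-ref="ldapUserService" key="${rememberme.key}"/>
</http>
```

Because the service does not bind as the user, the manager identity on corpServer must be allowed to read the user and group entries; that is the same requirement the search-based <ldap-authentication-provider> has, and the attributes carry the same meaning.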