2014-10-20 247 views
0

Spring Security LDAP authentication error - authentication exception instead of password lock

I have set up LDAP authentication with the configuration below. I need users to authenticate against the LDAP data store, and I have set pwdMaxFailure to 2.

However, although authentication itself works fine, every time I log in with a wrong password I get the following exception instead of a password lock exception. I don't think Spring LDAP is checking the PwdPolicy (counting the password attempts) while authenticating the user.

ne = (javax.naming.AuthenticationException) javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=admin,ou=users,o=organisation]

My LDIF file

dn: cn=admin,ou=users,o=organization
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: admin
sn: Admin
uid: admin
userPassword:: e1NTSEF9bEtlTUNzLy9OK1JsV2hCWEM2U2ZZNDh0Lzd0OHBlbjFrdjkxN3c9PQ==
createTimestamp: 20141003000008.689Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20141020004319.002000Z#000000#001#000000
entryDN: cn=admin,ou=users,o=organization
entryParentId: 8204b2df-ff5a-413a-a063-4ac30d35bee4
entryUUID:: N2I1MTFlNjYtMDhjZS00YjA3LWIxYzItNTkyOTI3ZGE3ZTBi
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20141020004319.002Z
pwdFailureTime: 20141020003207.120Z
pwdHistory:: MjAxNDEwMDMwMDAwMDguNjgxWiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS4
 0MCM4I1lXUnRhVzQ9
pwdPolicySubentry: cn=default,ou=pwdPolicy,o=organization

dn: cn=default,ou=pwdPolicy,o=organization
objectClass: device
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
pwdExpireWarning: 3600
pwdGraceExpire: 1
pwdLockout: TRUE
pwdLockoutDuration: 120
pwdMaxAge: 2592000
pwdMaxFailure: 2

And the Spring configuration file is as follows

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider ref="jdbcProviderManager" />
    <authentication-provider ref="ldapProviderManager" />
</authentication-manager>

<bean id="jdbcProviderManager" class="au.com.spring.handler.DBLoginAuthentication">
    <property name="userDetailsService" ref="daoAuthenticationProvider" />
</bean>

<bean id="ldapProviderManager" class="au.com.spring.handler.LDAPLoginAuthentication">
    <property name="userDetailsService" ref="ldapAuthenticationProvider" />
</bean>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="JdbcUserDetailsManager" />
    <property name="passwordEncoder" ref="encoder" />
</bean>

<bean id="ldapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userSearch" ref="ldapUserSearch" />
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="au.com.spring.handler.CustomLDAPAuthoritiesPopulator">
            <constructor-arg ref="contextSource" />
            <constructor-arg value="${group.search}" />
            <property name="groupSearchFilter" value="${group.search.filter}" />
            <property name="groupRoleAttribute" value="${group.role.att}" />
            <property name="rolePrefix" value="ROLE_" />
            <property name="searchSubtree" value="true" />
            <property name="convertToUpperCase" value="true" />
        </bean>
    </constructor-arg>
    <property name="hideUserNotFoundExceptions" value="false" />
    <property name="useAuthenticationRequestCredentials" value="true" />
    <property name="userDetailsContextMapper" ref="inetOrgPersonContextMapper" />
</bean>

<bean id="inetOrgPersonContextMapper" class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />

<bean id="defaultLdapUsernameToDnMapper" class="org.springframework.security.ldap.DefaultLdapUsernameToDnMapper">
    <constructor-arg value="${users.search}" />
    <constructor-arg value="${uid.att}" />
</bean>

<!--<bean id="authenticationSuccessListener" class="prpa.athos.security.listener.AuthenticationSuccessListener" />-->

<!--<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">-->
<bean id="contextSource" class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
    <constructor-arg value="ldap://localhost:10389/o=organization" />
    <!--<property name=""/>-->
</bean>

Answer

0

I'm getting the following exception instead of Password lock exception.

LDAP password policy draft 10

8.1.1. Fail if the account is locked

If the account is locked as specified in Section 7.1, the server fails the operation with an appropriate resultCode (i.e. invalidCredentials (49) in the case of a bind operation, compareFalse (5) in the case of a compare operation, etc.). The server MAY set the error: accountLocked (1) in the passwordPolicyResponse in the controls field of the message.

So the LDAP server is behaving correctly.

I don't think Spring LDAP is checking the PwdPolicy (Counting the password attempts) while authenticating the user

It is the LDAP server that performs the check. Spring needs to supply an additional request control so that it can see the password lockout state described above. But in any case, you never want to reveal to the user why a login failed at login time: that is an information leak. It amounts to telling an attacker that the username is correct, which is undesirable. Let the user ask why the login failed if he believes his password is correct, or let him go through the lost-password sequence.

+0

Thanks for the quick reply. After the login fails to create the context (using a wrong password), in the catch block of the class PasswordPolicyAwareContextSource it calls PasswordControllerExtractor.extractControl, where responseControl is null. If it is not null, it checks whether ctrl is locked. Not sure whether I am doing this correctly; is there any way to make responseControl non-null? – Swathi 2014-10-20 06:01:56

+0

I don't know much about Spring, but in LDAP you must attach a 'password policy request control' to the request in order to get a 'password policy response control' in the response. – EJP 2014-10-20 06:22:19
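The request-control step that the answer and the last comment describe, as an added standalone example (not code from the question, nor Spring Security's own source): a Java bind that attaches the password policy request control and then reads the passwordPolicyResponse control even when the bind fails. It uses the ppolicy helper classes from the same package as the question's PasswordPolicyAwareContextSource, assumes the directory URL from the question, and the anonymous first bind is an assumption made so the context object outlives the failed user bind.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import org.springframework.security.ldap.ppolicy.PasswordPolicyControl;
import org.springframework.security.ldap.ppolicy.PasswordPolicyControlExtractor;
import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl;

public class PpolicyBindCheck {

    // Directory URL taken from the question's contextSource; adjust for your server.
    static final String URL = "ldap://localhost:10389/o=organization";

    /** Binds as userDn with the password policy request control attached; returns the response control or null. */
    static PasswordPolicyResponseControl bindWithPolicyControl(String userDn, String password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // Open the connection first (anonymously, an assumption) so the LdapContext survives a failed user bind.
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            // Re-bind as the user; this request control is what makes the server attach a policy response control.
            ctx.reconnect(new Control[] { new PasswordPolicyControl(false) });
            return PasswordPolicyControlExtractor.extractControl(ctx);
        } catch (NamingException e) {
            // Bind failed (error 49). Read the control before giving up: after pwdMaxFailure with
            // pwdLockout=TRUE it carries the error accountLocked(1) from section 8.1.1 of the draft.
            PasswordPolicyResponseControl ctrl = PasswordPolicyControlExtractor.extractControl(ctx);
            if (ctrl != null && ctrl.isLocked()) {
                // Log server-side only; the login form should still report plain invalid credentials.
                System.err.println("Account " + userDn + " is locked: " + ctrl.getErrorStatus());
                return ctrl;
            }
            throw e;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println("Response control: " + bindWithPolicyControl(args[0], args[1]));
    }
}
```

Run it as `java PpolicyBindCheck <userDn> <password>` against the directory; a null result after a failed bind means the server returned no policy control at all, which is the case the comment above describes.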