I am trying to use the Grails LDAP plugin with my Active Directory.
The plugin requires a lot of things I am not familiar with, since I know very little about Active Directory.
```groovy
// LDAP config
grails.plugins.springsecurity.ldap.context.managerDn = '[distinguishedName]'
grails.plugins.springsecurity.ldap.context.managerPassword = '[password]'
grails.plugins.springsecurity.ldap.context.server = 'ldap://[ip]:[port]/'
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugins.springsecurity.ldap.search.base = '[the base directory to start the search. usually something like dc=mycompany,dc=com]'
grails.plugins.springsecurity.ldap.search.filter="sAMAccountName={0}" // for Active Directory you need this
grails.plugins.springsecurity.ldap.search.searchSubtree = true
grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugins.springsecurity.ldap.search.attributesToReturn = ['mail','displayName'] // extra attributes you want returned; see below for custom classes that access this data
grails.plugins.springsecurity.providerNames = ['ldapAuthProvider','anonymousAuthenticationProvider'] // specify this when you want to skip attempting to load from db and only use LDAP

// role-specific LDAP config
grails.plugins.springsecurity.ldap.useRememberMe = false
grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='[the base directory to start the search. usually something like dc=mycompany,dc=com]'
// If you don't want to support group membership recursion (groups in groups),then use the following setting
// grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}' // Active Directory specific
// If you wish to support groups with group as members (recursive groups),use the following
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = '(member:1.2.840.113556.1.4.1941:={0})' // Active Directory specific
```
I am using Windows 2008 Server and know the following:
IP = 10.10.10.90
Name = bold.foo.bar (This is what I see under Active Directory Users and Computers)
Domain = `BOLD`
Group = `MANAGERS`
Users = USERA (part of MANAGERS group) and USERB (not part of MANAGERS group)
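Question
Can I get some help filling in some or most of the required configuration? I have access to Active Directory Domain Services in Server Manager, so if most of the information comes from there, I can get it.
PS: I don't have the luxury of a Sys Admin to help me, so I'm a developer left to fill both roles :)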
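The Active Directory Explorer (AdExplorer) utility from the Microsoft Windows Sysinternals suite can help you find the DN and search base information you need.
But it is better to learn some LDAP concepts to gain more control, for example if you want to add more to search.filter to narrow the search results, or fetch more attributes (search.attributesToReturn) (say you also want to get the user's phoneNumber). Useful links: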
> Wikipedia: Lightweight Directory Access Protocol
> MSDN: Lightweight Directory Access Protocol (Windows)
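
As an added example (not part of the original question or answer), here is how the facts given in the question map onto the plugin settings. It assumes that bold.foo.bar is the AD domain's DNS name, that the domain controller listens on the default LDAP port 389, and that a bind account named `svc-grails` (hypothetical) sits in the default Users container; the environment variable name is also hypothetical.

```groovy
// Added example: Config.groovy values derived from the question's facts.
// Assumptions: bold.foo.bar is the domain's DNS name, default port 389,
// bind account "svc-grails" (hypothetical) in the default Users container.

// Each label of the domain's DNS name becomes one DC component:
// bold.foo.bar -> DC=bold,DC=foo,DC=bar
def baseDn = 'DC=bold,DC=foo,DC=bar'

// ldap:// sends the bind DN and every user's password unencrypted.
// Once the domain controller has a certificate the JVM trusts,
// switch to 'ldaps://10.10.10.90:636/'.
grails.plugins.springsecurity.ldap.context.server = 'ldap://10.10.10.90:389/'

// Full DN of the account the plugin binds with. Copy the real value from the
// account's distinguishedName attribute in AdExplorer; this one is a placeholder.
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=svc-grails,CN=Users,' + baseDn

// Keep the bind password out of source control
// (environment variable name is hypothetical).
grails.plugins.springsecurity.ldap.context.managerPassword = System.getenv('LDAP_MANAGER_PASSWORD')

// Search the whole domain for the login name typed by the user (USERA, USERB).
grails.plugins.springsecurity.ldap.search.base = baseDn
grails.plugins.springsecurity.ldap.search.filter = 'sAMAccountName={0}'
grails.plugins.springsecurity.ldap.search.searchSubtree = true
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true

// Group lookup: with Spring Security's default role prefix and upper-casing,
// membership in MANAGERS becomes ROLE_MANAGERS, so USERA gets it and USERB does not.
grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = baseDn
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
```

Narrowing `search.base` and `groupSearchBase` to the specific OU or container that holds the application's users and groups, and giving the bind account read-only rights, limits what the application can see in the directory.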