Java、LDAP:让它不忽略空白密码?
我正在维护一些旧版 Java LDAP 代码.我对 LDAP 几乎一无所知.
I'm maintaining some legacy Java LDAP code. I know next to nothing about LDAP.
下面的程序基本上只是将用户名和密码发送到 LDAP 服务器,如果凭据正确,则会收到通知.如果是,则打印出从 LDAP 服务器接收到的 LDAP 属性,如果不是,则打印出异常.
The program below basically just sends the userid and password to the LDAP server, receives notification back if the credentials are good. If so, it prints out the LDAP attributes received from the LDAP server, if not it prints out an exception.
如果输入的密码错误,一切正常.抛出无效凭据"异常.但是,如果向 LDAP 服务器发送空白密码,仍然会进行身份验证,仍然会返回 LDAP 属性.
All works well if a bad password is given. An "invalid credentials" exception gets thrown. However, if a blank password is sent to the LDAP Server, authentication will still happen, LDAP attributes will still be returned.
这种不愉快的情况是由于 LDAP 服务器允许空白密码,还是需要调整下面的代码,这样空白密码才会以这种方式输入 LDAP 服务器而被拒绝?
Is this unhappy situation due to the LDAP server allowing blank passwords, or does the code below need to be adjusted such a blank password will get fed to the LDAP server in such a way so it will get rejected?
我确实有数据验证.我在测试环境中将其取下来解决另一个问题并注意到了这个问题.我不希望在数据验证下出现这个问题.
I do have data validation in place. I took it off in a testing environment to solve another issue and noticed this problem. I would prefer not to have this problem underneath the data validation.
非常感谢您提供任何信息
Thanks much in advance for any information
import javax.naming.*;
import javax.naming.directory.*;
import java.util.*;
import java.sql.*;
public class LDAPTEST {
public static void main(String args[]) {
String lcf = "com.sun.jndi.ldap.LdapCtxFactory";
String ldapurl = "ldaps://ldap-cit.smew.acme.com:636/o=acme.com";
String loginid = "George.Jetson";
String password = "";
DirContext ctx = null;
Hashtable env = new Hashtable();
Attributes attr = null;
Attributes resultsAttrs = null;
SearchResult result = null;
NamingEnumeration results = null;
int iResults = 0;
int iAttributes = 0;
env.put(Context.INITIAL_CONTEXT_FACTORY, lcf);
env.put(Context.PROVIDER_URL, ldapurl);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "uid=" + loginid + ",ou=People,o=acme.com");
env.put(Context.SECURITY_CREDENTIALS, password);
try {
ctx = new InitialDirContext(env);
attr = new BasicAttributes(true);
attr.put(new BasicAttribute("uid",loginid));
results = ctx.search("ou=People",attr);
while (results.hasMore()) {
result = (SearchResult)results.next();
resultsAttrs = result.getAttributes();
for (NamingEnumeration enumAttributes = resultsAttrs.getAll(); enumAttributes.hasMore();) {
Attribute a = (Attribute)enumAttributes.next();
System.out.println("attribute: " + a.getID() + " : " + a.get().toString());
iAttributes++;
}// end for loop
iResults++;
}// end while loop
System.out.println("Records == " + iResults + " Attributes: " + iAttributes);
}// end try
catch (Exception e) {
e.printStackTrace();
}
}// end function main()
}// end class LDAPTEST
推荐答案
很遗憾,使用 DN 和空密码进行身份验证是 LDAP 的难点之一,会导致未经身份验证".来自服务器的积极响应.一些 LDAP 服务器有配置选项来禁用在最新版本的 LDAPv3 (RFC 4511) 中不鼓励的行为,甚至默认禁用它.
Unfortunately, the authentication with a DN and an empty password is one of the difficiency of LDAP, and results in an "unauthenticated" positive response from the server. Some LDAP servers have configuration options to disable that behavior that has been discouraged in the latest revision of LDAPv3 (RFC 4511), and even have it disabled by default.
最终,客户端应用程序应该检查输入参数并确保密码不为空.
Ultimately, the client application should check input parameters and make sure the password is not empty.
相关文章