LDAP Namespace Options

LDAP 实现广泛使用 Spring LDAP,因此一些与该项目 API 相关的知识可能有用。

The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project’s API may be useful.

Defining the LDAP Server using the

<ldap-server>`元素该元素设置一个名为Spring LDAP `ContextSource`的 Spring LDAP 给其它的 LDAP Bean 使用,它定义了 LDAP 服务器的位置以及与其连接时需要的信息(例如,用户名和密码,如果它不允许匿名访问的话)。它也可以用于创建一个嵌入式服务器来进行测试。两种选项的语法的详细信息见 LDAP chapter。该 `ContextSource`的实际实现是 `DefaultSpringSecurityContextSource, 它扩展了 Spring LDAP 的 `LdapContextSource`类。`manager-dn`和 `manager-password`属性分别映射到后面的 `userDn`和 `password`属性。

<ldap-server> Element This element sets up a Spring LDAP ContextSource for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn’t allow anonymous access) for connecting to it. It can also be used to create an embedded server for testing. Details of the syntax for both options are covered in the LDAP chapter. The actual ContextSource implementation is DefaultSpringSecurityContextSource which extends Spring LDAP’s LdapContextSource class. The manager-dn and manager-password attributes map to the latter’s userDn and password properties respectively.

如果应用程序上下文中只定义了一个服务器,则其他 LDAP 命名空间定义的 Bean 将自动使用它。否则,您可以为元素提供一个“id”属性,并使用 server-ref 属性从其他命名空间 Bean 中引用它。如果您想在其他传统 Spring Bean 中使用它,这实际上是 ContextSource 实例的 Bean id

If you only have one server defined in your application context, the other LDAP namespace-defined beans will use it automatically. Otherwise, you can give the element an "id" attribute and refer to it from other namespace beans using the server-ref attribute. This is actually the bean id of the ContextSource instance, if you want to use it in other traditional Spring beans.

<ldap-server> Attributes

  • *mode*明确指定应使用哪个嵌入式 ldap 服务器。值是 apacheds`和 `unboundid。默认情况下,这取决于类路径中是否有库。

  • mode Explicitly specifies which embedded ldap server should use. Values are apacheds and unboundid. By default, it will depends if the library is available in the classpath.

  • *id*Bean 标识符,用于在上下文的其他位置引用 Bean。

  • id A bean identifier, used for referring to the bean elsewhere in the context.

  • ldif*明确指定一个 ldif 文件资源,以加载到嵌入式 LDAP 服务器中。ldif 应为 Spring 资源模式(即 classpath:init.ldif)。默认值为 classpath:*.ldif。

  • ldif Explicitly specifies an ldif file resource to load into an embedded LDAP server. The ldif should be a Spring resource pattern (i.e. classpath:init.ldif). The default is classpath*:*.ldif

  • *manager-dn*用于对(非嵌入式)LDAP 服务器进行身份验证的“manager”用户标识的用户名(DN)。如果省略,将使用匿名访问。

  • manager-dn Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.

  • *manager-password*manager DN 的密码。如果指定了 manager DN,则此项为必需。

  • manager-password The password for the manager DN. This is required if the manager-dn is specified.

  • *port*指定 IP 端口号。例如,用于配置嵌入式LDAP服务器。默认值是33389。

  • port Specifies an IP port number. Used to configure an embedded LDAP server, for example. The default value is 33389.

  • *root*嵌入式 LDAP 服务器的可选根后缀。默认值为“dc=springframework,dc=org”

  • root Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org"

  • *url*在不使用嵌入式LDAP服务器时指定ldap服务器URL。

  • url Specifies the ldap server URL when not using the embedded LDAP server.

<ldap-authentication-provider>

此元素是创建 LdapAuthenticationProvider 实例的简写。默认情况下,它将使用 BindAuthenticator 实例和 DefaultAuthoritiesPopulator 进行配置。与所有命名空间身份验证提供程序一样,它必须作为 authentication-provider 元素的子元素包含在内。

This element is shorthand for the creation of an LdapAuthenticationProvider instance. By default this will be configured with a BindAuthenticator instance and a DefaultAuthoritiesPopulator. As with all namespace authentication providers, it must be included as a child of the authentication-provider element.

Parent Elements of <ldap-authentication-provider>

<ldap-authentication-provider> Attributes

  • *group-role-attribute*包含将在Spring Security中使用的角色名称的LDAP属性名称。映射到 `DefaultLdapAuthoritiesPopulator&#8217;s `groupRoleAttribute`属性。默认为“cn”。

  • group-role-attribute The LDAP attribute name which contains the role name which will be used within Spring Security. Maps to the DefaultLdapAuthoritiesPopulator’s `groupRoleAttribute property. Defaults to "cn".

  • *group-search-base*组成员身份搜索的搜索基准。映射到 `DefaultLdapAuthoritiesPopulator&#8217;s `groupSearchBase`构造函数参数。默认为“” (从根开始搜索)。

  • group-search-base Search base for group membership searches. Maps to the DefaultLdapAuthoritiesPopulator’s `groupSearchBase constructor argument. Defaults to "" (searching from the root).

  • *group-search-filter*组搜索过滤器。映射到 DefaultLdapAuthoritiesPopulator&#8217;s `groupSearchFilter`属性。默认为 `(uniqueMember={0})。替换的参数是用户的DN。

  • group-search-filter Group search filter. Maps to the DefaultLdapAuthoritiesPopulator’s `groupSearchFilter property. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.

  • *role-prefix*将添加到从持久性加载的角色字符串的非空字符串前缀。映射到 `DefaultLdapAuthoritiesPopulator&#8217;s `rolePrefix`属性。默认为“ROLE_”。在默认值不为空的情况下,使用值“none”表示没有前缀。

  • role-prefix A non-empty string prefix that will be added to role strings loaded from persistent. Maps to the DefaultLdapAuthoritiesPopulator’s `rolePrefix property. Defaults to "ROLE_". Use the value "none" for no prefix in cases where the default is non-empty.

  • *server-ref*要使用的可选服务器。如果省略,并且注册了默认的LDAP服务器(使用不带ID的<ldap-server>),则将使用该服务器。

  • server-ref The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.

  • *user-context-mapper-ref*允许通过指定UserDetailsContextMapper bean来显式定制已加载的用户对象,该bean将使用来自用户目录条目的上下文信息进行调用

  • user-context-mapper-ref Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user’s directory entry

  • *user-details-class*允许指定用户条目的 objectClass。如果设置,框架将尝试将定义的类的标准属性加载到返回的 UserDetails 对象中

  • user-details-class Allows the objectClass of the user entry to be specified. If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object

  • *user-dn-pattern*如果你的用户在目录中的位置是固定的(即,你可以直接从用户名计算DN,而无需执行目录搜索),你可以使用此属性直接映射到DN。它直接映射到 AbstractLdapAuthenticator`中的 `userDnPatterns`属性。该值是用于构建用户DN的特定模式,例如 `uid={0},ou=people。密钥 `{0}`必须存在,并将用用户名替换。

  • user-dn-pattern If your users are at a fixed location in the directory (i.e. you can work out the DN directly from the username without doing a directory search), you can use this attribute to map directly to the DN. It maps directly to the userDnPatterns property of AbstractLdapAuthenticator. The value is a specific pattern used to build the user’s DN, for example uid={0},ou=people. The key {0} must be present and will be substituted with the username.

  • *user-search-base*用户搜索的搜索基准。默认为“”。仅与“user-search-filter”一起使用。[.iokays-translated-81eb2524126dcc6de348e8554d5fd547] 如果需要执行搜索以便在目录中找到用户,则您可以设置这些属性来控制搜索。BindAuthenticator 将使用 FilterBasedLdapUserSearch 进行配置,并且属性值直接映射到该 Bean 构造函数的前两个参数。如果未设置这些属性并且未提供 user-dn-pattern 作为替代,则会使用默认搜索值 user-search-filter="(uid={0})"user-search-base=""

If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search. The BindAuthenticator will be configured with a FilterBasedLdapUserSearch and the attribute values map directly to the first two arguments of that bean’s constructor. If these attributes aren’t set and no user-dn-pattern has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" and user-search-base="" will be used.

  • user-search-base Search base for user searches. Defaults to "". Only used with a 'user-search-filter'.[.iokays-translated-81eb2524126dcc6de348e8554d5fd547] 如果需要执行搜索以便在目录中找到用户,则您可以设置这些属性来控制搜索。BindAuthenticator 将使用 FilterBasedLdapUserSearch 进行配置,并且属性值直接映射到该 Bean 构造函数的前两个参数。如果未设置这些属性并且未提供 user-dn-pattern 作为替代,则会使用默认搜索值 user-search-filter="(uid={0})"user-search-base=""

If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search. The BindAuthenticator will be configured with a FilterBasedLdapUserSearch and the attribute values map directly to the first two arguments of that bean’s constructor. If these attributes aren’t set and no user-dn-pattern has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" and user-search-base="" will be used.

  • *user-search-filter*用于搜索用户的LDAP过滤器(可选)。例如,(uid={0})。替换的参数是用户的登录名。[.iokays-translated-81eb2524126dcc6de348e8554d5fd547] 如果需要执行搜索以便在目录中找到用户,则您可以设置这些属性来控制搜索。BindAuthenticator 将使用 FilterBasedLdapUserSearch 进行配置,并且属性值直接映射到该 Bean 构造函数的前两个参数。如果未设置这些属性并且未提供 user-dn-pattern 作为替代,则会使用默认搜索值 user-search-filter="(uid={0})"user-search-base=""

If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search. The BindAuthenticator will be configured with a FilterBasedLdapUserSearch and the attribute values map directly to the first two arguments of that bean’s constructor. If these attributes aren’t set and no user-dn-pattern has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" and user-search-base="" will be used.

  • user-search-filter The LDAP filter used to search for users (optional). For example (uid={0}). The substituted parameter is the user’s login name.[.iokays-translated-81eb2524126dcc6de348e8554d5fd547] 如果需要执行搜索以便在目录中找到用户,则您可以设置这些属性来控制搜索。BindAuthenticator 将使用 FilterBasedLdapUserSearch 进行配置,并且属性值直接映射到该 Bean 构造函数的前两个参数。如果未设置这些属性并且未提供 user-dn-pattern 作为替代,则会使用默认搜索值 user-search-filter="(uid={0})"user-search-base=""

If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search. The BindAuthenticator will be configured with a FilterBasedLdapUserSearch and the attribute values map directly to the first two arguments of that bean’s constructor. If these attributes aren’t set and no user-dn-pattern has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" and user-search-base="" will be used.

Child Elements of <ldap-authentication-provider>

<password-compare>

这用作 <ldap-provider> 的子元素,并将身份验证策略从 BindAuthenticator 切换为 PasswordComparisonAuthenticator

This is used as child element to <ldap-provider> and switches the authentication strategy from BindAuthenticator to PasswordComparisonAuthenticator.

Parent Elements of <password-compare>

<password-compare> Attributes

  • *hash*定义用于用户密码的哈希算法。我们强烈建议不要使用 MD4,因为它是一种非常弱的哈希算法。

  • hash Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.

  • *password-attribute*目录中包含用户密码的属性。默认为“userPassword”。

  • password-attribute The attribute in the directory which contains the user password. Defaults to "userPassword".

Child Elements of <password-compare>

<ldap-user-service>

此元素配置了一个 LDAP UserDetailsService。所使用的类是 LdapUserDetailsService,它是 FilterBasedLdapUserSearchDefaultLdapAuthoritiesPopulator 的组合。它支持的属性与 <ldap-provider> 中的使用方式相同。

This element configures an LDAP UserDetailsService. The class used is LdapUserDetailsService which is a combination of a FilterBasedLdapUserSearch and a DefaultLdapAuthoritiesPopulator. The attributes it supports have the same usage as in <ldap-provider>.

<ldap-user-service> Attributes

  • *cache-ref*定义与 UserDetailsService 一起使用的缓存的引用。

  • cache-ref Defines a reference to a cache for use with a UserDetailsService.

  • *group-role-attribute*包含将在Spring Security中使用的角色名称的LDAP属性名称。默认为“cn”。

  • group-role-attribute The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn".

  • *group-search-base*组成员身份搜索的搜索基准。默认为 ""(从根开始搜索)。

  • group-search-base Search base for group membership searches. Defaults to "" (searching from the root).

  • *group-search-filter*组搜索过滤器。默认为 (uniqueMember={0})。替换的参数是用户的DN。

  • group-search-filter Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user.

  • *id*Bean 标识符,用于在上下文的其他位置引用 Bean。

  • id A bean identifier, used for referring to the bean elsewhere in the context.

  • *role-prefix*将添加到从持久性存储加载的角色字符串的非空字符串前缀(例如,“ROLE_”)。在默认值不为空的情况下,使用值“none”表示没有前缀。

  • role-prefix A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the default is non-empty.

  • *server-ref*要使用的可选服务器。如果省略,并且注册了默认的LDAP服务器(使用不带ID的<ldap-server>),则将使用该服务器。

  • server-ref The optional server to use. If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.

  • *user-context-mapper-ref*允许通过指定UserDetailsContextMapper bean来显式定制已加载的用户对象,该bean将使用来自用户目录条目的上下文信息进行调用

  • user-context-mapper-ref Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user’s directory entry

  • *user-details-class*允许指定用户条目的 objectClass。如果设置,框架将尝试将定义的类的标准属性加载到返回的 UserDetails 对象中

  • user-details-class Allows the objectClass of the user entry to be specified. If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object

  • *user-search-base*用户搜索的搜索基准。默认为“”。仅与“user-search-filter”一起使用。

  • user-search-base Search base for user searches. Defaults to "". Only used with a 'user-search-filter'.

  • *user-search-filter*用于搜索用户的LDAP过滤器(可选)。例如,(uid={0})。替换的参数是用户的登录名。

  • user-search-filter The LDAP filter used to search for users (optional). For example (uid={0}). The substituted parameter is the user’s login name.