LDAP none、simple、strong 笔记
// 该笔记仍在调研中!!不确保中有错误信息!最终目的是想用java实现这三种认证方式。
1、ldaps:// 注意多了个s
参考:https://mail.python.org/pipermail/python-ldap/2002q1/000584.html
Dirksen Lau wrote:
>> When I try the bind operation against our department LDAP server,
> I got this
> error: ldap.STRONG_AUTH_REQUIRED: {'desc': 'Strong authentication
> required',
> 'info': 'This LDAP server does not accept cleartext passwords'}
This means you have to authenticate by presenting a client certificate which
is done during establishing the SSL connection. > How to do the strong authentication?
1. Make yourself familiar with concepts of SSL and client certificates.
2. Ask your LDAP server admin whether you have to use LDAP over SSL to
separate port or using StartTLS extended operation.
3. Look at Demo/initialize.py to get a idea of how to connect with
python-ldap using either one of the methods.
4. Have a client certificate and matching private key at
hand as "PEM files". You have to get a client certificate which validates
against a trusted root CA cert at the LDAP server. Ask your admin.
5. Use
ldap.set_option(ldap.OPT_X_TLS_CERTFILE,client_cert_file)
ldap.set_option(ldap.OPT_X_TLS_KEYFILE,client_key_file)
to point the python-ldap and OpenLDAP libs to the files to use for strong
authentication during opening the SSL connection. Ciao, Michael. On Sat, Mar 30, 2002 at 12:10:09PM +0800, Dirksen Lau wrote:
> How to do the strong authentication? There are two ways:
1. SSL/TLS
==========
Use thing like this (instead of your ldap_open or ldap_initialize):
l=ldap_initialize("ldaps://....");
This will work if your server listens on ldaps port. If your server listens on ldap port only,
but supports TLS, you use it:
l=ldap_initialize("ldap://....")
l.protocol_version=ldap.VERSION3
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
l.start_tls_s()
2. SASL
========
This is not yet supported by python-ldap, but is being worked on.
SASL is a way of doing strong authentication even without encrypting the whole sessions.
Greets, Jacek
参考:https://stackoverflow.com/questions/5991591/php-ldap-stronger-authentication-required
- SECURITY_AUTHENTICATION: specifies the authentication mechanism to use, which is one of the following strings:
- “none”: use no authentication (anonymous).
- “simple”: use weak authentication (password in clear text).
- sasl_mech: use strong authentication with SASL (Simple Authentication and Security Layer).
参考:http://www.codejava.net/coding/connecting-to-ldap-server-using-jndi-in-java
Authentication Mechanisms验证机制
参考:http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html
Different versions of the LDAP support different types of authentication. The LDAP v2 defines three types of authentication: anonymous匿名, simple (clear-text password明文密码), and Kerberos v4.
The LDAP v3 supports anonymous, simple, and SASL authentication.
How to enable LDAP signing in Windows Server 2008
参考:https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
GSS-API/Kerberos v5 Authentication
参考:https://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html
End-to-end steps for configuring Active Directory Kerberos authentication
Enable support for Kerberos authentication
参考:https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx
Java安全之认证与授权
参考:http://blog.csdn.net/xiaolangfanhua/article/details/52835920
配置 Kerberos 身份验证 (SharePoint Foundation 2010)
参考:https://msdn.microsoft.com/zh-cn/subscriptions/ff607695
Windows Server 2012:设置您的第一个域控制器(一步一步)
LDAP none、simple、strong 笔记的更多相关文章
- Java使用LdAP获取AD域用户
随着我们的习大大上台后,国家在网络信息安全方面就有了非常明显的改变!所以如今好多做网络信息安全产品的公司和须要网络信息安全的公司都会提到用AD域server来验证,这里就简单的研究了一下! 先简单的讲 ...
- JAVA使用Ldap操作AD域
项目上遇到的需要在集成 操作域用户的信息的功能,第一次接触ad域,因为不了解而且网上其他介绍不明确,比较费时,这里记录下. 说明: (1). 特别注意:Java操作查询域用户信息获取到的数据和域管理员 ...
- AD域和LDAP协议
随着我们的习大大上台后,国家在网络信息安全方面就有了很明显的改变!所以现在好多做网络信息安全产品的公司和需要网络信息安全的公司都会提到用AD域服务器来验证,这里就简单的研究了一下! 先简单的讲讲AD域 ...
- JAVA中使用LDAP登录的三种方式
搜索中关于java 登录ldap,大部分会采用 cn=xxx,ou=xxx,dc=xxx的方式,此处的cn是用户的Display Name,而不是account,而且如果ou有多层,比如我们的OU就 ...
- Ldap 从入门到放弃(一)
OpenLDAP 2.4版本 快速入门 本文内容是自己通过官网文档.网络和相关书籍学习和理解并整理成文档,其中有错误或者疑问请在文章下方留言. 一.Introduction to OpenLDAP D ...
- centos Sonarqube ldap(AD域) 配置
1. 测试ad 连接 命令: ldapsearch -h 192.168.1.4 -D LXWJadmin@wjj.local -w 用户密码 -b "OU=蓝翔技校,OU=挖掘机事业群,O ...
- Realm Configuration HOW-TO--官方
来源:https://secure.gettinglegaldone.com/docs/realm-howto.html Quick Start This document describes how ...
- 使用java连接AD域,验证账号password是否正确
web项目中有时候客户要求我们使用ad域进行身份确认,不再另外做一套用户管理系统.事实上客户就是仅仅要一套账号能够訪问全部的OA.CRM等办公系统. 这就是第三方验证.一般有AD域,Ldap,Radi ...
- java修改AD域用户密码使用SSL连接方式
正常情况下,JAVA修改AD域用户属性,只能修改一些普通属性, 如果要修改AD域用户密码和userAccountControl属性就得使用SSL连接的方式修改, SSL连接的方式需要操作以下步骤: 1 ...
随机推荐
- 引文分析工具HistCite使用简介
运行环境: win8.1(lenovo Y450) 1.去www.histcite.com下载histcite最新版,并安装 2.去WOS下载文献.保存方式为: 记录数: 记录1至500(最大支持50 ...
- nginx增加ssl支持 - 编译时参数详情列表
./configure \ --with-http_ssl_module \ make && make install nginx编译参数说明如下: --prefix=&l ...
- linux分享三:文件操作
查找文件命令: which 查看可执行文件的位置 whereis 查看文件的位置 locate 配 合数据库查看文件位置 find 实际搜寻硬盘查询文件 ...
- c# vs2010 excel 上传oracle数据
excel 数据表上传到oracle数据库.过程例如以下: 1.打开本地excel文件 2.用OleDb连接excel文件 3.将来excel的数据读取到dataset中 4.把dataset 中数据 ...
- SQL Server 2008开启sa账户以及如何用JDBC进行连接
做实验需要用Java与SQL Server连接,因为使用的 SQL 2008 Express Edition 是基于 Visual Studio2010 安装包安装时一起安装的,所以为了方便数据库的操 ...
- EMIT 动态创建类型
https://www.cnblogs.com/xiaodlll/p/4029051.html 值得一读
- mysql中tinyint、smallint、int、bigint的区别
tinyint 从 -2^7 (-128) 到 2^7 - 1 (123) 的整型数据.存储大小为 1 个字节. unsigned 是从 0 到 255 的整型数据. 所以建表的时候 只能是tinyi ...
- scikit
http://scikit-learn.org/dev/_downloads/scikit-learn-docs.pdf http://scikit-learn.org/stable/tutorial ...
- 解决jar格式文件,双击不能直接运行问题
前提: 安装了JDK 步骤: 1.先右击jar文件,打开方式->选择默认程序->浏览,选中jre下bin文件中javaw.exe(比如我的javaw.exe在C:\Program Fil ...
- 每日英语:Making the Most of Your Lunch Hour
More Americans are eating lunch at their desks or even forgoing it altogether. Is passing up a prope ...