Worklight 6.2 使用 OpenDS 对 LDAP 进行身份验证
Posted
技术标签:
【中文标题】Worklight 6.2 使用 OpenDS 对 LDAP 进行身份验证【英文标题】:Worklight 6.2 Authentication to LDAP using OpenDS 【发布时间】:2014-11-04 12:03:41 【问题描述】:我正在努力使用 openDS 进行 ldap 身份验证。我使用 Worklight Studio 6.2 和 Apache DS 2.0 作为 ldap 浏览器。
该项目应该是调用一个登录页面,然后提交用户名和密码进行认证的ldap。
我在 Firefox 控制台中收到以下错误:
POST http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check [HTTP/1.1 200 OK 253ms]
undefined entity j_security_check:134
在 eclipse 中的 worklight 控制台中:
[WARNING ] FWLSE0138W: LdapLoginModule authentication failed. Reason 'javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
[WARNING ] FWLSE0239W: Authentication failure in realm 'LDAPRealm': login fail [project LDAPTest]
我认为问题可能出在我的连接字符串或我的挑战处理程序上。但我怀疑由于我的错误是无效凭据,它必须是我在 authenticationconfig.xml 中的连接字符串。
我尝试了几种方法,包括这里的一些帖子,例如:
Worklight LDAP authentication using ApacheDS Worklight LDAP authentication using ApacheDS 2.0
还有其他。我按照 IBM LDAP 示例进行设置,并检查以确保我具有相同的结构。
任何解决此问题的帮助将不胜感激。此外,如果您认为我应该检查我的 LDAP 配置,我也可以发布我遵循 openDS wiki 的教程。我能够使用 apache browser studio 和 softera LDAP 管理员连接到它。
我的项目如下:-
index.html:
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>LDAPTest</title>
<meta name="viewport"
content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=0">
<!--
<link rel="shortcut icon" href="images/favicon.png">
<link rel="apple-touch-icon" href="images/apple-touch-icon.png">
-->
<link rel="stylesheet" href="css/main.css">
<script>window.$ = window.jQuery = WLJQ;</script>
</head>
<body style="display: none;">
<div id="header">
<h1>SigmaLDAP Login Module</h1>
</div>
<div id="wrapper">
<div id="AppDiv">
<input type="button" class="appButton"
value="Call protected adapter proc" onclick="getSecretData()" /> <input
type="button" class="appButton" value="Logout"
onclick="WL.Client.logout('LDAPRealm',onSuccess: WL.Client.reloadApp)" />
<p id="resultDiv"></p>
</div>
<div id="AuthDiv" style="display: none">
<div id="loginForm">
<input type="text" id="usernameInputField"
placeholder="Enter username" /> <br /> <input type="password"
placeholder="Enter password" id="passwordInputField" /> <br /> <input
type="button" class="formButton" id="loginButton" value="Login" />
<input type="button" class="formButton" id="cancelButton"
value="Cancel" />
</div>
</div>
</div>
<script src="js/initOptions.js"></script>
<script src="js/main.js"></script>
<script src="js/messages.js"></script>
<script src="js/LDAPRealmChallenger.js"></script>
</body>
</html>
Main.js
function wlCommonInit()
function getSecretData()
WL.Logger.info('invoking the adpater');
var invocationData =
adapter: "LDAPter",
procedure: "getSecretData",
parameters: []
;
WL.Client.invokeProcedure(invocationData,
onSuccess: getSecretData_Callback,
onFailure: getSecretData_Callback,
timeout: 2000
);
function getSecretData_Callback(response)
$("#resultDiv").css("padding", "10px");
$("#resultDiv").html(new Date() + "<hr/>");
$("#resultDiv").append("Secret data :: " + response.invocationResult.secretData + "<hr/>");
$("#resultDiv").append("Response :: " + JSON.stringify(response));
我的 Challenger.js
var LDAPRealmChallengeHandler = WL.Client.createChallengeHandler("LDAPRealm");
LDAPRealmChallengeHandler.isCustomResponse = function(response)
if (!response || !response.responseText)
WL.Logger.info('failed to authenticate');
var idx = response.responseText.indexOf("j_security_check");
if (idx >= 0)
WL.Logger.info("Authenticated");
return true;
return false;
;
LDAPRealmChallengeHandler.handleChallenge = function(response)
$('#AppDiv').hide();
$('#AuthDiv').show();
$('#passwordInputField').val('');
;
$('#loginButton').bind('click', function ()
var reqURL = '/j_security_check';
var options = ;
options.parameters =
j_username : $('#usernameInputField').val(),
j_password : $('#passwordInputField').val()
;
options.headers = ;
LDAPRealmChallengeHandler.submitLoginForm(reqURL, options, LDAPRealmChallengeHandler.submitLoginFormCallback);
);
$('#cancelButton').bind('click', function ()
$('#AppDiv').show();
$('#AuthDiv').hide();
LDAPRealmChallengeHandler.submitFailure();
);
LDAPRealmChallengeHandler.submitLoginFormCallback = function(response)
var isLoginFormResponse = LDAPRealmChallengeHandler.isCustomResponse(response);
if (isLoginFormResponse)
LDAPRealmChallengeHandler.handleChallenge(response);
else
$('#AppDiv').show();
$('#AuthDiv').hide();
LDAPRealmChallengeHandler.submitSuccess();
;
我的适配者: js文件
function getSecretData()
console.log("getting you secrets mofos");
return secretData: 1234;
xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed Materials - Property of IBM
5725-I43 (C) Copyright IBM Corp. 2011, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<wl:adapter name="LDAPter"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.worklight.com/integration"
xmlns:http="http://www.worklight.com/integration/http">
<displayName>LDAPter</displayName>
<description>LDAPter</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>http</protocol>
<domain>none</domain>
<port>80</port>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
<procedure name="getSecretData" securityTest="LDAPSecurityTest" />
</wl:adapter>
The authenticationConfig.xml:
<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Licensed Materials - Property of IBM 5725-I43 (C) Copyright IBM Corp.
2006, 2013. All Rights Reserved. US Government Users Restricted Rights -
Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp. -->
<staticResources>
<!-- <resource id="logUploadServlet" securityTest="LogUploadServlet"> <urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource> -->
<resource id="subscribeServlet" securityTest="SubscribeServlet">
<urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
</resource>
</staticResources>
<!-- Sample security tests Even if not used there will be some default webSecurityTest
and mobileSecurityTest Attention: If you are adding an app authenticity realm
to a security test, you must also update the application-descriptor.xml.
Please refer to the user documentation on application authenticity for environment
specific guidelines. -->
<securityTests>
<customSecurityTest name="LDAPSecurityTest">
<test isInternalUserID="true" realm="LDAPRealm" />
</customSecurityTest>
<!-- <mobileSecurityTest name="mobileTests"> <testAppAuthenticity/> <testDeviceId
provisioningType="none" /> <testUser realm="myMobileLoginForm" /> <testDirectUpdate
mode="perSession" /> </mobileSecurityTest> <webSecurityTest name="webTests">
<testUser realm="myWebLoginForm"/> </webSecurityTest> <customSecurityTest
name="customTests"> <test realm="wl_antiXSRFRealm" step="1"/> <test realm="wl_authenticityRealm"
step="1"/> <test realm="wl_remoteDisableRealm" step="1"/> <test realm="wl_directUpdateRealm"
mode="perSession" step="1"/> <test realm="wl_anonymousUserRealm" isInternalUserID="true"
step="1"/> <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true"
step="2"/> </customSecurityTest> <customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/> <test realm="LogUploadServlet"
isInternalUserID="true"/> </customSecurityTest> -->
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true" />
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="LDAPLoginModule" name="LDAPRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
<realm name="SubscribeServlet" loginModule="rejectAll">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<!-- For client logger -->
<!-- <realm name="LogUploadServlet" loginModule="StrongDummy"> <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm -->
<!-- For websphere -->
<!-- realm name="WASLTPARealm" loginModule="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
<parameter name="login-page" value="/login.html"/> <parameter name="error-page"
value="/loginError.html"/> </realm -->
<!-- For User Certificate Authentication -->
<!-- realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule">
<className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className>
<parameter name="dependent-user-auth-realm" value="WASLTPARealm" /> <parameter
name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI"
/> <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/opt/ssl_ca/ca.p12"/>
<parameter name="embedded-pki-bridge-ca-p12-password" value="capassword"
/> </realm -->
<!-- For Trusteer Fraud Detection -->
<!-- Requires acquiring Trusteer SDK -->
<!-- realm name="wl_basicTrusteerFraudDetectionRealm" loginModule="trusteerFraudDetectionLogin">
<className>com.worklight.core.auth.ext.TrusteerAuthenticator</className>
<parameter name="rooted-device" value="block"/> <parameter name="device-with-malware"
value="block"/> <parameter name="rooted-hiders" value="block"/> <parameter
name="unsecured-wifi" value="alert"/> <parameter name="outdated-configuration"
value="alert"/> </realm -->
</realms>
<loginModules>
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://localhost:389/dc=sigma,dc=com" />
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="uid=username,ou=users,dc=sigma,dc=com"/>
<parameter name="ldapSearchFilterPattern" value="(uid=username)"/>
<parameter name="ldapSearchBase" value="ou=users,dc=sigma,dc=com"/>
</loginModule>
<loginModule name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
<loginModule name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<!-- Required for Trusteer - wl_basicTrusteerFraudDetectionRealm -->
<!-- loginModule name="trusteerFraudDetectionLogin"> <className>com.worklight.core.auth.ext.TrusteerLoginModule</className>
</loginModule -->
<!-- For websphere -->
<!-- loginModule name="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
</loginModule -->
<!-- Login module for User Certificate Authentication -->
<!-- <loginModule name="WLUserCertificateLoginModule"> <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className>
</loginModule> -->
<!-- For enabling SSO with no-provisioning device authentication -->
<!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule> -->
<!-- For enabling SSO with auto-provisioning device authentication -->
<!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceAutoProvisioningLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule> -->
</loginModules>
</tns:loginConfiguration>
来自 j_security_check 的响应
Request URL: http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check
Request Method: POST
Status Code: HTTP/1.1 200 OK
Request Headers 12:47:00.000
x-wl-app-version: 1.0
x-wl-analytics-tracking-id: a948e425-1ace-a28b-3d27-11bac5ba3de3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Referer: http://10.2.38.14:10080/LDAPTest/apps/services/preview/LDAPTest/common/0/default/index.html
Pragma: no-cache
Host: 10.2.38.14:10080
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 37
Connection: keep-alive
Cache-Control: no-cache
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Accept: text/javascript, text/html, application/xml, text/xml, */*
Sent Cookie
WL_PERSISTENT_COOKIE: b24de65a-9c5a-4f58-97d7-348e92c78034
testcookie: oreo
LtpaToken2: rZBXVP4XKLnpvJpLFrp3UArtZGrcsGAXr4jGDTBurns9Ej5Nrx1s4/yWsDJJN6xfWkxWh1/3bBruHvL9twdae1qVcE2/D/0GfMwd1pVLbpowclNLFtqKBonEXxV6TlFIVaKgKz62SHR2to3Az/vbTjF+ZH8V1QnAdGi6dC8mk+wympju0P/4hLKWHseN9Sty2UM94cL2Cd+vcBGhJ5QVF211RIwQTXuGeQl+WMTg6B8Kfjlvly4sanyVr5va2AW38752VNEWtdnsrTHcayO/lAG1SyebFEKtaTVZhOPBkml5m6AojEGlDbcUjjof6e9H
JSESSIONID: 0000QTvrT7OBSgjn7OJG9XPMtIE:b45f2ac7-fb59-4da4-b233-f8bc81b81cf0
Response Headers Δ315ms
X-Powered-By: Servlet/3.0
Transfer-Encoding: chunked
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Expires: -1
Date: Mon, 10 Nov 2014 11:47:00 GMT
Content-Language: en-US
firefox 控制台还返回 j_sescurity_check 的未定义实体和行号 134,在下面的 sn-p 中是 dic 之前的最后一行。 它指向的代码如下:
body onload="isPopup(); setFocus();">
<div id="authenticatorLoginFormWrapper">
<h1>IBM</h1>
<h2>IBM Worklight</h2>
<form method="post" action="j_security_check">
<p id="error">Please check the credentials</p>
<label for="j_username">User name:</label>
<input type="text" id="j_username" name="j_username" placeholder="User name" />
<br />
<label for="j_password">Password:</label>
<input type="password" id="j_password" name="j_password" placeholder="Password" />
<br />
<input type="submit" id="login" name="login" value="Log In" />
</form>
<p id="copyright">© 2006, 2012 IBM Corporation. <a href="#" target="_blank">Trademark</a></p>
</div>
【问题讨论】:
我没有立即看到任何错误。您能否发布 POST x.x.x.x:10080/LDAPTest/apps/services/j_security_check 的响应内容?那里可能存在质询处理程序无法处理的隐藏错误。 抱歉,Mike 回复晚了,请在上面找到作为编辑添加的 j_security_check 的内容。我没有发现任何有用的东西。我一直在玩弄我的连接字符串,试图弄清楚问题出在哪里,但还没有确定性 【参考方案1】:您能否尝试消除设置中的一些变量,并首先尝试检查您的 LDAP 服务器是否配置正确?
你可以使用这个:https://serverfault.com/questions/514870/how-do-i-authenticate-with-ldap-via-the-command-line
使用命令行工具与您的 ldap 服务器进行简单连接
【讨论】:
【参考方案2】:我遇到了类似的问题,我的工作配置是从simple 移动到exists 签入authenticationConfig.xml 文件。
但特别是大的飞跃不再在ldapSecurityPrincipalPattern 中使用uid,而是为用户使用cn。
我将配置粘贴在下面,希望对您有用(请注意在我的具体情况下,我设置了一个测试服务器 corp.workgroup.com 域):
<loginModules>
<loginModule expirationInSeconds="-1" name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://yourserver" />
<parameter name="ldapTimeoutMs" value="2000" />
<parameter name="ldapSecurityAuthentication" value="simple" />
<parameter name="validationType" value="exists" />
<parameter name="ldapSecurityPrincipalPattern" value="cn=username,cn=Users,dc=corp,dc=workgroup,dc=com" />
<parameter name="ldapReferral" value="ignore" />
</loginModule>
【讨论】:
以上是关于Worklight 6.2 使用 OpenDS 对 LDAP 进行身份验证的主要内容,如果未能解决你的问题,请参考以下文章
手动安装 Worklight 服务器并声明 Worklight 运行时 (WL 6.2)
Worklight 6.2 - 隐藏 iphone/native 下的 LibInclude 目录
Worklight 6.2 - 推送通知 - 是不是可以更改 userSubscription.userId?