Worklight 6.2 使用 OpenDS 对 LDAP 进行身份验证

Posted

技术标签:

【中文标题】Worklight 6.2 使用 OpenDS 对 LDAP 进行身份验证【英文标题】:Worklight 6.2 Authentication to LDAP using OpenDS 【发布时间】:2014-11-04 12:03:41 【问题描述】:

我正在努力使用 openDS 进行 ldap 身份验证。我使用 Worklight Studio 6.2 和 Apache DS 2.0 作为 ldap 浏览器。

该项目应该是调用一个登录页面,然后提交用户名和密码进行认证的ldap。

我在 Firefox 控制台中收到以下错误:

POST http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check [HTTP/1.1 200 OK 253ms]
undefined entity j_security_check:134 

在 eclipse 中的 worklight 控制台中:

[WARNING ] FWLSE0138W: LdapLoginModule authentication failed. Reason 'javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
[WARNING ] FWLSE0239W: Authentication failure in realm 'LDAPRealm': login fail [project LDAPTest]

我认为问题可能出在我的连接字符串或我的挑战处理程序上。但我怀疑由于我的错误是无效凭据,它必须是我在 authenticationconfig.xml 中的连接字符串。

我尝试了几种方法,包括这里的一些帖子,例如:

Worklight LDAP authentication using ApacheDS Worklight LDAP authentication using ApacheDS 2.0

还有其他。我按照 IBM LDAP 示例进行设置,并检查以确保我具有相同的结构。

任何解决此问题的帮助将不胜感激。此外,如果您认为我应该检查我的 LDAP 配置,我也可以发布我遵循 openDS wiki 的教程。我能够使用 apache browser studio 和 softera LDAP 管理员连接到它。

我的项目如下:-

index.html

<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>LDAPTest</title>
<meta name="viewport"
    content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=0">
<!--
                <link rel="shortcut icon" href="images/favicon.png">
                <link rel="apple-touch-icon" href="images/apple-touch-icon.png"> 
            -->
<link rel="stylesheet" href="css/main.css">
<script>window.$ = window.jQuery = WLJQ;</script>
</head>
<body style="display: none;">

    <div id="header">
        <h1>SigmaLDAP Login Module</h1>
    </div>

    <div id="wrapper">
        <div id="AppDiv">
            <input type="button" class="appButton"
                value="Call protected adapter proc" onclick="getSecretData()" /> <input
                type="button" class="appButton" value="Logout"
                onclick="WL.Client.logout('LDAPRealm',onSuccess: WL.Client.reloadApp)" />
            <p id="resultDiv"></p>
        </div>

        <div id="AuthDiv" style="display: none">
            <div id="loginForm">
                <input type="text" id="usernameInputField"
                    placeholder="Enter username" /> <br /> <input type="password"
                    placeholder="Enter password" id="passwordInputField" /> <br /> <input
                    type="button" class="formButton" id="loginButton" value="Login" />
                <input type="button" class="formButton" id="cancelButton"
                    value="Cancel" />
            </div>
        </div>
    </div>


    <script src="js/initOptions.js"></script>
    <script src="js/main.js"></script>
    <script src="js/messages.js"></script>
    <script src="js/LDAPRealmChallenger.js"></script>
</body>
</html>

Main.js

function wlCommonInit()



function getSecretData()
    WL.Logger.info('invoking the adpater');
    var invocationData = 
            adapter: "LDAPter",
            procedure: "getSecretData",
            parameters: []
    ;

    WL.Client.invokeProcedure(invocationData, 
        onSuccess: getSecretData_Callback,
        onFailure: getSecretData_Callback,
        timeout: 2000
    );


function getSecretData_Callback(response)
    $("#resultDiv").css("padding", "10px");
    $("#resultDiv").html(new Date() + "<hr/>");
    $("#resultDiv").append("Secret data :: " + response.invocationResult.secretData + "<hr/>"); 
    $("#resultDiv").append("Response :: " + JSON.stringify(response));

我的 Challenger.js

var LDAPRealmChallengeHandler = WL.Client.createChallengeHandler("LDAPRealm");

LDAPRealmChallengeHandler.isCustomResponse = function(response) 
    if (!response || !response.responseText) 
        WL.Logger.info('failed to authenticate');
    

    var idx = response.responseText.indexOf("j_security_check");

    if (idx >= 0) 
        WL.Logger.info("Authenticated");
        return true;
    
    return false;

;

LDAPRealmChallengeHandler.handleChallenge = function(response)
        $('#AppDiv').hide();
        $('#AuthDiv').show();
        $('#passwordInputField').val('');
;

$('#loginButton').bind('click', function () 
    var reqURL = '/j_security_check';
    var options = ;
    options.parameters = 
            j_username : $('#usernameInputField').val(),
            j_password : $('#passwordInputField').val()
    ;
    options.headers = ;
    LDAPRealmChallengeHandler.submitLoginForm(reqURL, options, LDAPRealmChallengeHandler.submitLoginFormCallback);
);

$('#cancelButton').bind('click', function () 
    $('#AppDiv').show();
    $('#AuthDiv').hide();
    LDAPRealmChallengeHandler.submitFailure();
);

LDAPRealmChallengeHandler.submitLoginFormCallback = function(response) 
    var isLoginFormResponse = LDAPRealmChallengeHandler.isCustomResponse(response);
    if (isLoginFormResponse)
        LDAPRealmChallengeHandler.handleChallenge(response);
     else 
        $('#AppDiv').show();
        $('#AuthDiv').hide();
        LDAPRealmChallengeHandler.submitSuccess();
    
;

我的适配者: js文件

function getSecretData()
     console.log("getting you secrets mofos");
    return secretData: 1234;
  

xml文件:

 <?xml version="1.0" encoding="UTF-8"?>
    <!--
        Licensed Materials - Property of IBM
        5725-I43 (C) Copyright IBM Corp. 2011, 2013. All Rights Reserved.
        US Government Users Restricted Rights - Use, duplication or
        disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    -->
    <wl:adapter name="LDAPter"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:wl="http://www.worklight.com/integration"
        xmlns:http="http://www.worklight.com/integration/http">

        <displayName>LDAPter</displayName>
        <description>LDAPter</description>
            <connectivity>
            <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
                <protocol>http</protocol>
                <domain>none</domain>
                <port>80</port>         
            </connectionPolicy>
            <loadConstraints maxConcurrentConnectionsPerNode="2" />
        </connectivity>

        <procedure name="getSecretData"  securityTest="LDAPSecurityTest" />
    </wl:adapter>


The authenticationConfig.xml:

<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Licensed Materials - Property of IBM 5725-I43 (C) Copyright IBM Corp. 
        2006, 2013. All Rights Reserved. US Government Users Restricted Rights - 
        Use, duplication or disclosure restricted by GSA ADP Schedule Contract with 
        IBM Corp. -->

    <staticResources>
        <!-- <resource id="logUploadServlet" securityTest="LogUploadServlet"> <urlPatterns>/apps/services/loguploader*</urlPatterns> 
            </resource> -->
        <resource id="subscribeServlet" securityTest="SubscribeServlet">
            <urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
        </resource>

    </staticResources>

    <!-- Sample security tests Even if not used there will be some default webSecurityTest 
        and mobileSecurityTest Attention: If you are adding an app authenticity realm 
        to a security test, you must also update the application-descriptor.xml. 
        Please refer to the user documentation on application authenticity for environment 
        specific guidelines. -->

    <securityTests>

        <customSecurityTest name="LDAPSecurityTest">
                <test isInternalUserID="true" realm="LDAPRealm" />
        </customSecurityTest>

        <!-- <mobileSecurityTest name="mobileTests"> <testAppAuthenticity/> <testDeviceId 
            provisioningType="none" /> <testUser realm="myMobileLoginForm" /> <testDirectUpdate 
            mode="perSession" /> </mobileSecurityTest> <webSecurityTest name="webTests"> 
            <testUser realm="myWebLoginForm"/> </webSecurityTest> <customSecurityTest 
            name="customTests"> <test realm="wl_antiXSRFRealm" step="1"/> <test realm="wl_authenticityRealm" 
            step="1"/> <test realm="wl_remoteDisableRealm" step="1"/> <test realm="wl_directUpdateRealm" 
            mode="perSession" step="1"/> <test realm="wl_anonymousUserRealm" isInternalUserID="true" 
            step="1"/> <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" 
            step="2"/> </customSecurityTest> <customSecurityTest name="LogUploadServlet"> 
            <test realm="wl_anonymousUserRealm" step="1"/> <test realm="LogUploadServlet" 
            isInternalUserID="true"/> </customSecurityTest> -->
        <customSecurityTest name="SubscribeServlet">
            <test realm="SubscribeServlet" isInternalUserID="true" />
        </customSecurityTest>

    </securityTests>

    <realms>

        <realm loginModule="LDAPLoginModule" name="LDAPRealm">
            <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
            <onLoginUrl>/console</onLoginUrl>
        </realm>

        <realm name="SubscribeServlet" loginModule="rejectAll">
            <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
        </realm>

        <!-- For client logger -->
        <!-- <realm name="LogUploadServlet" loginModule="StrongDummy"> <className>com.worklight.core.auth.ext.HeaderAuthenticator</className> 
            </realm -->

        <!-- For websphere -->
        <!-- realm name="WASLTPARealm" loginModule="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className> 
            <parameter name="login-page" value="/login.html"/> <parameter name="error-page" 
            value="/loginError.html"/> </realm -->

        <!-- For User Certificate Authentication -->
        <!-- realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule"> 
            <className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className> 
            <parameter name="dependent-user-auth-realm" value="WASLTPARealm" /> <parameter 
            name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI" 
            /> <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/opt/ssl_ca/ca.p12"/> 
            <parameter name="embedded-pki-bridge-ca-p12-password" value="capassword" 
            /> </realm -->

        <!-- For Trusteer Fraud Detection -->
        <!-- Requires acquiring Trusteer SDK -->
        <!-- realm name="wl_basicTrusteerFraudDetectionRealm" loginModule="trusteerFraudDetectionLogin"> 
            <className>com.worklight.core.auth.ext.TrusteerAuthenticator</className> 
            <parameter name="rooted-device" value="block"/> <parameter name="device-with-malware" 
            value="block"/> <parameter name="rooted-hiders" value="block"/> <parameter 
            name="unsecured-wifi" value="alert"/> <parameter name="outdated-configuration" 
            value="alert"/> </realm -->

    </realms>

    <loginModules>

        <loginModule name="LDAPLoginModule">
            <className>com.worklight.core.auth.ext.LdapLoginModule</className>
            <parameter name="ldapProviderUrl" value="ldap://localhost:389/dc=sigma,dc=com" />
            <parameter name="ldapTimeoutMs" value="2000"/>
            <parameter name="ldapSecurityAuthentication" value="simple"/>
            <parameter name="validationType" value="searchPattern"/>
            <parameter name="ldapSecurityPrincipalPattern" value="uid=username,ou=users,dc=sigma,dc=com"/>
            <parameter name="ldapSearchFilterPattern" value="(uid=username)"/>
            <parameter name="ldapSearchBase" value="ou=users,dc=sigma,dc=com"/>  
        </loginModule>

        <loginModule name="StrongDummy">
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
        </loginModule>

        <loginModule name="requireLogin">
            <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
        </loginModule>

        <loginModule name="rejectAll">
            <className>com.worklight.core.auth.ext.RejectingLoginModule</className>
        </loginModule>

        <!-- Required for Trusteer - wl_basicTrusteerFraudDetectionRealm -->
        <!-- loginModule name="trusteerFraudDetectionLogin"> <className>com.worklight.core.auth.ext.TrusteerLoginModule</className> 
            </loginModule -->

        <!-- For websphere -->
        <!-- loginModule name="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereLoginModule</className> 
            </loginModule -->

        <!-- Login module for User Certificate Authentication -->
        <!-- <loginModule name="WLUserCertificateLoginModule"> <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className> 
            </loginModule> -->


        <!-- For enabling SSO with no-provisioning device authentication -->
        <!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule"> 
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className> 
            </loginModule> -->


        <!-- For enabling SSO with auto-provisioning device authentication -->
        <!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceAutoProvisioningLoginModule"> 
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className> 
            </loginModule> -->
    </loginModules>

</tns:loginConfiguration>

来自 j_security_check 的响应

Request URL:    http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check
Request Method:     POST
Status Code:    HTTP/1.1 200 OK


Request Headers 12:47:00.000
x-wl-app-version:   1.0
x-wl-analytics-tracking-id: a948e425-1ace-a28b-3d27-11bac5ba3de3
X-Requested-With:   XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Referer:    http://10.2.38.14:10080/LDAPTest/apps/services/preview/LDAPTest/common/0/default/index.html
Pragma: no-cache
Host:   10.2.38.14:10080
Content-Type:   application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 37
Connection: keep-alive
Cache-Control:  no-cache
Accept-Language:    en-US
Accept-Encoding:    gzip, deflate
Accept: text/javascript, text/html, application/xml, text/xml, */*


Sent Cookie
WL_PERSISTENT_COOKIE:   b24de65a-9c5a-4f58-97d7-348e92c78034
testcookie: oreo
LtpaToken2: rZBXVP4XKLnpvJpLFrp3UArtZGrcsGAXr4jGDTBurns9Ej5Nrx1s4/yWsDJJN6xfWkxWh1/3bBruHvL9twdae1qVcE2/D/0GfMwd1pVLbpowclNLFtqKBonEXxV6TlFIVaKgKz62SHR2to3Az/vbTjF+ZH8V1QnAdGi6dC8mk+wympju0P/4hLKWHseN9Sty2UM94cL2Cd+vcBGhJ5QVF211RIwQTXuGeQl+WMTg6B8Kfjlvly4sanyVr5va2AW38752VNEWtdnsrTHcayO/lAG1SyebFEKtaTVZhOPBkml5m6AojEGlDbcUjjof6e9H
JSESSIONID: 0000QTvrT7OBSgjn7OJG9XPMtIE:b45f2ac7-fb59-4da4-b233-f8bc81b81cf0


Response Headers Δ315ms
X-Powered-By:   Servlet/3.0
Transfer-Encoding:  chunked
P3P:    policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Expires:    -1
Date:   Mon, 10 Nov 2014 11:47:00 GMT
Content-Language:   en-US

firefox 控制台还返回 j_sescurity_check 的未定义实体和行号 134,在下面的 sn-p 中是 dic 之前的最后一行。 它指向的代码如下:

body onload="isPopup(); setFocus();">
        <div id="authenticatorLoginFormWrapper">
            <h1>IBM</h1>
            <h2>IBM Worklight</h2>
            <form method="post" action="j_security_check">
                <p id="error">Please check the credentials</p>
                <label for="j_username">User name:</label>
                <input type="text" id="j_username" name="j_username" placeholder="User name" />
                <br />
                <label for="j_password">Password:</label>
                <input type="password" id="j_password" name="j_password" placeholder="Password" />
                <br />
                <input type="submit" id="login" name="login" value="Log In" />
            </form>
            <p id="copyright">&copy; 2006, 2012 IBM Corporation. <a href="#" target="_blank">Trademark</a></p>
        </div>

【问题讨论】:

我没有立即看到任何错误。您能否发布 POST x.x.x.x:10080/LDAPTest/apps/services/j_security_check 的响应内容?那里可能存在质询处理程序无法处理的隐藏错误。 抱歉,Mike 回复晚了,请在上面找到作为编辑添加的 j_security_check 的内容。我没有发现任何有用的东西。我一直在玩弄我的连接字符串,试图弄清楚问题出在哪里,但还没有确定性 【参考方案1】:

您能否尝试消除设置中的一些变量,并首先尝试检查您的 LDAP 服务器是否配置正确?

你可以使用这个:https://serverfault.com/questions/514870/how-do-i-authenticate-with-ldap-via-the-command-line

使用命令行工具与您的 ldap 服务器进行简单连接

【讨论】:

【参考方案2】:

我遇到了类似的问题,我的工作配置是从simple 移动到exists 签入authenticationConfig.xml 文件。 但特别是大的飞跃不再在ldapSecurityPrincipalPattern 中使用uid,而是为用户使用cn

我将配置粘贴在下面,希望对您有用(请注意在我的具体情况下,我设置了一个测试服务器 corp.workgroup.com 域):

 <loginModules>
  <loginModule expirationInSeconds="-1" name="LDAPLoginModule">
  <className>com.worklight.core.auth.ext.LdapLoginModule</className>
   <parameter name="ldapProviderUrl" value="ldap://yourserver" />
   <parameter name="ldapTimeoutMs" value="2000" />
   <parameter name="ldapSecurityAuthentication" value="simple" />
   <parameter name="validationType" value="exists" />
   <parameter name="ldapSecurityPrincipalPattern" value="cn=username,cn=Users,dc=corp,dc=workgroup,dc=com" />
   <parameter name="ldapReferral" value="ignore" />
</loginModule> 

【讨论】:

以上是关于Worklight 6.2 使用 OpenDS 对 LDAP 进行身份验证的主要内容,如果未能解决你的问题,请参考以下文章

在 Worklight 6.2 中拨打电话

手动安装 Worklight 服务器并声明 Worklight 运行时 (WL 6.2)

Worklight 6.2 - 隐藏 iphone/native 下的 LibInclude 目录

Worklight 6.2 - 推送通知 - 是不是可以更改 userSubscription.userId?

到 Worklight Server 6.2 的 HTTPS 连接

将项目从 WorkLight 6.2 升级到 MobileFirst 7.1