Introduction
Some of the concepts are as follows.
Security Account Manager (SAM) Account Name
The explanation is as follows.
The networkID you use to log in to the network.
User Principal Name (UPN)
The explanation is as follows.
It may be an Implicit UPN (iUPN) or an Explicit UPN (eUPN).
An example of an iUPN would be: networkID@internalDomain.com
An example of an eUPN would be: employee_name@companyName.com
An eUPN may be defined by the network administrator.
In my case, the UPN we're using in our AD is actually an eUPN.
So far I have only seen companies that use an eUPN. That is, their e-mail addresses looked like this:
employee_name@companyName.com
Example
Let the filter we use be the following.
(&(objectClass=user)(userPrincipalName={0}))
With this filter, users with e-mail addresses of the form employee_name@companyName.com can be found.
The explanation is as follows.
If it's the domain used in the e-mail address, this filter will find the user with and without the domain name.
Example
Let the filter we use be the following.
(&(objectClass=user)(sAMAccountName={1}))
With this filter, the user whose network ID is employee_AD_username can be found. The domain part of employee_AD_username@internaldomain.com plays no role here, because a sAMAccountName carries no domain.
The explanation is as follows.
Will find the user if the username provided is the networkID with no domain.
Search Filter Syntax
The explanation is as follows.
This is the query language for AD. We used it to define the filter while searching for objects in AD.
{0}-occurrence means the full username with the domain in it. If the domain is defined in the LDAP configuration, then Spring Security checks if it's present in the entered username at login. If not, then it'll be added.
{1}-occurrence means whatever is entered as the username. So, Spring won't do any modification on the provided username.
constructor
The first parameter is the domain name. The explanation is as follows.
If you want to be able to log in without providing the domain name, you need to define the domain in the LDAP configuration.
The explanation is as follows.
If you don't define the domain for the LDAP configuration and leave it null while instantiating the object, then you should be able to search for both the UPN and the sam-account with the {1} occurrence, but you have to provide the domain for both the networkID and the email-username at login.
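To make the {0}/{1} rules and the null-domain caveat concrete, here is an added stand-alone Java program. It is not Spring Security's code and not from the original post; it re-implements the two rules quoted above (append the configured domain unless the entered username already ends with it, then fill {0} with that bind principal and {1} with the raw username) so that the resulting filter can be printed for each login form. The domain names, usernames and the combined filter are constructed for the illustration. In Spring itself the two values are handed to JNDI's DirContext.search as filter arguments, and JNDI escapes them; the escape() method here stands in for that, and the last case shows why it matters.

```java
/**
 * Illustration of how the search-filter placeholders are filled in.
 * Mirrors the rules described above without depending on Spring Security.
 * This is example code, not Spring's implementation.
 */
public class FilterPlaceholderDemo {

    // Spring's default search filter for ActiveDirectoryLdapAuthenticationProvider.
    static final String UPN_FILTER = "(&(objectClass=user)(userPrincipalName={0}))";
    // Filter that matches on the networkID only.
    static final String SAM_FILTER = "(&(objectClass=user)(sAMAccountName={1}))";
    // Accepts either a networkID or a full UPN in the login form (assumed combination).
    static final String COMBINED_FILTER =
        "(&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1})))";

    /** {0}: the configured domain is appended unless the username already ends with it.
        A null domain leaves the username untouched. */
    static String bindPrincipal(String domain, String username) {
        if (domain == null || username.toLowerCase().endsWith(domain.toLowerCase())) {
            return username;
        }
        return username + "@" + domain;
    }

    /** RFC 4515 escaping of a filter value, as JNDI applies to filter arguments,
        so that a username such as "*)(sAMAccountName=admin" cannot rewrite the filter. */
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Substitutes {0} and {1} the way the quoted explanation describes. */
    static String fill(String filter, String domain, String username) {
        return filter.replace("{0}", escape(bindPrincipal(domain, username)))
                     .replace("{1}", escape(username));
    }

    public static void main(String[] args) {
        // Constructed inputs: AD domain internaldomain.com, e-mail (eUPN) domain companyname.com.
        String[][] cases = {
            { "internaldomain.com", "jdoe" },                    // networkID only
            { "internaldomain.com", "jdoe@internaldomain.com" }, // iUPN
            { "internaldomain.com", "jdoe@companyname.com" },    // eUPN with domain configured
            { null,                 "jdoe@companyname.com" },    // eUPN with domain left null
            { "internaldomain.com", "*)(sAMAccountName=admin" }, // filter injection attempt
        };
        for (String[] c : cases) {
            System.out.printf("domain=%s username=%s%n", c[0], c[1]);
            System.out.println("  UPN      " + fill(UPN_FILTER, c[0], c[1]));
            System.out.println("  SAM      " + fill(SAM_FILTER, c[0], c[1]));
            System.out.println("  COMBINED " + fill(COMBINED_FILTER, c[0], c[1]));
        }
    }
}
```

The third case is the trap the quoted text is about: with the domain configured as internaldomain.com, an eUPN login of jdoe@companyname.com does not end with the configured domain, so the bind principal becomes jdoe@companyname.com@internaldomain.com and the userPrincipalName={0} clause matches nothing. Leaving the domain null (fourth case) keeps the entered value intact, at the price of every user having to type the domain, which is exactly the trade-off described above.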
Example
We do the following.
ActiveDirectoryLdapAuthenticationProvider provider =
new ActiveDirectoryLdapAuthenticationProvider("domain",...);
Example
We do the following.
ActiveDirectoryLdapAuthenticationProvider provider =
new ActiveDirectoryLdapAuthenticationProvider(...,...);
setUserDetailsContextMapper method
Example
Suppose we have the following code.
import java.util.Collection;

import lombok.extern.slf4j.Slf4j;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

@Slf4j
public class LdapUserDetailsContextMapper implements UserDetailsContextMapper {
  // Called after a successful bind: builds the application's UserDetails from the
  // AD entry (ctx), the username as entered, and the authorities the provider derived.
  @Override
  public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
      Collection<? extends GrantedAuthority> collection) {
    ...
  }

  // Reverse direction, used only when writing a user back to the directory.
  @Override
  public void mapUserToContext(UserDetails userDetails,
      DirContextAdapter dirContextAdapter) {
    ...
  }
}
We do the following.
provider.setUserDetailsContextMapper(new LdapUserDetailsContextMapper());
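As an added, complete wiring example (not from the original post and not Spring's own code): the provider is constructed with an assumed AD domain and LDAPS URL, given a search filter that accepts either login form, and paired with a full UserDetailsContextMapper that keys the principal by sAMAccountName so the same user gets the same principal whether they typed a networkID or a UPN. The class names, the domain, the URL and the ROLE_AD_USER authority are assumptions; the configuration targets Spring Security 5.7 or later (SecurityFilterChain bean style).

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AdSecurityConfig {

    // Assumed values: the AD DNS domain and the LDAPS URL of a domain controller.
    static final String AD_DOMAIN = "internaldomain.com";
    static final String AD_URL = "ldaps://dc01.internaldomain.com:636";

    @Bean
    AuthenticationProvider activeDirectoryProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);
        // Accept either the networkID ({1}) or the full UPN ({0}) at login.
        provider.setSearchFilter(
            "(&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1})))");
        // Surface AD sub-error codes (expired password, locked account, ...)
        // as distinct exceptions instead of a generic BadCredentialsException.
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUserDetailsContextMapper(new AdUserDetailsContextMapper());
        return provider;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationProvider provider)
            throws Exception {
        http.authenticationProvider(provider)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    /** Maps the AD entry to a UserDetails keyed by sAMAccountName. The authorities
        passed in are the group memberships the provider already read from memberOf. */
    static class AdUserDetailsContextMapper implements UserDetailsContextMapper {
        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                Collection<? extends GrantedAuthority> authorities) {
            String sam = ctx.getStringAttribute("sAMAccountName");
            List<GrantedAuthority> granted = new ArrayList<>(authorities);
            granted.add(new SimpleGrantedAuthority("ROLE_AD_USER")); // assumed marker role
            return User.withUsername(sam != null ? sam : username)
                       .password("") // never stored; the AD bind already verified it
                       .authorities(granted)
                       .build();
        }

        @Override
        public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
            throw new UnsupportedOperationException("read-only mapping");
        }
    }
}
```

Because the provider binds to AD with the user's own credentials, the mapper never sees or stores a password; it only decides what the application's principal and authorities look like, which is why keying it on sAMAccountName avoids two different identities for one account.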