// 该笔记仍在调研中!!不确保中有错误信息!最终目的是想用java实现这三种认证方式。
1、ldaps:// 注意多了个s
参考:https://mail.python.org/pipermail/python-ldap/2002q1/000584.html
Dirksen Lau wrote: >> When I try the bind operation against our department LDAP server, > I got this > error: ldap.STRONG_AUTH_REQUIRED: {'desc': 'Strong authentication > required', > 'info': 'This LDAP server does not accept cleartext passwords'} This means you have to authenticate by presenting a client certificate which is done during establishing the SSL connection. > How to do the strong authentication? 1. Make yourself familiar with concepts of SSL and client certificates. 2. Ask your LDAP server admin whether you have to use LDAP over SSL to separate port or using StartTLS extended operation. 3. Look at Demo/initialize.py to get a idea of how to connect with python-ldap using either one of the methods. 4. Have a client certificate and matching private key at hand as "PEM files". You have to get a client certificate which validates against a trusted root CA cert at the LDAP server. Ask your admin. 5. Use ldap.set_option(ldap.OPT_X_TLS_CERTFILE,client_cert_file) ldap.set_option(ldap.OPT_X_TLS_KEYFILE,client_key_file) to point the python-ldap and OpenLDAP libs to the files to use for strong authentication during opening the SSL connection. Ciao, Michael. On Sat, Mar 30, 2002 at 12:10:09PM +0800, Dirksen Lau wrote:
> How to do the strong authentication?
There are two ways:
1. SSL/TLS
==========
Use thing like this (instead of your ldap_open or ldap_initialize):
l=ldap_initialize("ldaps://....");
This will work if your server listens on ldaps port. If your server listens on ldap port only,
but supports TLS, you use it:
l=ldap_initialize("ldap://....")
l.protocol_version=ldap.VERSION3
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
l.start_tls_s()
2. SASL
========
This is not yet supported by python-ldap, but is being worked on.
SASL is a way of doing strong authentication even without encrypting the whole sessions.
Greets, Jacek
参考:https://stackoverflow.com/questions/5991591/php-ldap-stronger-authentication-required
- SECURITY_AUTHENTICATION: specifies the authentication mechanism to use, which is one of the following strings:
-
- “none”: use no authentication (anonymous).
- “simple”: use weak authentication (password in clear text).
- sasl_mech: use strong authentication with SASL (Simple Authentication and Security Layer).
参考:http://www.codejava.net/coding/connecting-to-ldap-server-using-jndi-in-java
Authentication Mechanisms验证机制
参考:http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html
Different versions of the LDAP support different types of authentication. The LDAP v2 defines three types of authentication: anonymous匿名, simple (clear-text password明文密码), and Kerberos v4.
The LDAP v3 supports anonymous, simple, and SASL authentication.
How to enable LDAP signing in Windows Server 2008
参考:https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
GSS-API/Kerberos v5 Authentication
参考:https://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html
End-to-end steps for configuring Active Directory Kerberos authentication
Enable support for Kerberos authentication
参考:https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx
Java安全之认证与授权
参考:http://blog.csdn.net/xiaolangfanhua/article/details/52835920
配置 Kerberos 身份验证 (SharePoint Foundation 2010)
参考:https://msdn.microsoft.com/zh-cn/subscriptions/ff607695
Windows Server 2012:设置您的第一个域控制器(一步一步)