spring boot配置ldap 連接時,通過ldap://xxxxx:389 連接,一般來說都能成功,但是如果配置ldap ssl 連接,ldaps://xxxx:636 那么很大概率會出現 javax.naming.CommunicationException: simple bind failed: xxxxxtest.com.local:636 這種異常 。百度,谷歌搜索 大部分解決方案是需要從ldap 服務器上導出證書,然后再通過Java的keytool 工具導入證書,比較繁瑣,我也沒試過好不好使,反正從服務器上導出證書那一步就很煩了。下面,說一下如何代碼配置ldap 跳過ssl。直接上代碼。
package com.github.wxiaoqi.security.common.config; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Primary; import org.springframework.ldap.core.LdapTemplate; import org.springframework.ldap.core.support.LdapContextSource; import java.util.Hashtable; import java.util.Objects; /** * @author margo * @date 2021/11/4 */ @Slf4j // @ConditionalOnExpression("${ldap.enabled:false}") public class LdapConfiguration { private LdapTemplate ldapTemplate; @Value("${ldap.url}") private String ldapUrl; @Value("${ldap.basedc}") private String ldapBaseDc; @Value("${ldap.username}") private String ldapUsername; @Value("${ldap.passwd}") private String ldapPasswd; /** * 繼承LdapContextSource重寫getAnonymousEnv方法來加載, * 使連接ldap時用SSL連接(由於修改AD密碼時必須使用SSL連接) */ public class SsldapContextSource extends LdapContextSource { @Override public Hashtable<String, Object> getAnonymousEnv(){ Hashtable<String, Object> anonymousEnv = super.getAnonymousEnv(); anonymousEnv.put("java.naming.security.protocol", "ssl"); anonymousEnv.put("java.naming.ldap.factory.socket", CustomSslSocketFactory.class.getName()); return anonymousEnv; } } @Bean public LdapContextSource contextSource() { SsldapContextSource ldapContextSource = new SsldapContextSource(); ldapContextSource.setBase(ldapBaseDc); ldapContextSource.setUrl(ldapUrl); ldapContextSource.setUserDn(ldapUsername); ldapContextSource.setPassword(ldapPasswd); ldapContextSource.setPooled(false); ldapContextSource.setReferral("follow"); ldapContextSource.afterPropertiesSet(); return ldapContextSource; } @Bean public LdapTemplate ldapTemplate(LdapContextSource contextSource) { if (Objects.isNull(contextSource)) { throw new RuntimeException("ldap contextSource error"); } if (null == ldapTemplate) { ldapTemplate = new LdapTemplate(contextSource); } return ldapTemplate; } }
package com.github.wxiaoqi.security.common.config; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; /** * 自定義的SSL工廠里面加載自己實現X509TrustManager,信任自簽證書 * @author cb */ public class CustomSslSocketFactory extends SSLSocketFactory { private SSLSocketFactory socketFactory; public CustomSslSocketFactory() { try { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[]{new DummyTrustmanager()}, new SecureRandom()); socketFactory = ctx.getSocketFactory(); } catch (Exception ex) { ex.printStackTrace(System.err); } } public static SocketFactory getDefault() { return new CustomSslSocketFactory(); } @Override public String[] getDefaultCipherSuites() { return socketFactory.getDefaultCipherSuites(); } @Override public String[] getSupportedCipherSuites() { return socketFactory.getSupportedCipherSuites(); } @Override public Socket createSocket(Socket socket, String string, int num, boolean bool) throws IOException { return socketFactory.createSocket(socket, string, num, bool); } @Override public Socket createSocket(String string, int num) throws IOException, UnknownHostException { return socketFactory.createSocket(string, num); } @Override public Socket createSocket(String string, int num, InetAddress netAdd, int i) throws IOException, UnknownHostException { return socketFactory.createSocket(string, num, netAdd, i); } @Override public Socket createSocket(InetAddress netAdd, int num) throws IOException { return socketFactory.createSocket(netAdd, num); } @Override public Socket createSocket(InetAddress netAdd1, int num, InetAddress netAdd2, int i) throws IOException { return socketFactory.createSocket(netAdd1, num, netAdd2, i); } /** * 證書 */ public static class DummyTrustmanager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] cert, String string) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] cert, String string) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers() { return new java.security.cert.X509Certificate[0]; } } }
主要的配置是 CustomSslSocketFactory 這個類,其他的正常配置。
配置好后啟動應用,又出現了另外一個錯誤,
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException
那么在啟動main方法中加上一行環境變量配置即可
@EnableEurekaClient @SpringBootApplication @EnableConfigurationProperties @EnableTransactionManagement @Import(value = {RedissonConfig.class, GatewayReqInterceptor.class, UserInfoInterceptor.class, InterceptorConfig.class, CoreConfig.class, AuthConfig.class, AuthServerRunner.class, LdapConfiguration.class}) @EnableScheduling public class WxCpApplication { public static void main(String[] args) { System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); // important resolve javax.net.ssl.SSLHandshakeException SpringApplication.run(WxCpApplication.class, args); } @Bean public RestTemplate restTemplate() { return new RestTemplate(); } }
System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); 這行