LDAP none、simple、strong 笔记

// 该笔记仍在调研中！！不确保中有错误信息！最终目的是想用java实现这三种认证方式。

1、ldaps://  注意多了个s

---

参考：https://mail.python.org/pipermail/python-ldap/2002q1/000584.html
Dirksen Lau wrote:
>> When I try the bind operation against our department LDAP server,
> I got this
> error: ldap.STRONG_AUTH_REQUIRED: {'desc': 'Strong authentication
> required',
> 'info': 'This LDAP server does not accept cleartext passwords'}

This means you have to authenticate by presenting a client certificate which
is done during establishing the SSL connection.

> How to do the strong authentication?

1. Make yourself familiar with concepts of SSL and client certificates.
2. Ask your LDAP server admin whether you have to use LDAP over SSL to
separate port or using StartTLS extended operation.
3. Look at Demo/initialize.py to get a idea of how to connect with
python-ldap using either one of the methods.
4. Have a client certificate and matching private key at
hand as "PEM files". You have to get a client certificate which validates
against a trusted root CA cert at the LDAP server. Ask your admin.
5. Use
ldap.set_option(ldap.OPT_X_TLS_CERTFILE,client_cert_file)
ldap.set_option(ldap.OPT_X_TLS_KEYFILE,client_key_file)
to point the python-ldap and OpenLDAP libs to the files to use for strong
authentication during opening the SSL connection.

Ciao, Michael.

On Sat, Mar 30, 2002 at 12:10:09PM +0800, Dirksen Lau wrote: 
> How to do the strong authentication? 

 There are two ways: 
1. SSL/TLS 
========== 
Use thing like this (instead of your ldap_open or ldap_initialize): 
l=ldap_initialize("ldaps://...."); 
This will work if your server listens on ldaps port. If your server listens on ldap port only, 
but supports TLS, you use it: 
l=ldap_initialize("ldap://....") 
l.protocol_version=ldap.VERSION3 
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND) 
l.start_tls_s() 
2. SASL 
======== 
This is not yet supported by python-ldap, but is being worked on.
SASL is a way of doing strong authentication even without encrypting the whole sessions. 
Greets, Jacek

参考：https://stackoverflow.com/questions/5991591/php-ldap-stronger-authentication-required

• SECURITY_AUTHENTICATION: specifies the authentication mechanism to use, which is one of the following strings:

1. • “none”: use no authentication (anonymous).
   • “simple”: use weak authentication (password in clear text).
   • sasl_mech: use strong authentication with SASL (Simple Authentication and Security Layer).

参考：http://www.codejava.net/coding/connecting-to-ldap-server-using-jndi-in-java

Authentication Mechanisms验证机制

参考：http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html

Different versions of the LDAP support different types of authentication. The LDAP v2 defines three types of authentication: anonymous匿名, simple (clear-text password明文密码), and Kerberos v4.

The LDAP v3 supports anonymous, simple, and SASL authentication.

How to enable LDAP signing in Windows Server 2008

参考：https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

GSS-API/Kerberos v5 Authentication

参考：https://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html

End-to-end steps for configuring Active Directory Kerberos authentication

参考：https://docs.bmc.com/docs/display/public/sso90/End-to-end+steps+for+configuring+Active+Directory+Kerberos+authentication#End-to-endstepsforconfiguringActiveDirectoryKerberosauthentication-ConfiguringKerberosauthenticationwithActiveDirectory

Enable support for Kerberos authentication

参考：https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx

Java安全之认证与授权

参考：http://blog.csdn.net/xiaolangfanhua/article/details/52835920

配置 Kerberos 身份验证 (SharePoint Foundation 2010)

参考：https://msdn.microsoft.com/zh-cn/subscriptions/ff607695

Windows Server 2012：设置您的第一个域控制器（一步一步）

参考：https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx