I am working on a Spring Boot app. I am boggled by how to set the principal credentials in the AuthenticationManagerBuilder's authentication provider, the ActiveDirectoryLdapAuthenticationProvider object. It just has setSearchFilter to find whether a user is present in a group. But how is the principal credential supplied for authenticating web users? I have noticed that when I provide the right credentials it takes 2 seconds longer to reload, but authentication still fails (login?error redirection). But for wrong credentials, the invalid password message is thrown. Also, how do I override the username from email id to sAMAccountName?

(&(objectClass=user)(userPrincipalName={0})(memberOf=groupname))

This is failing; what does userPrincipalName={0} stand for here?

```java
// Fields assumed to be set elsewhere in this configuration class:
// domain, url, userBaseDn, userDnPattern (String)
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    ActiveDirectoryLdapAuthenticationProvider adProvider =
            new ActiveDirectoryLdapAuthenticationProvider(domain, url, userBaseDn);
    adProvider.setConvertSubErrorCodesToExceptions(true);
    adProvider.setUseAuthenticationRequestCredentials(true);
    // set pattern if it exists
    // The following example would authenticate a user if they were a member
    // of the ServiceAccounts group
    // (&(objectClass=user)(userPrincipalName={0})
    //   (memberof=CN=ServiceAccounts,OU=alfresco,DC=mycompany,DC=com))
    if (userDnPattern != null && userDnPattern.trim().length() > 0) {
        adProvider.setSearchFilter(userDnPattern);
    }
    auth.authenticationProvider(adProvider);
    // don't erase credentials if you plan to get them later
    // (e.g. using them for another web service call)
    auth.eraseCredentials(false);
}
```

1 Answer
I can answer some of your questions, but I share your primary question.

The answers to 2 and 3 are related.

(&(objectClass=user)(userPrincipalName={0}))

is the default search filter; it can be substituted with

sAMAccountName={0}

for a filter, if you find it works for your setup.

(&(cn={0})) // works for me

This is just matching against fields in the AD record returned via LDAP, and the expression {0} is where the credential id will be substituted on search. You would adjust this statement to match the directory structure and filtering you want to apply to your search against Active Directory. Providing too few or insufficiently specific filter criteria will throw an exception like:

Expected 1 but found 5

Like you, however, I suspect but don't know whether the principal security can or should be set directly. Looking through the test cases, it appears to be a function that is auto-magic with Spring, as the method to do so is buried in the hidden ContextFactory.

However, if you're open to trying a different Spring class for this, this answer highlights extending GlobalAuthenticationConfigurerAdapter as a nested class of the WebSecurityConfigurerAdapter, and with that you can set the base DN:

contextSource.setBase("OU=MyCo Global,DC=myco");

Full code taken from the sample linked above:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest()
                .fullyAuthenticated().and().formLogin();
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            // Service-account bind used for the user search; <url>, <username>, <password> are placeholders
            DefaultSpringSecurityContextSource contextSource =
                    new DefaultSpringSecurityContextSource("ldap://<url>");
            contextSource.setUserDn("<username>");
            contextSource.setPassword("<password>");
            contextSource.setReferral("follow");
            contextSource.afterPropertiesSet();

            LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthenticationProviderConfigurer =
                    auth.ldapAuthentication();
            ldapAuthenticationProviderConfigurer
                    .userSearchFilter("(&(cn={0}))")
                    .userSearchBase("")
                    .contextSource(contextSource);
        }
    }
}
```

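The behaviour the question describes (a correct password takes longer and still lands on login?error, a wrong one fails immediately) is what ActiveDirectoryLdapAuthenticationProvider does when the bind succeeds but the search filter matches nothing: it binds to AD as the end user with the form password, then runs the search filter with {0} set to the bind principal (user@domain), and a search with zero results is reported as bad credentials. A memberOf clause only matches against the group's full distinguished name, so a bare group name returns nothing. The configuration below is an added example, not code from the question, the answer or the Spring project; the domain, URL, DNs and group name are placeholders, and the {1} placeholder (username as typed) should be checked against the Javadoc of the Spring Security version in use.

```java
// Added example, not code from the original question or answer. Assumes Spring Security 4.x/5.x
// (WebSecurityConfigurerAdapter era) against Active Directory; every domain, URL and DN is a placeholder.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder values for illustration only.
    private static final String AD_DOMAIN = "corp.example.com";
    // LDAPS: the user's own password is sent in the bind, so do not use plain ldap:// in production.
    private static final String AD_URL = "ldaps://dc01.corp.example.com:636";
    private static final String AD_ROOT_DN = "DC=corp,DC=example,DC=com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/css/**").permitAll()
                .anyRequest().fullyAuthenticated()
            .and()
                .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(activeDirectoryProvider());
        // The builder erases the password from the Authentication after login by default;
        // leave that alone unless a downstream call genuinely needs the user's own credentials.
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL, AD_ROOT_DN);

        // No service account is configured: the provider binds to AD as the end user with the
        // password from the login form. The bind principal is "<username>@<AD_DOMAIN>" unless the
        // typed username already contains '@'. A wrong password fails at the bind (fast, with an
        // AD sub-error code). A correct password passes the bind and then runs the search below
        // from AD_ROOT_DN; zero matches are reported as bad credentials, which is why a correct
        // password can still end up at /login?error when the filter is wrong.
        //
        // {0} = bind principal (user@domain); {1} = username exactly as typed (assumed available
        // in this version). Keeping the username in a placeholder instead of concatenating it into
        // the filter string lets JNDI escape filter metacharacters, which prevents LDAP filter
        // injection. memberOf needs the group's full distinguished name, not just its name.
        provider.setSearchFilter(
                "(&(objectClass=user)(sAMAccountName={1})"
              + "(memberOf=CN=WebAppUsers,OU=Groups,DC=corp,DC=example,DC=com))");

        // Map AD sub-error codes (expired password, locked or disabled account) to specific
        // Spring Security exceptions instead of one generic failure.
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }
}
```

Two caveats worth checking in a real directory. With sAMAccountName={1}, a user who types the full UPN (jdoe@corp.example.com) will bind successfully but the filter will not match, because {1} is then the whole string; either normalise the input before authentication or match on userPrincipalName={0} instead. memberOf only sees direct membership; for nested groups AD supports the chain matching rule, written as (memberOf:1.2.840.113556.1.4.1941:=CN=WebAppUsers,...), at the cost of a slower search. Also note that converting sub-error codes to exceptions turns account state (locked, expired, disabled) into distinct messages; make sure the login page does not echo those to an unauthenticated visitor.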