tags:

views:

386

answers:

1
Q: 

Is using bindAuthentication with Spring and Active Directory impossible?

Hi,

I want to authenticate the useres of my webapplication against our internal active directory. I have the applicationContext-security set up as follows:

<beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"&gt;

        <!-- HTTP security configurations -->
        <http auto-config="true" use-expressions="true">
                <form-login login-processing-url="/static/j_spring_security_check"
                        login-page="/login" authentication-failure-url="/login?login_error=t" />
                <logout logout-url="/static/j_spring_security_logout" />


                <!-- Configure these elements to secure URIs in your application -->
                <!--
                        <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
                -->
                <!--
                        <intercept-url pattern="/member/**" access="isAuthenticated()" />
                -->
                <intercept-url pattern="/resources/**" access="permitAll" />
                <intercept-url pattern="/static/**" access="permitAll" />
                <intercept-url pattern="/login" access="permitAll" />
                <intercept-url pattern="/**" access="isAuthenticated()" />
        </http>

        <!-- Configure Authentication mechanism -->
        <authentication-manager alias="authenticationManager">
                <!--
                        SHA-256 values can be produced using 'echo -n your_desired_password |
                        sha256sum' (using normal *nix environments)
                -->
                <authentication-provider>
                        <password-encoder hash="sha-256" />
                        <user-service>
                                <user name="admin"
                                        password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                                        authorities="ROLE_ADMIN" />
                                <user name="user"
                                        password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                                        authorities="ROLE_USER" />
                        </user-service>
                </authentication-provider>

                <ldap-authentication-provider user-dn-pattern="{0}@company.domain"/>
                <!-- <ldap-authentication-provider user-search-filter="(sAMAccountName={0})" user-search-base="OU=UNIT,OU=CE,OU=company,OU=Accounts"/>-->


        </authentication-manager>

        <!-- LDAP Security Configuration -->
        <ldap-server url="ldap://10.9.1.1:389/DC=company,DC=domain"/>

My problem is: I do not know how to create the correct DN to use bind authentication?

The value above ({0]@company.domain) would work on windows (special 'feature' of AD) but spring-security will not accept it since it does not conform the correct syntax for a DN.

A: 

O.K. I did not write my own user-details service. Instead I went down the road of using a low priviliged accouont (only read access) to do an ldap-search for the user with the matching credentials.

It's ugly because I still need account for my application in the Active Directory. But so far it works. I also could not figure out how to corretly setup the ldapAuthenticationProvider using the new spring-security namespace. Hence I did the configuration "the old way" by wiring together the necessary beans.

Here is my sample.

It uses two authentication providers: a simple one with username and password stored in the config file and an ldapAuthenticationProvider.

Hope it helps:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"&gt;

    <!-- HTTP security configurations -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/static/j_spring_security_check"
            login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/static/j_spring_security_logout" />


        <!-- Configure these elements to secure URIs in your application -->
        <!--
            <intercept-url pattern="/choice/**" access="hasRole('ROLE_ADMIN')"/>
        -->
        <!--
            <intercept-url pattern="/member/**" access="isAuthenticated()" />
        -->
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <!--
            SHA-256 values can be produced using 'echo -n your_desired_password |
            sha256sum' (using normal *nix environments)
        -->
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin"
                    password="8c6976e5b5410415mydepartmente908mydepartment4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                    authorities="ROLE_ADMIN" />
                <user name="user"
                    password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                    authorities="ROLE_USER" />
            </user-service>
        </authentication-provider> 

        <authentication-provider ref="ldapAuthProvider">

        </authentication-provider>

    </authentication-manager>

    <beans:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://10.9.1.1:389/DC=mydomain,DC=com" />
        <beans:property name="userDn"
            value="CN=ReadOnly,OU=Services,DC=mydomain,DC=com" />
        <beans:property name="password" value="thesecret" />
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userSearch">
                    <beans:bean id="userSearch"
                        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                        <beans:constructor-arg index="0" value="" />
                        <beans:constructor-arg index="1"
                            value="(&amp;(sAMAccountName={0})(objectclass=user))" />
                        <beans:constructor-arg index="2" ref="contextSource" />
                    </beans:bean>
                </beans:property>

            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

</beans:beans>
er4z0r  2010-03-24 16:18:11

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?