I am currently implementing / configuring LDAP authentication for a Java web application using Spring Security 3.0. I am using Microsoft AD LDS as the LDAP server and have chosen Spring's BindAuthenticator. I found out that authentication only works if the authenticated user is a member of the partition's Readers role. BindAuthenticator attempts to read the user's attributes after authentication, which seems reasonable in scenarios where privileges are retrieved from the directory service.
Being new to LDAP and AD, is this an acceptable practice when an application is integrated into an existing AD framework? Can fine-tuning give the DN's user read permission only on its own attributes, instead of adding it to the Readers group?
Thank you, Thomas
Edit 3/8/2010: Here is what I ended up doing: I copied Spring's BindAuthenticator (the whole class) and changed the bindWithDn() method as shown below. Differences are marked by DIFF.
// Imports needed by the copied class (Spring Security 3.0 / Spring LDAP 1.3).
// Note: this is Spring LDAP's unchecked NamingException, not javax.naming.NamingException,
// otherwise the instanceof checks and the bare "throw e" below do not compile.
import org.springframework.ldap.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.ldap.ppolicy.PasswordPolicyControl;
import org.springframework.security.ldap.ppolicy.PasswordPolicyControlExtractor;

// Sits inside the copied BindAuthenticator class; getContextSource(), handleBindException()
// and logger are inherited from that class.
private DirContextOperations bindWithDn(String userDn, String username, String password) {
    BaseLdapPathContextSource ctxSource = (BaseLdapPathContextSource) getContextSource();
    DistinguishedName fullDn = new DistinguishedName(userDn);
    fullDn.prepend(ctxSource.getBaseLdapPath());
    logger.debug("Attempting to bind as " + fullDn);
    DirContext ctx = null;
    try {
        // The bind itself is the authentication: AD LDS accepts or rejects the password here.
        ctx = getContextSource().getContext(fullDn.toString(), password);
        PasswordPolicyControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx);
        // DIFF: the original calls ctx.getAttributes(...) here to read the user's entry,
        // which fails unless the bound user may read its own attributes. Passing null
        // skips that read, so downstream user-details mappers see an entry with no attributes.
        DirContextAdapter result = new DirContextAdapter(null, new DistinguishedName(userDn),
                ctxSource.getBaseLdapPath());
        if (ppolicy != null) {
            result.setAttributeValue(ppolicy.getID(), ppolicy);
        }
        return result;
    } catch (NamingException e) {
        // Bad credentials (or an unsupported operation) go through handleBindException so the
        // caller can try the next DN pattern; anything else is a real directory error and is rethrown.
        if ((e instanceof org.springframework.ldap.AuthenticationException)
                || (e instanceof org.springframework.ldap.OperationNotSupportedException)) {
            handleBindException(userDn, username, e);
        } else {
            throw e;
        }
    } finally {
        LdapUtils.closeContext(ctx);
    }
    return null;
}