
Overview

The Active Directory Security Module (security-ad) includes the ActiveDirectoryAuthenticationProvider, which implements the simple authentication(username,password) interface using a Microsoft Active Directory (AD) server. The Active Directory and LDAP Configuration bean is used to configure this provider with the details of the AD server.

Required Modules

 These features require that the security-ad module be included when you run createproject to create the project directories.

 


Authenticate a Username

To authenticate a username, the AD Authentication Provider does the following:

  1. A query is issued for the distinguished name (DN) of the username provided (e.g. sAMAccountName=%username%). This query uses the bindDn and bindPassword credentials.
  2. A query is issued for all groups and nested groups that include this DN. This query uses the user's DN and password to authenticate the user.
    1. For each group returned, a role is added to the principal.
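
The two steps above, modelled against an in-memory directory. This is an added example, not code from the security-ad module: the directory contents, the function names, the RFC 4515 escaping of the username, the empty-password check and the use of the group CN as the role name are all assumptions made for the illustration.

```python
import re

# Constructed sample directory; every DN, account and password here is made up.
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com": {"sAMAccountName": "jdoe", "password": "s3cret"},
    "CN=Bob Ops,OU=Staff,DC=example,DC=com": {"sAMAccountName": "bob(ops)", "password": "hunter2"},
}
GROUPS = {  # group DN -> direct members; the three groups form a nesting cycle
    "CN=Engineers,DC=example,DC=com": ["CN=Jane Doe,OU=Staff,DC=example,DC=com",
                                       "CN=All Staff,DC=example,DC=com"],
    "CN=Search Users,DC=example,DC=com": ["CN=Engineers,DC=example,DC=com"],
    "CN=All Staff,DC=example,DC=com": ["CN=Search Users,DC=example,DC=com"],
}
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def build_user_filter(username, template="(sAMAccountName=%username%)"):
    """Substitute the username with RFC 4515 escaping so it stays a literal value."""
    return template.replace("%username%", "".join(ESCAPES.get(c, c) for c in username))

def search_dn(ldap_filter):
    """Step 1, run with the bindDn account: DN of the one entry matching (attr=value)."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter, re.S).groups()
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    hits = [dn for dn, a in DIRECTORY.items() if a.get(attr, "").lower() == literal.lower()]
    return hits[0] if len(hits) == 1 else None

def nested_groups(member_dn):
    """Step 2 query: groups that contain member_dn directly or through nesting."""
    found, pending = set(), [member_dn]
    while pending:
        current = pending.pop()
        for group_dn, members in GROUPS.items():
            if current in members and group_dn not in found:  # 'found' stops cycles
                found.add(group_dn)
                pending.append(group_dn)
    return found

def authenticate(username, password):
    """Return the sorted role names for the principal, or None if either step fails."""
    if not username or not password:  # an empty password must never reach a simple bind
        return None
    user_dn = search_dn(build_user_filter(username))
    # The comparison below stands in for binding to the server as user_dn.
    if user_dn is None or DIRECTORY[user_dn]["password"] != password:
        return None
    # Assumption: the role name is the group's CN.
    return sorted(dn.split(",")[0][3:] for dn in nested_groups(user_dn))
```

A user who authenticates but belongs to no group gets an empty role list, which is distinct from the None returned for a failed authentication.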

Configuration

The following example creates an Active Directory Authentication Provider using a shared Active Directory and LDAP Configuration bean.

<project-dir>/conf/bean/defaultAuthenticationProvider.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean id="defaultAuthenticationProvider" class="com.attivio.securityad.authentication.ActiveDirectoryAuthenticationProvider">
    <property name="config" ref="activeDirectoryConfig" />
  </bean>

</beans>

Permissions

The bindDn account must have search permission to all objects within the userSearchBase.
The authenticated user must have search permission to all their groups.

Usage

See Also
