Overview

The Active Directory Security Module (security-ad) includes the LdapAuthenticationProvider class, which implements the simple authentication(username,password) interface using an LDAP Server. The Active Directory and LDAP Configuration bean is used to configure this bean with details of the AD server.

Required Modules

These features require that the security-ad module be included when you run createproject to create the project directories.

Authenticate a Username

To authenticate a username, the LDAP Authentication Provider does the following:

  1. A query is issued to determine the distinguished name (DN) of the user ID provided (e.g. uid=%username%). This query uses the bindDn and bindPassword credentials.
  2. A context is created for the user's DN using the user's password; this bind establishes the user's credentials.
  3. A query is issued to find all groups and nested groups that include this DN. This query uses the user's DN and password to authenticate the user.
    1. For each group returned, a role is added to the principal.
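The three steps above, written out as a stand-alone JNDI example. This is added illustration, not the code of the security-ad module or its LdapAuthenticationProvider; the server URL, base DNs, service account, attribute names and the use of the Active Directory in-chain matching rule for nested groups are assumptions for the example. It also shows the two checks a practitioner wants around step 1 and step 2: the username is escaped before it is placed in the search filter (RFC 4515), and an empty password is rejected up front, because an LDAP simple bind with an empty password is an unauthenticated bind that many servers accept as success.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical example of the bindDn -> user bind -> group search flow (not security-ad code). */
public class LdapThreeStepAuthExample {

    // Assumed settings; in the product these come from the Active Directory and LDAP Configuration bean.
    private static final String LDAP_URL = "ldaps://ad.example.test:636";
    private static final String BIND_DN = "CN=svc-search,OU=Service Accounts,DC=example,DC=test";
    private static final String BIND_PASSWORD = System.getenv("LDAP_BIND_PASSWORD");
    private static final String USER_SEARCH_BASE = "OU=Users,DC=example,DC=test";
    private static final String GROUP_SEARCH_BASE = "DC=example,DC=test";

    // Active Directory extensible-match rule that resolves nested group membership server-side.
    private static final String MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941";

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simple bind as the given DN; throws AuthenticationException on bad credentials. */
    private static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Returns the DNs of the groups (roles) containing the user, or throws if authentication fails. */
    static List<String> authenticate(String username, String password) throws NamingException {
        // An empty password becomes an unauthenticated bind, which servers may accept: refuse it here.
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("empty password");
        }

        // Step 1: resolve the user's DN with the bindDn / bindPassword credentials.
        String userDn;
        DirContext svc = bind(BIND_DN, BIND_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            String filter = "(sAMAccountName=" + escapeFilterValue(username) + ")";
            NamingEnumeration<SearchResult> results = svc.search(USER_SEARCH_BASE, filter, sc);
            if (!results.hasMore()) {
                throw new AuthenticationException("unknown user");
            }
            userDn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new AuthenticationException("ambiguous user");
            }
        } finally {
            svc.close();
        }

        // Step 2: bind as the user; a wrong password raises AuthenticationException here.
        DirContext user = bind(userDn, password);
        try {
            // Step 3: with the user's own context, find every group (nested included) containing the DN.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            String filter = "(member:" + MATCHING_RULE_IN_CHAIN + ":=" + escapeFilterValue(userDn) + ")";
            List<String> roles = new ArrayList<>();
            NamingEnumeration<SearchResult> groups = user.search(GROUP_SEARCH_BASE, filter, sc);
            while (groups.hasMore()) {
                roles.add(groups.next().getNameInNamespace()); // one role per group
            }
            return roles;
        } finally {
            user.close();
        }
    }
}
```

Because step 3 runs under the user's bind, the returned role list is only as complete as the search rights that user has on its groups, which is exactly the permission requirement stated further down this page.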

Configuration

The following example creates an LDAP Authentication Provider using a shared Active Directory and LDAP Configuration bean.

<project-dir>/conf/bean/defaultAuthenticationProvider.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <bean id="defaultAuthenticationProvider" class="com.attivio.securityad.authentication.LdapAuthenticationProvider">
    <property name="config" ref="ldapDirectoryConfig" />
  </bean>

</beans>

Permissions

The bindDn account must have search permission on all objects within the userSearchBase.
The authenticated user must have search permission on all of their groups.

Usage

See Also
