
Spring Security: Supporting Multiple LDAP Directory Services

Scenario/Problem:

The application I was working on authenticated against Active Directory (AD). However, I wanted each developer to be able to run the full-fledged application on their own developer machine, and running AD on a developer machine isn't ideal. Hence, problem #1.

Options:

Thankfully, there are free LDAP servers available. Apache Directory Studio and Active Directory Lightweight Directory Services (AD LDS) are two of them.

Approach A:

We first tried Apache Directory Studio, but the application would not recognize the username. Finally we determined that AD accepts the sAMAccountName attribute as the username, while most other LDAP servers simply use uid. So problem #2 became: how do we support both?

Approach B:

It turns out that what I really needed to do was create an LDAP search filter that matches either attribute. And I found a great how-to on the Atlassian website, of all places.

https://confluence.atlassian.com/display/DEV/How+to+write+LDAP+search+filters

So the Spring Security configuration went from:


<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="" />
    <constructor-arg index="1" value="(sAMAccountName={0})" />
    <constructor-arg index="2" ref="contextSource" />
</bean>


to this:


<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="" />
    <constructor-arg index="1" value="(|(uid={0})(sAMAccountName={0}))" />
    <constructor-arg index="2" ref="contextSource" />
</bean>
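
The `{0}` in that filter is replaced with the submitted username at search time, and the value has to be escaped per RFC 4515 before it goes in so that characters such as `(`, `)` and `*` can never change which attributes the OR filter asserts on (Spring Security escapes the value it substitutes; if you ever build a filter by hand you must do the same). The following is an added example, not code from the post or from Spring Security, showing the escaping and the resulting filter for the two-directory search above; the function names are my own.

```python
import re
from typing import Dict, List

# RFC 4515 section 3: characters that must be escaped inside a filter value.
RFC4515_ESCAPES: Dict[str, str] = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# The filter from the post: match either a uid (most LDAP servers)
# or a sAMAccountName (Active Directory).
USER_SEARCH_FILTER = "(|(uid={0})(sAMAccountName={0}))"

# Matches the start of a filter assertion, e.g. "(uid=", so we can list
# which attributes a finished filter actually queries.
ASSERTION_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as a value inside an LDAP search filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = USER_SEARCH_FILTER) -> str:
    """Substitute the username for every {0} in the template, escaping first.

    Escaping before substitution is what keeps the filter structure fixed
    regardless of what the submitted username contains.
    """
    return template.replace("{0}", escape_filter_value(username))


def asserted_attributes(ldap_filter: str) -> List[str]:
    """Attribute names the filter asserts on, in order of appearance.

    For a correctly escaped filter this is always the attributes from the
    template (here uid and sAMAccountName), whatever the username was.
    """
    return ASSERTION_RE.findall(ldap_filter)


if __name__ == "__main__":
    for name in ("jdoe", "j.doe)(mail=*"):  # constructed sample usernames
        f = build_user_filter(name)
        print(f, "->", asserted_attributes(f))
```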


Another problem:

I wish I could say that solved everything. Unfortunately, Apache Directory Studio became unresponsive on multiple developer machines after a restart.

We were unable to get it up and running again, so we switched to AD LDS. This proved to be a better fit for us because Apache Directory Studio had to run in the foreground, whereas AD LDS can run in the background. One downside of AD LDS is that you need a client tool, such as ADSI Edit, to configure it. There was also one gotcha: you need to add your newly created users to the 'Reader' role, which you do by adding them to the 'member' attribute of the Reader role.
