help configuring LDAP server with externalized variables

  • #1

    I'm creating a POC based on the Spring Security LDAP sample, but want to externalize my LDAP config settings (url, manager-DN, manager-password) into JNDI environment entries. The only way I can see this being possible is by going from a config this:

    Code:
    <s:ldap-server ldif="classpath:users.ldif" port="33389"/>
    <s:authentication-manager>
        <s:ldap-authentication-provider
            group-search-filter="member={0}"
            group-search-base="ou=groups"
            user-search-base="ou=people"
            user-search-filter="uid={0}"
        />
    </s:authentication-manager>
    to something like this:

    Code:
    <!-- context source whose URL, bind DN and bind password come from JNDI entries -->
    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg>
            <jee:jndi-lookup jndi-name="jndi/common/ldap/providerUrl"/>
        </beans:constructor-arg>
        <beans:property name="userDn">
            <jee:jndi-lookup jndi-name="jndi/common/ldap/principal"/>
        </beans:property>
        <beans:property name="password">
            <jee:jndi-lookup jndi-name="jndi/common/ldap/credentials"/>
        </beans:property>
    </beans:bean>

    <!-- hand-assembled provider: bind authenticator plus group-based authorities populator -->
    <beans:bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>uid={0},cn=users</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="cn=groups"/>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
    But is all this extra setup necessary? Is there no way to simply wire the <ldap-server> tag with the appropriate settings? I see that the tag has "url", "manager-dn", and "manager-password" attributes, but can JNDI values be injected into attribute values?

    This JIRA request is similar to what I'm looking for, sans the part about using Tomcat realms:
    https://jira.springsource.org/browse/SEC-871

  • #2
    You can use property placeholders or SpEL expressions. An example of each can be seen below, but you can see the previous links for more details:

    Code:
    <ldap-server ldif="classpath:users.ldif"
        manager-dn="#{env['username']}"
        manager-password="#{ldapPassword}"
        url="${url}"/>

    <!-- ${url} is resolved by the placeholder configurer from the 'env' properties -->
    <context:property-placeholder properties-ref="env"/>

    <!-- #{env['username']} indexes this bean directly via SpEL -->
    <util:properties id="env">
      <prop key="username">uid=admin,ou=system</prop>
      <prop key="url">ldap://127.0.0.1:33388/dc=springframework,dc=org</prop>
    </util:properties>

    <!-- #{ldapPassword} references this JNDI lookup bean by id -->
    <jee:jndi-lookup jndi-name="jndi/common/ldap/credentials" id="ldapPassword"/>
    Last edited by Rob Winch; Aug 1st, 2012, 10:18 AM.



    • #3
      That worked, thanks. But I do get a warning "Referenced bean 'org.springframework.security.securityContextSource' not found". Why might that be?

      Code:
      <ldap-server url="#{ldapUrl}" manager-dn="#{ldapUserDN}" manager-password="#{ldapPassword}"/>

      <authentication-manager>
          <ldap-authentication-provider
              user-search-base="cn=users"
              user-search-filter="uid={0}"
              group-search-base="cn=groups"
              group-search-filter="member={0}"
          />
      </authentication-manager>

      <!-- each SpEL reference on <ldap-server> resolves to one of these JNDI lookup beans -->
      <jee:jndi-lookup jndi-name="jndi/common/ldap/providerUrl" id="ldapUrl"/>
      <jee:jndi-lookup jndi-name="jndi/common/ldap/principal" id="ldapUserDN"/>
      <jee:jndi-lookup jndi-name="jndi/common/ldap/credentials" id="ldapPassword"/>



      • #4
        When do you get this warning (i.e. in STS, in the console at startup, when a user logs in)?



        • #5
          Oops, sorry for not being clear on that. When applying the fix above on my Macbook Pro, OS X 10.7.4, two warning alerts appear along the side of the <authentication-manager> tag when I view the security context XML in STS:

          1) Referenced bean 'org.springframework.security.securityContextSource' not found
          2) Method 'setRolePrefix' is marked deprecated

          When I attempt the same fix on my Windows 7 environment, the warnings do not appear.

          Both environments use STS 2.9.2.RELEASE, build 201205071000.



          • #6
            My guess is that one project has marked the project as a Spring Project with the xml file being validated and the other is not. The warnings are really nothing to worry about. If you are interested #2 will be resolved in Spring Security 3.1.2 as part of SEC-1909. I am not sure exactly what is causing #1, but I logged SEC-2021 to look into it. In short, the warnings are annoying, but will not cause any problems.



            • #7
              Understood. Thanks for the thorough and quick response!



              • #8
                Similar to the original post in this thread, how can I configure <ldap-authentication-provider> to load my custom authorities mapper?

                Basically, given THIS:
                AbstractLdapAuthenticationProvider.setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)

                and THIS:
                <!-- implements GrantedAuthoritiesMapper -->
                <beans:bean id="authoritiesMapper2" class="***.***.CustomAuthoritiesMapper">
                    <beans:property name="rolesMap">
                        <beans:map>
                            <beans:entry key="ldapGroup1" value="role1"/>
                            <beans:entry key="ldapGroup2" value="role2"/>
                        </beans:map>
                    </beans:property>
                </beans:bean>

                I would like to do THIS:
                <security:ldap-authentication-provider ... authorities-mapper="authoritiesMapper2"/>

                Is this possible?

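As an added example (not code from the thread, and not part of Spring Security itself), here is a CustomAuthoritiesMapper matching the bean definition in #8: it implements GrantedAuthoritiesMapper, takes the rolesMap property, and treats that map as an allow-list, so LDAP groups that are not mapped never become application roles. The package name is an assumption, since the post elides it. The class comment also shows the wiring: the Spring Security 3.1 <ldap-authentication-provider> element has no authorities-mapper attribute, but an LdapAuthenticationProvider declared as an ordinary bean (like the ldapProvider bean in the first post) can be given the mapper and plugged in through <authentication-provider ref="..."/>.

```java
// Added example, not code from the thread or from Spring Security itself.
// The package is an assumption (post #8 elides it as ***.***); the class name,
// the bean id "authoritiesMapper2" and the rolesMap property match that post.
package example.ldap;

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

/**
 * Allow-list mapper from LDAP group names to application roles.
 *
 * Only groups that appear in rolesMap yield a role; every other authority is
 * discarded, so a group created in the directory tomorrow confers nothing in
 * the application until it is mapped here, and raw directory group names
 * never reach access decisions.
 *
 * Wiring (Spring Security 3.1): the ldap-authentication-provider element has
 * no authorities-mapper attribute, so declare LdapAuthenticationProvider as a
 * bean (as in the first post's "ldapProvider" definition), add
 *
 *   <beans:property name="authoritiesMapper" ref="authoritiesMapper2"/>
 *
 * to it, and reference it with
 *
 *   <authentication-manager>
 *     <authentication-provider ref="ldapProvider"/>
 *   </authentication-manager>
 */
public class CustomAuthoritiesMapper implements GrantedAuthoritiesMapper {

    private static final String ROLE_PREFIX = "ROLE_";

    /** Normalised group name (upper-case, prefix stripped) -> role name. */
    private Map<String, String> rolesMap = Collections.emptyMap();

    /**
     * Injected from the rolesMap property. DefaultLdapAuthoritiesPopulator
     * by default upper-cases the group and prefixes "ROLE_", so the authority
     * for group "ldapGroup1" arrives as "ROLE_LDAPGROUP1"; keys are normalised
     * the same way so either spelling in the XML matches.
     */
    public void setRolesMap(Map<String, String> rolesMap) {
        Map<String, String> normalised = new HashMap<String, String>();
        for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
            normalised.put(normalise(entry.getKey()), entry.getValue());
        }
        this.rolesMap = normalised;
    }

    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new LinkedHashSet<GrantedAuthority>();
        for (GrantedAuthority authority : authorities) {
            String role = rolesMap.get(normalise(authority.getAuthority()));
            if (role != null) {
                mapped.add(new SimpleGrantedAuthority(withPrefix(role)));
            }
            // unmapped groups fall through and are dropped on purpose
        }
        return mapped;
    }

    /** Strip a leading ROLE_ and upper-case so populator output and map keys agree. */
    private static String normalise(String name) {
        String upper = name.trim().toUpperCase(Locale.ENGLISH);
        return upper.startsWith(ROLE_PREFIX) ? upper.substring(ROLE_PREFIX.length()) : upper;
    }

    /** hasRole("X") checks for "ROLE_X", so make sure the emitted role carries the prefix. */
    private static String withPrefix(String role) {
        String trimmed = role.trim();
        return trimmed.startsWith(ROLE_PREFIX) ? trimmed : ROLE_PREFIX + trimmed;
    }
}
```

Because the populator's default output is ROLE_ plus the upper-cased group name, keys such as ldapGroup1 are normalised before lookup. If the populator has been configured with a different prefix or with convertToUpperCase set to false, adjust normalise() to match; otherwise every group silently fails to map and users authenticate with no roles at all, which is the safe failure direction but not a useful one.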
