Announcement Announcement Module
No announcement yet.
RememberMeServices and LDAP Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • RememberMeServices and LDAP


    I've currently got Acegi's ProviderManager using an inmemDaoProvider followed by an LDAP Dao Provider (old school LdapPasswordAuthenticationDao). I have RememberMeServices setup to use the inmemdao.

    What I actually need is for the remembermeservices to apply to the LDAP authenticating users. Therefore, I need an LDAP implementation of UserDetailsService. Surely, i'm not the first one... has somebody else implemented this already?

    Bottomline: How can I get RememberMeServices to authenticate the cookie's of LDAP users?
    Last edited by James K; Feb 9th, 2006, 04:04 PM.

  • #2

    I gave quite a bit of thought to the provision of a UserDetailsService as part of the LDAP provider when I was writing it. However, the authentication process is often directly linked to retrieving the user information (via a bind), so it doesn't quite fit the pattern in that case.

    So it's been on my mind that an LDAP version is something that's likely to be of use elsewhere in the project. I just haven't got round to creating it. My initial thoughts were that it should be possible to combine a UserSearch instance and an AuthoritiesPopulator (from the LDAP provider package). If you configure these beans in the same way as they are used for authentication, the user details service would then be straightforward enough - something like:

    LdapUserDetailsService implements UserDetailsSerice {
        LdapUserSearch search;
        LdapAuthoritiesPopulator populator;
        public UserDetails loadUserByUsername(String username) {
            LdapUserInfo ldapUser = search.searchForUser(username);
            Attributes attrs = ldapUser.getAttributes();
            GrantedAuthority[] authorities =  
                                      usernave, ldapUser.getDN(), attrs);
           // Combine retrieved information to create a UserDetails object.

    P.S. Of course this is only relevant with the new classes.


    • #3
      does anybody have a working example of this?

      i'm not sure how to correctly wire in my customLdapUserDetailsService for normal authenication. if i need a custom user object would i better off adding to my customLdapUserDetailService or to extend the LdapAuthenticationProvider bean and override the createUserDetails method (

      Last edited by denov; Aug 31st, 2006, 07:11 PM.


      • #4
        A simple LdapDaoImpl class

        Since i needed this support as well, i wrote a class that seems to work, but has not been put through the wringer. Your mileage may vary.

        package org.acegisecurity.userdetails.ldap;
        import org.acegisecurity.GrantedAuthority;
        import org.acegisecurity.ldap.LdapUserSearch;
        import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
        import org.acegisecurity.userdetails.User;
        import org.acegisecurity.userdetails.UserDetails;
        import org.acegisecurity.userdetails.UserDetailsService;
        import org.springframework.beans.factory.InitializingBean;
        import org.springframework.util.Assert;
        public class LdapDaoImpl implements UserDetailsService, InitializingBean
            LdapUserSearch           ldapUserSearch;
            LdapAuthoritiesPopulator ldapAuthoritiesPopulator;
            public void afterPropertiesSet() throws Exception
                Assert.notNull(this.ldapUserSearch, "An LDAP search object must be set");
                Assert.notNull(this.ldapAuthoritiesPopulator, "An LDAP authorities populator must be set");
            public UserDetails loadUserByUsername(String username)
                LdapUserDetails ldapUserDetails = ldapUserSearch.searchForUser(username);
                GrantedAuthority[] authorities = ldapAuthoritiesPopulator.getGrantedAuthorities(ldapUserDetails);
                return new User(username, "empty_password", true, true, true, true, authorities);
            public LdapAuthoritiesPopulator getLdapAuthoritiesPopulator()
                return ldapAuthoritiesPopulator;
            public void setLdapAuthoritiesPopulator(LdapAuthoritiesPopulator ldapAuthoritiesPopulator)
                this.ldapAuthoritiesPopulator = ldapAuthoritiesPopulator;
            public LdapUserSearch getLdapUserSearch()
                return ldapUserSearch;
            public void setLdapUserSearch(LdapUserSearch ldapUserSearch)
                this.ldapUserSearch = ldapUserSearch;
        The relevant beans from the xml:

            <bean id="ldapDaoImpl" class="org.acegisecurity.userdetails.ldap.LdapDaoImpl">
                <property name="ldapUserSearch" ref="ldapUserSearch" />
                <property name="ldapAuthoritiesPopulator" ref="ldapAuthoritiesPopulator" />
            <bean id="ldapAuthoritiesPopulator"
                <constructor-arg index="0" ref="initialDirContextFactory" />
                <constructor-arg index="1" value="OU=Groups,OU=Main,DC=yourcompany,DC=com" />
                <property name="groupRoleAttribute" value="CN" />
                <property name="rolePrefix" value="ROLE_" />
                <property name="convertToUpperCase" value="true" />
                <property name="searchSubtree" value="true" />
                <property name="groupSearchFilter" value="(member={0})" />
            <bean id="ldapUserSearch" class="">
                <constructor-arg index="0" value="OU=Locations,OU=Main,DC=yourcompany,DC=com" />
                <constructor-arg index="1" value="uid={0}" />
                <constructor-arg index="2" ref="initialDirContextFactory" />
                <property name="searchSubtree" value="true" />
            <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
                <constructor-arg value="ldap://" />
                <property name="managerDn" value="simple_login_with_ldap_access" />
                <property name="managerPassword" value="simple_login_s_password" />