  • New Property for ldap-authentication-provider

    Hi:
    My compliments on the Security 2.0. It is really less verbose than Acegi 1.xx and I appreciate it. I'm still finding my way and I note one inconsistency (or at least what I think is inconsistent). The ldap-authentication-provider bean lacks a "searchSubtree" property. For the moment I have overcome it with my own version of DefaultLdapAuthoritiesPopulator with a default subtree search. Conceivably, I could go back to the Acegi format but the new structure is just too attractive. Could we or should we have a boolean to set the subtree search?
    Regards,
    Bob N-

  • #2
    I am hoping for the same thing.

    If you have your own populator, how do you configure spring security to use it using the new namespace configuration? Do you have to repackage your spring-security.jar?

    Thanks.

    -Feng



    • #3
      The default should definitely be to do a subtree search, so that should certainly be changed if it's not the case at the moment. Repackaging the jar isn't a very good idea though. A BeanPostProcessor could be used to set the property on the DefaultLdapAuthoritiesPopulator and would be less drastic.
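
The BeanPostProcessor approach suggested in #3, as an added example that is not part of the original thread or of Spring Security itself. The class name `SubtreeSearchPostProcessor` and its package are hypothetical, and the example assumes the populator created by the namespace element is passed through the context's post-processors like any other bean:

```java
package com.example.security; // hypothetical package

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator;

/**
 * Sets searchSubtree on every DefaultLdapAuthoritiesPopulator in the
 * application context, so the namespace configuration can be kept
 * without repackaging the jar or replacing the populator class.
 *
 * Subtree scope means group entries at any depth below the group search
 * base can become granted authorities, so keep that base limited to the
 * branch that is meant to define roles.
 */
public class SubtreeSearchPostProcessor implements BeanPostProcessor {

    // Configurable so the same class can also restore one-level scope.
    private boolean searchSubtree = true;

    public void setSearchSubtree(boolean searchSubtree) {
        this.searchSubtree = searchSubtree;
    }

    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        // Only touch the LDAP authorities populator; leave all other beans alone.
        if (bean instanceof DefaultLdapAuthoritiesPopulator) {
            ((DefaultLdapAuthoritiesPopulator) bean).setSearchSubtree(searchSubtree);
        }
        return bean;
    }

    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        // Nothing to do after initialization; return the bean unchanged.
        return bean;
    }
}
```

Declaring this class as an ordinary bean in the same application context is enough for the container to apply it; no other bean needs to reference it.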



      • #4
        I solved this by declaring ldap authenticator using the conventional bean definition syntax so that I can set the searchSubtree property to true for the ldap authorities populator. My configuration follows. It is not as concise as the namespace configuration but will be good enough for now.

        Code:
        <ldap-server id="ldapServer"
                     url="ldap://myadserver:389/dc=mycompany,dc=com"
                     manager-dn="domain\manager"
                     manager-password="secret" />

        <ldap-user-service user-search-base="ou=people"
                           user-search-filter="(sAMAccountName={0})"
                           server-ref="ldapServer"/>

        <beans:bean id="ldapAuthProvider"
                    class="org.springframework.security.providers.ldap.LdapAuthenticationProvider"
                    autowire="default">
            <custom-authentication-provider/>
            <beans:constructor-arg>
                <beans:bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                    <beans:constructor-arg ref="ldapServer"/>
                    <beans:property name="userSearch">
                        <beans:bean id="userSearch"
                                    class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                            <beans:constructor-arg index="0" value="ou=people"/>
                            <beans:constructor-arg index="1" value="(sAMAccountName={0})"/>
                            <beans:constructor-arg index="2" ref="ldapServer" />
                        </beans:bean>
                    </beans:property>
                </beans:bean>
            </beans:constructor-arg>
            <beans:constructor-arg>
                <beans:bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <beans:constructor-arg ref="ldapServer"/>
                    <beans:constructor-arg value="ou=Groups"/>
                    <beans:property name="groupRoleAttribute" value="cn"/>
                    <beans:property name="groupSearchFilter" value="(member={0})"/>
                    <beans:property name="searchSubtree" value="true"/>
                </beans:bean>
            </beans:constructor-arg>
        </beans:bean>
        Should I open a JIRA request to make subtree search default behavior?

        Thanks.

        -Feng



        • #5
          Please do. It should certainly be the default, at least for the namespace configuration.



          • #6
            JIRA item created:
            http://jira.springframework.org/browse/SEC-836
