spring-ws, acegi and ldap?

  • spring-ws, acegi and ldap?

    I have a web service that I've created using spring-ws and acegisecurity. It works well sending a username and password via basic authentication against an in-memory dao for testing. I'd like to swap that userDetailsService for one that uses Ldap. Maybe I'm missing something obvious (I hope I am) but it isn't clear to me how to proceed. Is there an LdapDaoImpl that would work here?

  • #2
    Well, there is certainly LDAP support in Acegi, see Theoretically, you can replace the DaoAuthenticationProvider with the LdapAuthenticationProvider.

    I haven't tried this though, so you're probably better off asking help about this in the Acegi forum.

    Good luck!


    • #3
      making progress

      I have made progress with various authentication mechanisms, including LDAP with Spring-ws and acegi. It is a bit more than just replacing daoAuthenticationProvider with LdapAuthenticationProvider since Dao... uses a userDetailsService whereas ldap doesn't and has a more complicated config.
      The xml for both is included below.
      I'm testing authentication from .Net to Spring-ws with hashed password to memory, hashed to jdbc, plaintext to memory, plaintext to jdbc and plaintext to ldap.
      I'm still trying to see if I can find a way to get hashed to ldap to work, but since the password is used for the ldap bind this approach is different than the comparison of the entered password and the stored password of the other approaches.
      Just thought I'd follow up on this thread since the previous entry indicated that ldap integration should be possible - and it is.

      <!-- DaoAuthenticationProvider wired into the ProviderManager -->
      <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
          <property name="providers">
              <list>
                  <bean class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
                      <property name="userDetailsService" ref="userDetailsService"/>
                  </bean>
              </list>
          </property>
      </bean>

      <!-- LdapAuthenticationProvider: first constructor arg is the authenticator (bind),
           second is the populator that maps directory groups to granted authorities -->
      <bean id="ldapAuthProvider" class="springSupport.LdapAuthenticationProvider">
          <constructor-arg index="0">
              <bean class="springSupport.BindAuthenticator">
                  <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
                  <property name="userSearch" ref="userSearch"/>
              </bean>
          </constructor-arg>
          <constructor-arg index="1">
              <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                  <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
                  <constructor-arg index="1"><value>OU=Security Groups,OU=myDomain,DC=mytest,DC=com</value></constructor-arg>
                  <!-- the values of the following properties were not included in the post -->
                  <property name="convertToUpperCase" value="[omitted in post]"/>
                  <property name="rolePrefix" value="[omitted in post]"/>
                  <property name="searchSubtree" value="[omitted in post]"/>
                  <property name="groupSearchFilter" value="[omitted in post]"/>
                  <property name="groupRoleAttribute" value="[omitted in post]"/>
              </bean>
          </constructor-arg>
      </bean>


      • #4
        Great news!


        • #5
          That's really impressive farrellr.

          You say, WS-Security cleartext-pw to ldap is no problem? That's something I also wanted to try. Thank you!

          I also would find it interesting to know if "hashed to ldap" is possible. I'm not quite sure, but if I use WS-Security, my password hash is created with a nonce and a timestamp. Is it possible to do an authentication at ldap with a nonce and a timestamp as "parameter"?




          • #6

            I'm currently working against active directory using Ldap.
            I do think there are potential ways to pass a hashed password to ldap for that but I haven't gotten around to doing it. I think it depends on how you configure the schema in the ldap directory.
            What I've read on the MS side makes me think it's possible but I need to do it.
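
The difference raised in #3 and #5, as an added example that is not from any of the posts above: a WS-Security PasswordDigest token can be checked against a store that yields the cleartext password (the in-memory and JDBC cases), while an LDAP simple bind needs the cleartext itself, which a digest token never carries. Usernames, passwords, clock values and the `fake_ldap_bind` stand-in are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed clock values for the example (not real captured traffic).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_STALE = SAMPLE_NOW - timedelta(hours=1)

def make_digest_token(username, password, created):
    """Client side: WSS UsernameToken with PasswordDigest =
    Base64(SHA-1(nonce + Created + password)). The password itself is never sent."""
    nonce = os.urandom(16)
    created_str = created.strftime(TS_FMT)
    digest = hashlib.sha1(nonce + created_str.encode() + password.encode()).digest()
    return {"type": "PasswordDigest", "username": username,
            "nonce": base64.b64encode(nonce).decode(),
            "created": created_str, "digest": base64.b64encode(digest).decode()}

def verify_digest(token, stored_password, now, seen_nonces, max_skew=timedelta(minutes=5)):
    """Server side with a password store (in-memory/JDBC): recompute the digest.
    This only works if the store can hand back the cleartext password."""
    created = datetime.strptime(token["created"], TS_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > max_skew:
        return False                      # stale Created: outside the replay window
    if token["nonce"] in seen_nonces:
        return False                      # nonce already used: replayed token
    nonce = base64.b64decode(token["nonce"])
    expected = hashlib.sha1(nonce + token["created"].encode() + stored_password.encode()).digest()
    if not hmac.compare_digest(base64.b64decode(token["digest"]), expected):
        return False
    seen_nonces.add(token["nonce"])       # remember the nonce for the replay check
    return True

def verify_by_bind(token, ldap_bind):
    """Server side with LDAP: the directory checks the password in a simple bind.
    A PasswordText token carries the password and can be bound with; a PasswordDigest
    token carries only SHA-1(nonce + Created + password), so there is nothing to bind."""
    if token["type"] == "PasswordText":
        return ldap_bind(token["username"], token["password"])
    return False

def fake_ldap_bind(username, password):
    """Constructed stand-in for the directory's simple bind: one known user."""
    return (username, password) == ("alice", "s3cret")
```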


            • #7
              a few more comments

              I should also point out that MS active directory ldap is accessed a bit differently than the more standard implementations (sun, iplanet, oracle, ...).
              I'm happy to post my example for anyone interested but it would probably need some changes in the searching for the other directories (but functionally should be equivalent).
              This thread here shows some examples that are helpful in determining that part.