Thread: help configuring LDAP server with externalized variables

  1. #1

    Question help configuring LDAP server with externalized variables

    I'm creating a POC based on the Spring Security LDAP sample, but want to externalize my LDAP config settings (url, manager-DN, manager-password) into JNDI environment entries. The only way I can see this being possible is by going from a config like this:

    Code:
    <s:ldap-server ldif="classpath:users.ldif" port="33389"/>
    <s:authentication-manager>
        <s:ldap-authentication-provider
            group-search-filter="member={0}"
            group-search-base="ou=groups"
            user-search-base="ou=people"
            user-search-filter="uid={0}"
        />
    </s:authentication-manager>
    to something like this:

    Code:
    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg>
            <jee:jndi-lookup jndi-name="jndi/common/ldap/providerUrl"/>
        </beans:constructor-arg>
        <beans:property name="userDn">
            <jee:jndi-lookup jndi-name="jndi/common/ldap/principal"/>
        </beans:property>
        <beans:property name="password">
            <jee:jndi-lookup jndi-name="jndi/common/ldap/credentials"/>
        </beans:property>
    </beans:bean>

    <beans:bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>uid={0},cn=users</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="cn=groups"/>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
    But is all this extra setup necessary? Is there no way to simply wire the <ldap-server> tag with the appropriate settings? I see that the tag has "url", "manager-dn", and "manager-password" attributes, but can JNDI values be injected into attribute values?

    This JIRA request is similar to what I'm looking for, sans the part about using Tomcat realms:
    https://jira.springsource.org/browse/SEC-871

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    You can use property placeholders or SpEL expressions. An example of each can be seen below, but you can see the previous links for more details:

    Code:
    <ldap-server ldif="classpath:users.ldif" 
        manager-dn="#{env['username']}"
        manager-password="#{ldapPassword}"
        url="${url}"/>
    
    <context:property-placeholder properties-ref="env"/>
    
    <util:properties id="env">
      <prop key="username">uid=admin,ou=system</prop>
      <prop key="url">ldap://127.0.0.1:33388/dc=springframework,dc=org</prop>
    </util:properties>
    
    <jee:jndi-lookup jndi-name="jndi/common/ldap/credentials" id="ldapPassword"/>
    Last edited by Rob Winch; Aug 1st, 2012 at 09:18 AM.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3

    That worked, thanks. But I do get a warning "Referenced bean 'org.springframework.security.securityContextSource' not found". Why might that be?

    Code:
    <ldap-server url="#{ldapUrl}" manager-dn="#{ldapUserDN}" manager-password="#{ldapPassword}"/>

    <authentication-manager>
        <ldap-authentication-provider
            user-search-base="cn=users"
            user-search-filter="uid={0}"
            group-search-base="cn=groups"
            group-search-filter="member={0}"
        />
    </authentication-manager>

    <jee:jndi-lookup jndi-name="jndi/common/ldap/providerUrl" id="ldapUrl"/>
    <jee:jndi-lookup jndi-name="jndi/common/ldap/principal" id="ldapUserDN"/>
    <jee:jndi-lookup jndi-name="jndi/common/ldap/credentials" id="ldapPassword"/>

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    When do you get this warning (i.e. in STS, in the console at startup, when a user logs in)?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5

    Oops, sorry for not being clear on that. When applying the fix above on my Macbook Pro, OS X 10.7.4, two warning alerts appear along the side of the <authentication-manager> tag when I view the security context XML in STS:

    1) Referenced bean 'org.springframework.security.securityContextSource' not found
    2) Method 'setRolePrefix' is marked deprecated

    When I attempt the same fix on my Windows 7 environment, the warnings do not appear.

    Both environments use STS 2.9.2.RELEASE, build 201205071000.

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826

    My guess is that one project has marked the project as a Spring Project with the xml file being validated and the other is not. The warnings are really nothing to worry about. If you are interested #2 will be resolved in Spring Security 3.1.2 as part of SEC-1909. I am not sure exactly what is causing #1, but I logged SEC-2021 to look into it. In short, the warnings are annoying, but will not cause any problems.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  7. #7

    Understood. Thanks for the thorough and quick response!

  8. #8

    Similar to the original post in this thread, how can I configure <ldap-authentication-provider> to load my custom authorities mapper?

    Basically, given THIS:
    AbstractLdapAuthenticationProvider.setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)

    and THIS:
    <!-- implements GrantedAuthoritiesMapper -->
    <beans:bean id="authoritiesMapper2" class="***.***.CustomAuthoritiesMapper">
        <beans:property name="rolesMap">
            <beans:map>
                <beans:entry key="ldapGroup1" value="role1"/>
                <beans:entry key="ldapGroup2" value="role2"/>
            </beans:map>
        </beans:property>
    </beans:bean>

    I would like to do THIS:
    <security:ldap-authentication-provider ... authorities-mapper="authoritiesMapper2"/>

    Is this possible?
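As an added example (not code from the thread or from the Spring Security project), one way the CustomAuthoritiesMapper referenced in #8 could be written so that the rolesMap wiring shown above works. The package name is a placeholder for the elided `***.***`, and the handling of the `ROLE_` prefix assumes DefaultLdapAuthoritiesPopulator's default prefixing and upper-casing of group names.

```java
package example.security; // placeholder for the ***.*** package in the post

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

// Translates the group authorities produced by DefaultLdapAuthoritiesPopulator
// into application roles via the rolesMap property wired in the XML above.
// Unmapped groups are dropped, so a directory group that was never mapped cannot grant a role.
public class CustomAuthoritiesMapper implements GrantedAuthoritiesMapper {

    private Map<String, String> rolesMap = Collections.emptyMap();

    // Target of <beans:property name="rolesMap">; keys are stored lower-cased
    // because the populator upper-cases group names by default (assumption).
    public void setRolesMap(Map<String, String> rolesMap) {
        Map<String, String> normalized = new HashMap<String, String>();
        for (Map.Entry<String, String> e : rolesMap.entrySet()) {
            normalized.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        }
        this.rolesMap = normalized;
    }

    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new LinkedHashSet<GrantedAuthority>();
        for (GrantedAuthority ldapAuthority : authorities) {
            String role = rolesMap.get(groupName(ldapAuthority.getAuthority()));
            if (role != null) {
                mapped.add(new SimpleGrantedAuthority(role));
            }
        }
        return mapped;
    }

    // Strip the populator's default "ROLE_" prefix and fold case so that
    // "ROLE_LDAPGROUP1" matches the "ldapGroup1" key from the XML.
    private static String groupName(String authority) {
        String name = authority.startsWith("ROLE_") ? authority.substring(5) : authority;
        return name.toLowerCase(Locale.ROOT);
    }
}
```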
