wrong configuration LDAP and spring security

[wiesel82]

Hi,

I plan to use LDAP on Jboss with Spring Security Framework.
My first test runs successfully with following structure and configuration (buttom).

ou=people,dc=test,dc=server
uid="username"

Now i what to find a way to extend this configuration to find the users in the following structure.

cn="FULL NAME",ou=people,dc=test,dc=server
uid="username"

But i don't know what i need to change in the configuration.
If i have a User "foo bar" with uid "bar" the structure is

cn="foo bar",ou=people,dc=test,dc=server
uid="bar"

Is it possible to get the full name to complete the search string where the user with password can be find?
Or can i use easily wildcard in the constructor-arg of the userSearch Bean.

for example:

Code:

       <bean id="userSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0" value="ou=people"/>
            <constructor-arg index="1" value="cn=*"/>
            <constructor-arg index="2" value="(uid={0})"/>
            <constructor-arg index="3" ref="contextSource" />
        </bean>

Code:

    <security:http auto-config="false" access-denied-page="/aa/login/login-repeated.html"
        path-type="regex" entry-point-ref="authenticationProcessingFilterEntryPoint">
        <security:intercept-url pattern="/aa/login[^/].*$" access="IS_AUTHENTICATED_FULLY"/>
        <security:intercept-url pattern="/.*" filters="none" />
        <security:form-login
            authentication-failure-url="/aa/login/login-repeated.html"
            default-target-url="/aa/login/missing-target.html" />
    </security:http>

    <bean id="authenticationProcessingFilterEntryPoint" 
            class="de.escidoc.core.aa.springsecurity.EscidocAuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/aa/login/login.html"/>
    </bean>

        <bean id="contextSource"
            class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <constructor-arg value="ldap://127.0.0.1:389/dc=test,dc=server"/>
        </bean>

        <bean id="userSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0" value="ou=people"/>
            <constructor-arg index="1" value="(uid={0})"/>
            <constructor-arg index="2" ref="contextSource" />
        </bean>

        <bean id="ldapAuthProvider"
            class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg>
                <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg ref="contextSource"/>
                    <property name="userSearch" ref="userSearch" />
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg ref="contextSource"/>
                    <constructor-arg value="ou=group"/>
                    <property name="groupRoleAttribute" value="cn"/>
                    <property name="groupSearchFilter" value="(memberUid={1})"/>
                    <property name="rolePrefix" value=""/>
                    <property name="convertToUpperCase" value="false"/>
                </bean>
            </constructor-arg>
            <property name="userDetailsContextMapper">
                <bean class="de.escidoc.core.aa.ldap.EscidocLdapContextMapper"/>
            </property>
            <security:custom-authentication-provider />
        </bean>

Best regards
Wiesel

[Rob Winch]

Try using an empty String for the search base. For example:

Code:

<bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userSearch">
                <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                  <constructor-arg index="0" value=""/>
                  <constructor-arg index="1" value="(uid={0})"/>
                  <constructor-arg index="2" ref="contextSource" />
                </bean>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource" />
            <constructor-arg value="ou=groups" />
            <property name="groupSearchFilter" value="(member={0})"/>
            <property name="rolePrefix" value="ROLE_"/>
            <property name="searchSubtree" value="true"/>
            <property name="convertToUpperCase" value="true"/>
        </bean>
    </constructor-arg>
</bean>

Depending on your version of Spring Security, you could do something similar with the namespace configuration:

Code:

    <security:authentication-manager>
        <security:ldap-authentication-provider
            group-search-filter="member={0}"
            group-search-base="ou=groups"
            user-search-base=""
            user-search-filter="uid={0}"
        />
    </security:authentication-manager>

[wiesel82]

Hi,
thank you.

It works fine with your solution and i found also a second solution which work.

<bean id="userSearch"
class="org.springframework.security.ldap.search.Fi lterBasedLdapUserSearch">
<constructor-arg index="0" value="ou=people"/>
<constructor-arg index="1" value="(&amp;(uid={0})(cn=*))"/>
<constructor-arg index="2" ref="contextSource" />
</bean>

Best regards

Wiesel