Performing LDAP User Search

You need to set up the configuration file with search parameters for locating your users in the LDAP directory. The sample files use the BindAuthenticator class to locate LDAP users.

One of the most common problems in configuring LDAP for JasperReports Server is setting up the correct search to locate the users you want to map. LDAP is a rich and complex structure, with many possible variations, and LDAP directories tend to grow in complexity over time. In order to successfully map your users from LDAP to JasperReports Server, you need to understand the directory server tree structure of your LDAP server. Be aware that branches can be password protected and a single keyword can be used in different ways in different contexts. It can be helpful to use an open-source LDAP browser, such as Apache Directory Server/Studio or JXplorer, to view and navigate your LDAP directory while troubleshooting LDAP user search problems.

Configuring BindAuthenticator

In Spring Security, the task of the BindAuthenticator bean is to access the LDAP directory to determine the DN of the user. To do this, it performs a bind authentication on the LDAP directory, which consists of the following steps:

1. Find a candidate user entry for the login name, either by substituting the login name into a DN pattern or by searching the directory for it.
2. Attempt to log in to the LDAP server (known as binding) as the candidate entry, using the password supplied at login.
3. A successful bind indicates that the right user was found and that the password is valid.

The ldapAuthenticationProvider bean must be initialized with a bean of the class BindAuthenticator that encapsulates search parameters for finding users in the LDAP directory. There are two ways of finding users in the directory:

Matching RDN patterns based on the login name provided by the user. Use this method if the login name appears in the DN of your user entries, and your user entries are in a fixed branch of your LDAP directory. Configure the userDnPatterns property in the BindAuthenticator bean to enable matching.
Performing a search for the login name provided by the user. Use this method if the login name is the value of an attribute that does not appear in the RDN, or if your user entries are located in a more complex structure. In particular, if you are authenticating users for one or more organizations, it is likely that user entries are in multiple branches of your directory. Configure the userSearch helper bean to enable this type of search.

In terms of performance, matching patterns is faster because doing so checks for the existence of a DN in the LDAP directory as opposed to performing a search. You can configure both matching and searching by combining the instructions in the following subsections. In this case, the patterns are matched first, and the search is performed only if no match is found.
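The following Spring bean definitions show both methods configured together, as described above. This is an added example, not a copy of the JasperReports Server sample files: it uses the standard Spring Security LDAP classes (BindAuthenticator, FilterBasedLdapUserSearch, DefaultSpringSecurityContextSource, LdapAuthenticationProvider), whereas the product's sample files may wrap these in their own classes. The server URL, base DN, branch names, service account DN and the userDnPatterns/search filter values are constructed placeholders to be replaced with the values from your own directory.

```xml
<!-- Connection to the directory. The base DN in the URL becomes the root
     against which userDnPatterns and the userSearch base are resolved.
     All values below are constructed placeholders (added example). -->
<bean id="ldapContextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldap://ldap.example.com:389/dc=example,dc=com"/>
  <!-- Service account used only to run the user search; a read-only
       account limited to the user branches is sufficient. -->
  <property name="userDn" value="cn=jasperserver-bind,ou=service,dc=example,dc=com"/>
  <property name="password" value="CHANGE_ME"/>
</bean>

<!-- Method 2: search helper bean. {0} is replaced with the login name and the
     filter is parameterized by Spring, so the login name is escaped rather
     than spliced into the filter string. searchSubtree=true lets the search
     descend into several organizational branches under ou=people. -->
<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0" value="ou=people"/>
  <constructor-arg index="1" value="(uid={0})"/>
  <constructor-arg index="2" ref="ldapContextSource"/>
  <property name="searchSubtree" value="true"/>
</bean>

<!-- Method 1 and 2 combined. Patterns are tried first (one bind attempt per
     pattern, relative to the base DN); the search runs only when no pattern
     yields a successful bind. -->
<bean id="bindAuthenticator"
      class="org.springframework.security.ldap.authentication.BindAuthenticator">
  <constructor-arg ref="ldapContextSource"/>
  <property name="userDnPatterns">
    <list>
      <!-- Fixed branch where the login name is the RDN value (constructed). -->
      <value>uid={0},ou=staff,ou=people</value>
    </list>
  </property>
  <property name="userSearch" ref="userSearch"/>
</bean>

<!-- Role lookup used by the provider; the group branch is a placeholder. -->
<bean id="ldapAuthoritiesPopulator"
      class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="ldapContextSource"/>
  <constructor-arg index="1" value="ou=groups"/>
</bean>

<!-- The provider the text refers to, initialized with the BindAuthenticator. -->
<bean id="ldapAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg index="0" ref="bindAuthenticator"/>
  <constructor-arg index="1" ref="ldapAuthoritiesPopulator"/>
</bean>
```

Two points worth checking when adapting this: the service account in the context source only needs read access to the branches the userSearch covers, since the user's own credentials are what perform the authenticating bind; and Spring's BindAuthenticator refuses to attempt a bind with an empty password, so a directory that permits unauthenticated binds does not turn a blank password into a successful login through this path.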

The purpose of the user search during LDAP authentication is to locate a single user entry that validates the password given during the login process. Also, the LDAP entry located by the user search is later used to map roles and organizations. Regardless of the LDAP entry, the user is assigned the login name given during the login process.

Each time a user logs in, their roles and status are updated via your chosen method and synchronized with the internal jasperserver database. If you want to disable an external user or modify their external roles, you must do so in your LDAP directory.