mmflynn Posted February 20, 2008

Getting external authentication to work with Open LDAP was remarkably easy. Getting Acegi to pick up the LDAP roles took a bit of research. I'm attaching my working applicationContext-security.xml file in hopes that its examples and comments will save others some time. Note: this is for a demo configuration with a very simple directory structure.

[file name=applicationContext_security-da25a544c617052f845e5c4613767cf9.xml size=38483]
mmflynn Posted August 27, 2008 (author)

The attachment was corrupted somehow, so I am reposting. Here are the relevant sections:

```xml
<!-- For LDAP authentication -->
<!-- Credit for explanatory comments goes to: Bilal Siddiqui
     http://www.ibm.com/developerworks/java/library/j-acegi2/ -->

<!-- Configure the initial context -->
<!-- Sets the root node used for all operations, such as search -->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://susevm:389/dc=vmdomain"/>
  <!-- Authenticate with LDAP directory server in order to perform search operations -->
  <property name="managerDn"><value>cn=Administrator,dc=vmdomain</value></property>
  <property name="managerPassword"><value>jasper</value></property>
</bean>

<!-- Configure an LDAP filter to locate users -->
<!-- Used to find users that LDAP cannot authenticate by constructing a DN from the DN patterns -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <!-- index 0: search base, relative to the root set above (empty = whole tree) -->
  <constructor-arg index="0">
    <value></value>
  </constructor-arg>
  <!-- index 1: search filter; {0} is replaced with the login name -->
  <constructor-arg index="1">
    <value>(uid={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="initialDirContextFactory" />
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

<!-- Configure the LDAP authentication provider -->
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg><ref local="authenticator"/></constructor-arg>
  <constructor-arg><ref local="populator"/></constructor-arg>
</bean>

<!-- Configure the authenticator bean -->
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
  <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
  <property name="userDnPatterns">
    <list>
      <value>uid={0},ou=people</value> <!-- location where my user names are stored -->
      <value>uid={0},ou=group</value>  <!-- location where my LDAP business roles are stored -->
    </list>
  </property>
  <property name="userSearch"><ref local="userSearch"/></property>
</bean>

<!-- Configure the populator bean -->
<bean id="populator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
  <!-- index 1: group search base, relative to the root set above -->
  <constructor-arg index="1"><value>ou=group</value></constructor-arg>
  <!-- groupRoleAttribute value = cn if desired role names are stored as LDAP groups -->
  <!-- groupRoleAttribute value = ou if desired role names are stored as organizational units -->
  <property name="groupRoleAttribute"><value>cn</value></property>
  <!-- Optionally, you can specify a "rolePrefix" property to change (or remove) the default
       ROLE_ prefix for role names. The following properties are shown with their default values:
  <property name="rolePrefix"><value>ROLE_</value></property>
  <property name="convertToUpperCase"><value>true</value></property>
  <property name="searchSubtree"><value>false</value></property>
  -->
  <!-- groupSearchFilter may not be necessary depending on how the LDAP directory is set up -->
  <!-- Modify objectclass value for your environment. -->
  <!-- uid={0} uses the full DN of the user -->
  <!-- uid={1} uses the username -->
  <!-- Note: if you uncomment this, the ampersand must be written as &amp; inside the element,
       otherwise the Spring context file is not well-formed XML.
  <property name="groupSearchFilter"><value>(&amp;(uid={0})(objectclass=posixgroup))</value></property>
  -->
</bean>

<bean id="JIAuthenticationSynchronizer" class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.MetadataAuthenticationProcessingFilter">
  <property name="externalUserService"><ref bean="userAuthorityService"/></property>
</bean>
```
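To make the two halves of the posted configuration easier to read side by side, here is an added illustration (not part of the forum post, and not Acegi's own code) that models what a BindAuthenticator with userDnPatterns plus a userSearch fallback does, followed by what a DefaultLdapAuthoritiesPopulator does with groupSearchBase, groupRoleAttribute, rolePrefix and convertToUpperCase. The directory is a constructed in-memory dictionary shaped like the post's dc=vmdomain / ou=people / ou=group tree; group membership via memberUid, the sample users and passwords, and the simplified RFC 4514/4515 escaping helpers are all assumptions made for the example. The escaping step is the part worth noticing: the {0} and {1} placeholders in the filters are filled from user-controlled input, so the value has to be escaped before it goes into a search filter or a DN.

```python
"""Toy model of Acegi-style LDAP bind authentication + group-to-role population."""
import re

# Constructed sample directory: DN -> attributes (assumption, not from the post).
DIRECTORY = {
    "uid=alice,ou=people,dc=vmdomain": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,ou=people,dc=vmdomain": {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=admins,ou=group,dc=vmdomain": {"cn": ["admins"], "objectclass": ["posixgroup"], "memberUid": ["alice"]},
    "cn=users,ou=group,dc=vmdomain": {"cn": ["users"], "objectclass": ["posixgroup"], "memberUid": ["alice", "bob"]},
}
BASE_DN = "dc=vmdomain"                       # root node from the initialDirContextFactory URL

# Settings mirroring the posted beans (group filter uses memberUid: an assumption).
USER_DN_PATTERNS = ["uid={0},ou=people"]      # BindAuthenticator.userDnPatterns
USER_SEARCH_FILTER = "(uid={0})"              # FilterBasedLdapUserSearch filter, base "" = whole tree
GROUP_SEARCH_BASE = "ou=group"                # DefaultLdapAuthoritiesPopulator groupSearchBase
GROUP_SEARCH_FILTER = "(&(memberUid={1})(objectclass=posixgroup))"  # {0}=user DN, {1}=username
GROUP_ROLE_ATTRIBUTE = "cn"
ROLE_PREFIX = "ROLE_"
CONVERT_TO_UPPER_CASE = True


def escape_filter_value(value):
    """RFC 4515 escaping for values substituted into a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                 .replace(")", "\\29").replace("\x00", "\\00"))


def escape_dn_value(value):
    """Simplified RFC 4514 escaping for a value substituted into a DN pattern."""
    return re.sub(r'([,+"\\<>;=])', r'\\\1', value)


def _parse(filter_str, pos=0):
    """Parse a minimal LDAP filter: (attr=value), (&...), (|...)."""
    assert filter_str[pos] == "("
    pos += 1
    if filter_str[pos] in "&|":
        op, pos, children = filter_str[pos], pos + 1, []
        while filter_str[pos] == "(":
            child, pos = _parse(filter_str, pos)
            children.append(child)
        assert filter_str[pos] == ")"
        return (op, children), pos + 1
    end = filter_str.index(")", pos)
    attr, value = filter_str[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def _matches(node, entry):
    attrs = {k.lower(): v for k, v in entry.items()}
    if node[0] == "=":
        return node[2] in attrs.get(node[1], [])
    combine = all if node[0] == "&" else any
    return combine(_matches(child, entry) for child in node[1])


def search(base, filter_str):
    """Subtree search below `base` (relative to BASE_DN); returns matching DNs."""
    abs_base = f"{base},{BASE_DN}" if base else BASE_DN
    tree, _ = _parse(filter_str)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith("," + abs_base.lower()) and _matches(tree, entry)]


def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(username, password):
    """BindAuthenticator: try each DN pattern, then fall back to the userSearch filter."""
    for pattern in USER_DN_PATTERNS:
        dn = f"{pattern.format(escape_dn_value(username))},{BASE_DN}"
        if bind(dn, password):
            return dn
    hits = search("", USER_SEARCH_FILTER.format(escape_filter_value(username)))
    if len(hits) == 1 and bind(hits[0], password):
        return hits[0]
    return None


def load_authorities(user_dn, username):
    """DefaultLdapAuthoritiesPopulator: groups containing the user -> ROLE_ names."""
    filt = GROUP_SEARCH_FILTER.format(escape_filter_value(user_dn), escape_filter_value(username))
    roles = set()
    for dn in search(GROUP_SEARCH_BASE, filt):
        for name in DIRECTORY[dn].get(GROUP_ROLE_ATTRIBUTE, []):
            roles.add(ROLE_PREFIX + (name.upper() if CONVERT_TO_UPPER_CASE else name))
    return sorted(roles)


def login(username, password):
    """Returns (user DN, roles) on success, None on failure."""
    user_dn = authenticate(username, password)
    if user_dn is None:
        return None
    return user_dn, load_authorities(user_dn, username)


if __name__ == "__main__":
    print(login("alice", "s3cret"))      # ('uid=alice,ou=people,dc=vmdomain', ['ROLE_ADMINS', 'ROLE_USERS'])
    print(login("*)(uid=*", "x"))        # None: the wildcard is escaped, so the filter matches nothing
```

Reading the two halves this way also shows why the populator needs its own search base and attribute: the bind step only proves the password for one DN, and the role names come from a second search under ou=group whose results are turned into authorities by prefix and case conversion.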
gabrielinux Posted September 24, 2008

Thanks for the info. I also found a few ways to do this (with AD though, not Open LDAP) after lots of research: http://blog-gabriel.mongefranco.com/2008/06/active-directory-ad-authentication-for.html