External authentication using OpenLDAP


mmflynn

Getting external authentication to work with OpenLDAP was remarkably easy. Getting Acegi to pick up the LDAP roles took a bit of research. I'm attaching my working applicationContext-security.xml file in hopes that its examples and comments will save others some time.

Note: this is for a demo configuration with a very simple directory structure.

The attachment was corrupted somehow, so I am reposting. Here are the relevant sections:

<!-- For LDAP authentication -->
<!-- Credit for explanatory comments goes to:
     Bilal Siddiqui
     http://www.ibm.com/developerworks/java/library/j-acegi2/ -->

<!-- Configure the initial context -->
<!-- Sets the root node used for all operations, such as search -->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://susevm:389/dc=vmdomain"/>
  <!-- Authenticate with the LDAP directory server in order to perform search operations -->
  <property name="managerDn"><value>cn=Administrator,dc=vmdomain</value></property>
  <property name="managerPassword"><value>jasper</value></property>
</bean>

<!-- Configure an LDAP filter to locate users -->
<!-- Used to find users that LDAP cannot authenticate by constructing a DN from the DN patterns -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <!-- index 0: search base, relative to the root DN of the context (empty = the root itself) -->
  <constructor-arg index="0">
    <value></value>
  </constructor-arg>
  <!-- index 1: search filter; {0} is replaced by the login name -->
  <constructor-arg index="1">
    <value>(uid={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="initialDirContextFactory"/>
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

<!-- Configure the LDAP authentication provider -->
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg><ref local="authenticator"/></constructor-arg>
  <constructor-arg><ref local="populator"/></constructor-arg>
</bean>

<!-- Configure the authenticator bean -->
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
  <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
  <property name="userDnPatterns">
    <list>
      <value>uid={0},ou=people</value>  <!-- location where my user names are stored -->
      <value>uid={0},ou=group</value>   <!-- location where my LDAP business roles are stored -->
    </list>
  </property>
  <property name="userSearch"><ref local="userSearch"/></property>
</bean>

<!-- Configure the populator bean -->
<bean id="populator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
  <constructor-arg index="1"><value>ou=group</value></constructor-arg>
  <!-- groupRoleAttribute value = cn if desired role names are stored as LDAP groups -->
  <!-- groupRoleAttribute value = ou if desired role names are stored as organizational units -->
  <property name="groupRoleAttribute"><value>cn</value></property>
  <!-- Optionally, you can specify a "rolePrefix" property to change
       (or remove) the default ROLE_ prefix for role names.
       The following properties are shown with their default values:
       <property name="rolePrefix"><value>ROLE_</value></property>
       <property name="convertToUpperCase"><value>true</value></property>
       <property name="searchSubtree"><value>false</value></property>
  -->
  <!-- groupSearchFilter may not be necessary depending on how the LDAP directory is set up -->
  <!-- Modify the objectclass value for your environment. -->
  <!-- {0} is replaced by the full DN of the user -->
  <!-- {1} is replaced by the username -->
  <!-- Note the &amp; entity: a literal & is not valid inside an XML element value. -->
  <!--
  <property name="groupSearchFilter"><value>(&amp;(uid={0})(objectclass=posixgroup))</value></property>
  -->
</bean>

<bean id="JIAuthenticationSynchronizer" class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.MetadataAuthenticationProcessingFilter">
  <property name="externalUserService"><ref bean="userAuthorityService"/></property>
</bean>
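The following Python model is added here to show what the beans above do with a login; it is not code from the original post, from Acegi or from JasperServer. It assumes the root DN dc=vmdomain from the context URL, an in-memory stand-in for the directory populated with constructed users alice and bob, and a posixGroup layout in which membership is recorded in memberUid, so the group filter uses {1} (the username) rather than {0} (the user DN) as the populator comments describe. All function names are the model's own. The bind step tries each userDnPattern and then falls back to the userSearch filter, the populator step maps each matching group's groupRoleAttribute to a ROLE_ name, and every substituted value is escaped (RFC 4515 for filters, RFC 4514 for DNs) so that characters such as `*` or `)` in a login name cannot change the shape of the query that reaches the directory.

```python
# Added model (not Acegi's code) of the BindAuthenticator / DefaultLdapAuthoritiesPopulator
# beans: DN from userDnPatterns, fallback to userSearch, then groupSearchFilter with
# {0} = user DN and {1} = username, mapped through groupRoleAttribute/rolePrefix/convertToUpperCase.
import re

BASE_DN = "dc=vmdomain"                    # root DN carried in ldap://susevm:389/dc=vmdomain
GROUP_SEARCH_BASE = "ou=group," + BASE_DN  # the populator's "ou=group" argument, made absolute
USER_DN_PATTERNS = ["uid={0},ou=people"]
# Assumed posixGroup layout: members are listed by username, hence {1} rather than {0}.
GROUP_SEARCH_FILTER = "(&(memberUid={1})(objectclass=posixGroup))"

# Constructed in-memory directory standing in for OpenLDAP (attribute names lowercased).
DIRECTORY = {
    "uid=alice,ou=people,dc=vmdomain": {"uid": ["alice"], "userpassword": ["s3cret"]},
    "uid=bob,ou=people,dc=vmdomain": {"uid": ["bob"], "userpassword": ["hunter2"]},
    "cn=admin,ou=group,dc=vmdomain": {"cn": ["admin"], "objectclass": ["posixGroup"], "memberuid": ["alice"]},
    "cn=user,ou=group,dc=vmdomain": {"cn": ["user"], "objectclass": ["posixGroup"], "memberuid": ["alice", "bob"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def escape_dn_value(value):
    """RFC 4514 escaping for a value inserted into a DN pattern."""
    out = "".join("\\" + c if c in '\\,+"<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def format_filter(template, *args):
    """Fill {0}, {1}, ... with escaped values, as a parameterised JNDI search does."""
    return template.format(*[escape_filter_value(a) for a in args])

def value_regex(raw):
    """Filter value to regex: an unescaped '*' is a wildcard, '\\XX' is one literal character."""
    out, i = "", 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3] or ""):
            out += re.escape(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out += ".*" if raw[i] == "*" else re.escape(raw[i])
            i += 1
    return re.compile(out, re.IGNORECASE)  # string matching is case-insensitive in this model

def parse_filter(text):
    """Parse the RFC 4515 subset used on this page: (attr=value), (&...), (|...), (!...)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos} in {text!r}")
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value_regex(value))
    return node()

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, regex = node
    return any(regex.fullmatch(v) for v in entry.get(attr, []))

def search(base, filter_text, subtree=True):
    """(dn, entry) pairs under base that satisfy the filter; one level deep unless subtree=True."""
    node, hits = parse_filter(filter_text), []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        if not subtree and "," in dn[:-len(base) - 1]:  # more than one RDN below base
            continue
        if matches(node, entry):
            hits.append((dn, entry))
    return hits

def bind_authenticate(username, password, dn_patterns=USER_DN_PATTERNS, user_search="(uid={0})"):
    """DN of the first candidate whose bind succeeds, or None (same answer whichever step failed)."""
    candidates = [p.format(escape_dn_value(username)) + "," + BASE_DN for p in dn_patterns]
    candidates += [dn for dn, _ in search(BASE_DN, format_filter(user_search, username))]
    for dn in candidates:
        entry = DIRECTORY.get(dn)
        if entry and password in entry.get("userpassword", []):
            return dn
    return None

def load_authorities(user_dn, username, group_search_base=GROUP_SEARCH_BASE, group_role_attribute="cn",
                     group_search_filter=GROUP_SEARCH_FILTER, role_prefix="ROLE_",
                     convert_to_upper_case=True, search_subtree=False):
    """One role per matching group entry, using the populator's documented default settings."""
    filter_text = format_filter(group_search_filter, user_dn, username)
    roles = set()
    for _, entry in search(group_search_base, filter_text, search_subtree):
        for value in entry.get(group_role_attribute.lower(), []):
            roles.add(role_prefix + (value.upper() if convert_to_upper_case else value))
    return sorted(roles)
```

Running `load_authorities(bind_authenticate("alice", "s3cret"), "alice")` yields `['ROLE_ADMIN', 'ROLE_USER']`, which is what the `ou=group` / `cn` settings in the populator bean produce for a user listed in both groups; passing `group_role_attribute="ou"` is the organizational-unit variant the comments mention, and `role_prefix=""` with `convert_to_upper_case=False` keeps the raw group names. The populator's default `(member={0})` filter returns no roles against a posixGroup layout, which is the case the page's `groupSearchFilter` comment exists for. Two checks worth keeping around: a login of `*` finds no user once the filter value is escaped, while the raw filter `(uid=*)` would match everyone, and a failed bind returns the same `None` whether the DN pattern or the password was wrong, so the login form cannot be used to enumerate accounts.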