LDAP for 2 weeks vs. $995 per incident


huwtrimet.org


Finally, it took me and another network engineer on and off for 2 weeks, plus Wireshark monitoring, to figure out how to configure LDAP with sAMAccountName authentication. Now I wonder whether the pay-per-incident service is worth the money if it can save me the time spent figuring out the configuration.

The trick for LDAP authentication to work with sAMAccountName is to use the UserSearch bean ONLY. You cannot use BindAuthenticator with sAMAccountName.

Also, there is a timing issue with the UserSearch: if you have the DAO authentication provider on while LDAP is on, your DAO provider may reject the LDAP user when the LDAP user search is slow.

Here is the code to make it work inside applicationContext-security.xml.

<!-- Connection to the directory; managerDn is the service account used for the user search -->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://server:port/dc=blah,dc=blah" />
  <property name="managerDn"><value>CN=blah,OU=blah,DC=blah,DC=blah</value></property>
  <property name="managerPassword"><value>blah</value></property>
  <!-- must have for user search from root -->
  <property name="extraEnvVars">
    <map>
      <entry>
        <key><value>java.naming.referral</value></key>
        <value>follow</value>
      </entry>
    </map>
  </property>
</bean>

<!-- Locate the user's DN by sAMAccountName; the search base is relative to the root DN in the URL -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg><value>OU=blah</value></constructor-arg>
  <constructor-arg><value>(sAMAccountName={0})</value></constructor-arg>
  <constructor-arg><ref local="initialDirContextFactory" /></constructor-arg>
  <property name="searchSubtree"><value>true</value></property>
  <!-- must have for user search to work -->
  <property name="derefLinkFlag"><value>true</value></property>
</bean>

<!-- For LDAP authentication: bind as the DN found by userSearch, then load the user's groups -->
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="initialDirContextFactory" /></constructor-arg>
      <property name="userSearch"><ref local="userSearch" /></property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg index="0"><ref local="initialDirContextFactory" /></constructor-arg>
      <!-- group search base, relative to the root DN in the URL -->
      <constructor-arg index="1"><value></value></constructor-arg>
      <!-- attribute whose value becomes the role name for each matched group -->
      <property name="groupRoleAttribute"><value>OU=blah</value></property>
      <!--
      <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property>
      -->
    </bean>
  </constructor-arg>
</bean>
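The search-then-bind flow that the userSearch and BindAuthenticator beans above perform, as an added, runnable illustration that is not Acegi code and not part of the original post: the login name is escaped and substituted for {0} in the filter, the search runs from the search base (whole subtree or one level, mirroring searchSubtree), exactly one match is required, and only then is a bind attempted as the found DN. The directory is a constructed in-memory stand-in whose placeholder DNs follow the post's "blah" naming; the empty-password behaviour of bind() is modelled on the unauthenticated-bind quirk Active Directory shows, which is why authenticate() refuses an empty password before ever calling bind().

```python
import re

# Constructed stand-in for the directory server (not a real LDAP client).
# DN -> (attributes, password). Plaintext passwords only because this is a stand-in.
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,OU=blah,DC=blah,DC=blah": (
        {"sAMAccountName": "jdoe", "cn": "Jane Doe"}, "correct horse"),
    "CN=Bob Ray,OU=blah,DC=blah,DC=blah": (
        {"sAMAccountName": "bray", "cn": "Bob Ray"}, "battery staple"),
    "CN=Svc Acct,OU=Service,DC=blah,DC=blah": (
        {"sAMAccountName": "svc", "cn": "Svc Acct"}, "s3cret"),
}


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(template, username):
    """Substitute the login name for {0}, e.g. in (sAMAccountName={0})."""
    return template.replace("{0}", escape_filter_value(username))


_EQ_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_regex(raw):
    """Server-side filter semantics: an unescaped '*' is a wildcard, an escaped one is literal."""
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def _in_scope(dn, base, subtree):
    """Is dn under base? Without subtree only direct children count (naive split; no escaped commas here)."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    return subtree or len(dn[:-len(base) - 1].split(",")) == 1


def search(directory, base, ldap_filter, subtree=True):
    """Return the DNs under base whose entry matches a single equality filter."""
    m = _EQ_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, wanted = m.group(1), _value_regex(m.group(2))
    return [dn for dn, (attrs, _) in directory.items()
            if _in_scope(dn, base, subtree) and wanted.match(attrs.get(attr, ""))]


def bind(directory, dn, password):
    """Simple bind. Models the unauthenticated-bind behaviour (RFC 4513 5.1.2) that
    Active Directory exhibits: a DN with an empty password is accepted as anonymous."""
    if password == "":
        return True
    entry = directory.get(dn)
    return entry is not None and entry[1] == password


def authenticate(directory, username, password,
                 search_base="OU=blah,DC=blah,DC=blah",
                 filter_template="(sAMAccountName={0})", subtree=True):
    """Search-then-bind login. Returns the user's DN on success, None otherwise."""
    if not password:
        return None   # never let an empty password reach bind()
    matches = search(directory, search_base,
                     build_user_filter(filter_template, username), subtree)
    if len(matches) != 1:
        return None   # no match: unknown user; several: ambiguous, refuse
    return matches[0] if bind(directory, matches[0], password) else None


if __name__ == "__main__":
    print(authenticate(DIRECTORY, "jdoe", "correct horse"))                 # nested OU, found via subtree
    print(authenticate(DIRECTORY, "jdoe", "correct horse", subtree=False))  # None: one-level search misses it
    print(authenticate(DIRECTORY, "*", "x"))                                # None: escaped, so no wildcard
```

Two points from the post show up directly: jdoe lives one OU below the search base, so only a subtree search (searchSubtree=true) finds her; and a login name is escaped before it reaches the filter, so "*" searches for a literal asterisk rather than matching every entry. Pre-checking for an empty password is the one check the authenticator must do itself, because the directory cannot be relied on to fail that bind.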
