Comments on: SpringOne 2GX Sample Apps – Spring Security LDAP Login http://burtbeckwith.com/blog/?p=228 Burt Beckwith's Java Blog Thu, 26 Aug 2010 12:11:31 -0400 http://wordpress.org/?v=2.9.2 hourly 1 By: Bob White http://burtbeckwith.com/blog/?p=228&cpage=1#comment-31474 Bob White Tue, 11 May 2010 00:11:55 +0000 http://burtbeckwith.com/blog/?p=228#comment-31474 I am using STS. I found it necessary, after installing the acegi plugin and running "create-auth-domains" to right-click on the project, select Grails Tools -> Refresh Dependencies. I am using STS. I found it necessary, after installing the acegi plugin and running “create-auth-domains” to right-click on the project, select Grails Tools -> Refresh Dependencies.

]]> By: Bob White http://burtbeckwith.com/blog/?p=228&cpage=1#comment-31219 Bob White Wed, 05 May 2010 04:13:43 +0000 http://burtbeckwith.com/blog/?p=228#comment-31219 Oh, and thanks a million to Burt for this article! Oh, and thanks a million to Burt for this article!

]]> By: Bob White http://burtbeckwith.com/blog/?p=228&cpage=1#comment-31218 Bob White Wed, 05 May 2010 04:11:32 +0000 http://burtbeckwith.com/blog/?p=228#comment-31218 In an ideal situation, one knows exactly what LDAP values to use with one's LDAP database. I did not. I was using Active Directory. Here are the values I eventually ended up using in my SecurityConfig.groovy class: useLdap = true ldapServer = 'ldap://myADserver:389' ldapManagerDn = 'mydomain\\myuser' ldapManagerPassword = 'myPrivatePasswd' ldapSearchBase = 'OU=Someplace,DC=corp,DC=myCompany,DC=com' ldapSearchFilter = '(sAMAccountName={0})' ldapGroupSearchBase = 'OU=Users,DC=corp,DC=myCompany,DC=com' ldapGroupSearchFilter = '(member={0})' ldapUsePassword = false I never got the ldapGroup query to return any values, but that may be because my company does not use them that way. Instead, there was a "memberOf" attribute in the LDAP entry for each user. (I don't know if this is a standard, a best practice or just what my company uses). To set breakpoints in spring code, one must first download the appropriate sources jars and link to them in STS. I downloaded the jars (see below) and put them in my c:\grails-1.2.2\lib folder. For the acegi plugin sources, I downloaded the plugin as a zip and put it in c:\grails-plugins. To link to them, one has to know the class names of the relevant Spring classes. Jar files: spring-security-core-2.0.4-sources.jar spring-ldap-1.2.1-sources.jar Relevant classes & methods: org.springframework.security... ...ldap.SpringSecurityLdapTemplate.searchForSingleEntry() ...ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues() ...providers.ldap.authenticator.BindAuthenticator.bindWithDn() ...userdetails.ldap.LdapUserDetailsMapper.mapUserFromContext() org.springframework.ldap.core.LdapTemplate.search() And from the acegi plugin zip: grails-acegi-0.5.3.zip org.codehaus.groovy.grails.plugins.springsecurity... ...GrailsDaoImpl.loadUserByUserName() ...ldap.GrailsUserDetailsMapper.mapUserFromContext() I hope this helps somebody get started debugging using LDAP with the grails-acegi plugin. In an ideal situation, one knows exactly what LDAP values to use with one’s LDAP database. I did not.

I was using Active Directory. Here are the values I eventually ended up using in my SecurityConfig.groovy class:
useLdap = true
ldapServer = ‘ldap://myADserver:389′
ldapManagerDn = ‘mydomain\\myuser’
ldapManagerPassword = ‘myPrivatePasswd’
ldapSearchBase = ‘OU=Someplace,DC=corp,DC=myCompany,DC=com’
ldapSearchFilter = ‘(sAMAccountName={0})’
ldapGroupSearchBase = ‘OU=Users,DC=corp,DC=myCompany,DC=com’
ldapGroupSearchFilter = ‘(member={0})’
ldapUsePassword = false

I never got the ldapGroup query to return any values, but that may be because my company does not use them that way. Instead, there was a “memberOf” attribute in the LDAP entry for each user. (I don’t know if this is a standard, a best practice or just what my company uses).

To set breakpoints in spring code, one must first download the appropriate sources jars and link to them in STS. I downloaded the jars (see below) and put them in my c:\grails-1.2.2\lib folder.

For the acegi plugin sources, I downloaded the plugin as a zip and put it in c:\grails-plugins.

To link to them, one has to know the class names of the relevant Spring classes.

Jar files:
spring-security-core-2.0.4-sources.jar
spring-ldap-1.2.1-sources.jar

Relevant classes & methods:
org.springframework.security…

…ldap.SpringSecurityLdapTemplate.searchForSingleEntry()

…ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues()

…providers.ldap.authenticator.BindAuthenticator.bindWithDn()

…userdetails.ldap.LdapUserDetailsMapper.mapUserFromContext()

org.springframework.ldap.core.LdapTemplate.search()

And from the acegi plugin zip:
grails-acegi-0.5.3.zip

org.codehaus.groovy.grails.plugins.springsecurity…

…GrailsDaoImpl.loadUserByUserName()

…ldap.GrailsUserDetailsMapper.mapUserFromContext()

I hope this helps somebody get started debugging using LDAP with the grails-acegi plugin.

]]> By: Bob White http://burtbeckwith.com/blog/?p=228&cpage=1#comment-31166 Bob White Mon, 03 May 2010 20:52:19 +0000 http://burtbeckwith.com/blog/?p=228#comment-31166 I got the sample app working, and am now trying to bind to my corporate LDAP server. I think the bind is failing because I cannot login using my username/password (credentials I know to be correct). However, although I can get DEBUG logging messages from springsecurity when the authentication request fails, I am not getting any debug messages regarding binding. I think the parameters I am using in SecurityConfig.groovy are wrong, but I cannot debug them without visibility. I would love to set breakpoints and walk through the spring code, but I cannot figure out how to do this using STS. I can hit breakpoints in my code and select acegi plugin classes, but not in spring code (e.g. org.springframework.security.providers.ldap.authenticator.BindAuthenticator.java). I got the sample app working, and am now trying to bind to my corporate LDAP server. I think the bind is failing because I cannot login using my username/password (credentials I know to be correct). However, although I can get DEBUG logging messages from springsecurity when the authentication request fails, I am not getting any debug messages regarding binding.

I think the parameters I am using in SecurityConfig.groovy are wrong, but I cannot debug them without visibility.

I would love to set breakpoints and walk through the spring code, but I cannot figure out how to do this using STS. I can hit breakpoints in my code and select acegi plugin classes, but not in spring code (e.g. org.springframework.security.providers.ldap.authenticator.BindAuthenticator.java).

]]> By: John Cee http://burtbeckwith.com/blog/?p=228&cpage=1#comment-27480 John Cee Wed, 24 Feb 2010 01:35:59 +0000 http://burtbeckwith.com/blog/?p=228#comment-27480 Hi Burt, Really good tutorial. Thanks! We have a couple thousand users we'd like to authenticate and authorize against an LDAP server. Is there any way to avoid having to duplicate those users in the database? We'd like to authorize and authenticate just from LDAP and if a user has a matching entry in the database to include those roles as well. Regards, John Hi Burt,
Really good tutorial. Thanks! We have a couple thousand users we’d like to authenticate and authorize against an LDAP server. Is there any way to avoid having to duplicate those users in the database? We’d like to authorize and authenticate just from LDAP and if a user has a matching entry in the database to include those roles as well.
Regards,
John

]]>