Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Configuring grails spring security ldap plugin

here is a part of my perl cgi script (which is working..):


use Net::LDAP;
use Net::LDAP::Entry;
...
$edn = "DC=xyz,DC=com";
$quser ="(&(objectClass=user)(cn=$username))";
$ad = Net::LDAP->new("ip_address...");
$ldap_msg=$ad->bind("$username\@xyz.com", password=>$password);

my $result = $ad->search(       base=>$edn,
                            scope=>"sub",
                            filter=>$quser);
my $entry;
my $myname;
my $emailad;
my @entries = $result->entries;

foreach $entry (@entries) {
$myname = $entry->get_value("givenName");
$emailad = $entry->get_value("mail");
}

So basically, there is no admin/manager account for AD, users credentials are used for binding. I need to implement the same thing in grails.. +Is there a way to configure the plugin to search several ADs, I know I can add more ldap IPs in context.server but for each server I need a different search base...

++ I dont wanna use my DB, just AD. User logins through ldap > I get his email, and use the email for another ldap query but that will probably be another topic :)

Anyway the code so far is:

grails.plugin.springsecurity.ldap.context.managerDn = ''
grails.plugin.springsecurity.ldap.context.managerPassword = ''
grails.plugin.springsecurity.ldap.context.server = 'ldap://address:389'
grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true 
grails.plugin.springsecurity.ldap.search.base = 'DC=xyz,DC=com'
grails.plugin.springsecurity.ldap.authenticator.useBind=true
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugin.springsecurity.ldap.search.filter="sAMAccountName={0}" 
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugin.springsecurity.ldap.search.attributesToReturn = 
            ['mail', 'givenName']
grails.plugin.springsecurity.providerNames= 
            ['ldapAuthProvider',anonymousAuthenticationProvider']


grails.plugin.springsecurity.ldap.useRememberMe = false
grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = false
grails.plugin.springsecurity.ldap.authorities.groupSearchBase ='DC=xyz,DC=com'
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'

And the error code is: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

And it's the same code for any user/pass I try :/ Heeeeelp! :)

like image 723
user1611228 Avatar asked Nov 02 '22 04:11

user1611228


1 Answers

The most important thing with grails and AD is to use ActiveDirectoryLdapAuthenticationProvider rather than LdapAuthenticationProvider as it will save a world of pain. To do this, just make the following changes:

In resources.groovy:

// Domain 1
ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain.com",
        "ldap://mydomain.com/"
)

// Domain 2
ldapAuthProvider2(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain2.com",
        "ldap://mydomain2.com/"
)

In Config.groovy:

grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1', 'ldapAuthProvider2']

This is all the code you need. You can pretty much remove all other grails.plugin.springsecurity.ldap.* settings in Config.groovy as they don't apply to this AD setup.

Documentation: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ldap-active-directory

like image 90
Cookalino Avatar answered Nov 15 '22 05:11

Cookalino