sample active directory ldif file with apacheds

Here is a spring-security example, ldap-xml, which runs an LDAP server and imports an LDIF file for testing:

https://github.com/spring-projects/spring-security/blob/master/samples/ldap-xml/src/main/webapp/WEB-INF/applicationContext-security.xml

[...]
    <s:ldap-server ldif="classpath:users.ldif" port="33389"/>

    <s:authentication-manager>
        <s:ldap-authentication-provider
            group-search-filter="member={0}"
            group-search-base="ou=groups"
            user-search-base="ou=people"
            user-search-filter="uid={0}"
        />
        <s:authentication-provider ref='secondLdapProvider' />
    </s:authentication-manager>
[...]

https://github.com/spring-projects/spring-security/blob/master/samples/ldap-xml/src/main/webapp/WEB-INF/classes/users.ldif

[...]
dn: uid=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Rod Johnson
sn: Johnson
uid: rod
userPassword: koala
[...]

I need to modify this working example so that the user-search criteria are based on sAMAccountName instead of uid. I modified users.ldif as follows:

[...]
dn: cn=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Rod Johnson
sn: Johnson
sAMAccountName: rod
userPassword: koala
[...]

but ApacheDS shows a warning when importing users.ldif:

OID for name 'samaccountname' was not found within the OID registry

It seems that I need to add this new attribute, sAMAccountName, by modifying the LDAP schema. How do I do that in the ldap-xml example?

In this gist example they modify the schema using "changetype: add". However, adding this to users.ldif results in the error "We cannot have entries when reading a file which already contains changes". In the gist example they mention updating the schema by running the ldifde command. How should I modify the ldap-xml project to do this?

How do I need to modify the ldap-xml project so that my users.ldif can contain a sAMAccountName attribute?

David Portabella Avatar asked May 05 '14 14:05


1 Answer

Add the following (it's the minimal fragment of Microsoft's schema that contains sAMAccountName) at the beginning of users.ldif file:

dn: cn=microsoft, ou=schema
objectclass: metaSchema
objectclass: top
cn: microsoft

dn: ou=attributetypes, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: attributetypes

dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.4.221
m-name: sAMAccountName
m-equality: caseIgnoreMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-singleValue: TRUE

dn: ou=objectclasses, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: objectClasses

dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
objectclass: metaObjectClass
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.5.6
m-name: securityPrincipal
m-supObjectClass: top
m-typeObjectClass: AUXILIARY
m-must: sAMAccountName

[rest of users.ldif]

Now add the new objectClass to the person entries:

[...]
dn: cn=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
# new objectClass
objectclass: securityPrincipal
cn: Rod Johnson
sn: Johnson
sAMAccountName: rod
userPassword: koala
[...]

It's not enough to have the new entries. ApacheDS' configuration in Spring Security has the schema interceptor disabled, so new schema entries are not created by default. We can turn it on by creating a BeanPostProcessor that fixes this:

package com.example.test.spring;

import java.util.List;

import org.apache.directory.server.core.interceptor.Interceptor;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.ldap.server.ApacheDSContainer;

import static org.springframework.util.CollectionUtils.isEmpty;

// BeanPostProcessor that replaces the interceptor chain of Spring Security's
// ApacheDSContainer (adding the SchemaInterceptor) before the embedded server
// is started and the LDIF file is imported.
public class ApacheDSContainerConfigurer implements BeanPostProcessor {

    private List<Interceptor> interceptors;

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        // Runs before afterPropertiesSet(), i.e. before the directory service is started
        if (bean instanceof ApacheDSContainer) {
            ApacheDSContainer dsContainer = (ApacheDSContainer) bean;
            setInterceptorsIfPresent(dsContainer);
        }
        return bean;
    }

    private void setInterceptorsIfPresent(ApacheDSContainer container) {
        // Only override the chain when one was configured in the application context
        if (!isEmpty(interceptors)) {
            container.getService().setInterceptors(interceptors);
        }
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }

    public void setInterceptors(List<Interceptor> interceptors) {
        this.interceptors = interceptors;
    }

}

We have to register and configure the bean in the application context:

<bean class="com.example.test.spring.ApacheDSContainerConfigurer">
    <property name="interceptors">
        <list>
            <bean class="org.apache.directory.server.core.normalization.NormalizationInterceptor"/>
            <bean class="org.apache.directory.server.core.authn.AuthenticationInterceptor"/>
            <bean class="org.apache.directory.server.core.referral.ReferralInterceptor"/>
            <!--<bean class="org.apache.directory.server.core.authz.AciAuthorizationInterceptor"/>-->
            <!--<bean class="org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor"/>-->
            <bean class="org.apache.directory.server.core.exception.ExceptionInterceptor"/>
            <!--<bean class="org.apache.directory.server.core.changelog.ChangeLogInterceptor"/>-->
            <bean class="org.apache.directory.server.core.operational.OperationalAttributeInterceptor"/>
            <bean class="org.apache.directory.server.core.schema.SchemaInterceptor"/>
            <bean class="org.apache.directory.server.core.subtree.SubentryInterceptor"/>
            <!--<bean class="org.apache.directory.server.core.collective.CollectiveAttributeInterceptor"/>-->
            <!--<bean class="org.apache.directory.server.core.event.EventInterceptor"/>-->
            <!--<bean class="org.apache.directory.server.core.trigger.TriggerInterceptor"/>-->
            <!--<bean class="org.apache.directory.server.core.journal.JournalInterceptor"/>-->
        </list>
    </property>
</bean>

It should work now.

Karol Lewandowski Avatar answered Sep 16 '22 18:09
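An added example, not part of the question or the answer above: a small Python lint that applies, offline, the checks ApacheDS applies when it imports users.ldif. It parses the LDIF, learns attribute types and object classes from any metaAttributeType/metaObjectClass entries in file order (so, as in the answer, the schema fragment has to come first), and then reports the warning from the question for an attribute no schema entry defines, the mixed `changetype:` case, an entry that carries sAMAccountName without an objectClass that allows it, and a user-search-filter naming an undefined attribute (the sample's `uid={0}` still has to become `sAMAccountName={0}` for the new attribute to be used for lookups). The BASELINE_* sets, the sample entries and the function names are constructed for this example; the baseline is a subset of the stock schema, not a copy of it.

```python
"""Offline lint for a users.ldif that carries its own ApacheDS schema entries.
Added example, not code from the Spring Security sample or the answer above. It
reproduces the two ApacheDS complaints quoted in the question and checks the
user-search-filter attribute. BASELINE_* are a constructed subset of the stock schema."""
import re

BASELINE_ATTRS = {"objectclass", "cn", "sn", "uid", "userpassword", "ou", "dc", "m-oid",
                  "m-name", "m-equality", "m-syntax", "m-singlevalue", "m-supobjectclass",
                  "m-typeobjectclass", "m-must", "m-may"}
BASELINE_CLASSES = {"top", "person", "organizationalperson", "inetorgperson", "metatop",
                    "organizationalunit", "metaschema", "metaattributetype", "metaobjectclass"}


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; handles '#' comments, folded lines and '::'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            value = value.lstrip(": ").strip()     # also drops the 'attr:: base64' marker
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.strip().lower(), []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def lint(ldif_text, user_search_filter="uid={0}"):
    """Return a list of problems; an empty list means the file should import cleanly.
    One pass in file order, so a schema entry must precede the entries that use it."""
    problems = []
    if re.search(r"^changetype:", ldif_text, re.M):
        problems.append("changetype: records cannot be mixed with plain entries")
    known_attrs, known_classes = set(BASELINE_ATTRS), set(BASELINE_CLASSES)
    must, allowed = {}, {}                         # custom objectClass -> attribute sets
    for dn, attrs in parse_ldif(ldif_text):
        attrs.pop("changetype", None)              # already reported above, not an attribute
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        names = [n.lower() for n in attrs.get("m-name", [])]
        if "metaattributetype" in classes:
            known_attrs.update(names)
        elif "metaobjectclass" in classes:
            for n in names:
                known_classes.add(n)
                must[n] = {a.lower() for a in attrs.get("m-must", [])}
                allowed[n] = must[n] | {a.lower() for a in attrs.get("m-may", [])}
        elif "metaschema" not in classes:          # ordinary entry: check it against the schema
            for c in classes:
                if c not in known_classes:
                    problems.append(f"{dn}: objectClass '{c}' is not defined")
                for m in must.get(c, set()) - set(attrs):
                    problems.append(f"{dn}: objectClass '{c}' requires '{m}'")
            for a in attrs:
                if a not in known_attrs:           # the warning ApacheDS prints on import
                    problems.append(f"{dn}: OID for name '{a}' was not found within the OID registry")
                elif (any(a in s for s in allowed.values())
                      and not any(a in allowed.get(c, ()) for c in classes)):
                    problems.append(f"{dn}: '{a}' is not allowed by any objectClass of the entry")
    attr = user_search_filter.split("=", 1)[0].strip().lower()
    if attr not in known_attrs:
        problems.append(f"user-search-filter names undefined attribute '{attr}'")
    return problems


# Constructed inputs mirroring the answer (schema container entries omitted for brevity).
SCHEMA = """\
dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
m-oid: 1.2.840.113556.1.4.221
m-name: sAMAccountName

dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
objectclass: metaObjectClass
m-oid: 1.2.840.113556.1.5.6
m-name: securityPrincipal
m-typeObjectClass: AUXILIARY
m-must: sAMAccountName
"""
ROD = """\
dn: cn=rod,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
{extra}cn: Rod Johnson
sn: Johnson
sAMAccountName: rod
userPassword: koala
"""
FIXED = SCHEMA + "\n" + ROD.format(extra="objectclass: securityPrincipal\n")  # the answer's result
NO_SCHEMA = ROD.format(extra="")                                               # the question's attempt
```

`lint(FIXED, "sAMAccountName={0}")` returns an empty list, while `lint(NO_SCHEMA, "sAMAccountName={0}")` returns the "OID for name 'samaccountname' was not found" message from the question plus a note that the search filter names an undefined attribute. Dropping only the `objectclass: securityPrincipal` line from the fixed file yields "not allowed by any objectClass", and prepending a `changetype: add` record yields the mixed-entries error, the two failure modes the answer works around.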