
Spring Security Ldap authentication userDn and password from login form

I'm trying to implement a Spring Security LDAP authentication using WebSecurityConfigurerAdapter.

So far it works fine, but the problem in my case is that I don't want the username and password of context to be hard coded. It must be the login and password of the user, so my question is how can I build the context and setting of the username and password from the login form?

This is the code I'm working with:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userSearchFilter("(sAMAccountName={0})")
                .contextSource(contextSource());
    }

    @Bean
    public BaseLdapPathContextSource contextSource() {
        LdapContextSource bean = new LdapContextSource();
        bean.setUrl("ldap://10.10.10.10:389");
        bean.setBase("DC=myDomaine,DC=com");
        //instead of this i want to put here the username and password provided by the user
        bean.setUserDn("myDomaine\\username");
        bean.setPassword("password");
        bean.setPooled(true);
        bean.setReferral("follow");
        bean.afterPropertiesSet();
        return bean;
    }
}

Thank you!

iamamd asked Jul 22 '17 23:07




2 Answers

Your code should work perfectly fine. The hardcoded username and password are used only to create a bind with the LDAP server. The username and password provided in the login form are only being authenticated using your code.

I use the following code to perform LDAP authentication.

public void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        .userSearchFilter("sAMAccountName={0}")
        .contextSource()
            .url(this.ldapUrl)
            .managerDn(this.managerDn)
            .managerPassword(this.managerPassword);
}

Where the manager is the LDAP account used to create a bind with the server.

Venkatesh answered Oct 17 '22 05:10
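The manager-bind setup from the answer above, written out as a full configuration class. This is an added example, not code from the original answer: the class name and the three property names (`ldap.url`, `ldap.manager-dn`, `ldap.manager-password`) are assumptions, chosen so the service-account credentials come from the application's property sources instead of the source code.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ManagerBindSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property names; supply the values from outside the source tree.
    // ldap.url carries the base DN, e.g. ldap://10.10.10.10:389/DC=myDomaine,DC=com
    @Value("${ldap.url}")
    private String ldapUrl;
    @Value("${ldap.manager-dn}")
    private String managerDn;
    @Value("${ldap.manager-password}")
    private String managerPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated()
            .and().formLogin();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            // Step 1: the manager connection searches for the entry whose
            // sAMAccountName equals the login name typed into the form ({0}).
            .userSearchFilter("(sAMAccountName={0})")
            .contextSource()
                .url(ldapUrl)
                .managerDn(managerDn)
                .managerPassword(managerPassword);
        // Step 2 is performed by Spring Security's bind authenticator: a second
        // bind as the DN found in step 1, using the password from the form.
        // The manager account only needs read access to locate user entries.
    }
}
```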


The userDN and password parameters in contextSource are required parameters. They are like an admin username and password that let you acquire or create the initial connection to the LDAP server.

To authenticate the username and password from the login form, you can use the ldapTemplate:

    @Bean
    public BaseLdapPathContextSource contextSource() {
        LdapContextSource bean = new LdapContextSource();
        bean.setUrl("ldap://10.10.10.10:389");
        bean.setBase("DC=myDomaine,DC=com");
        //instead of this i want to put here the username and password provided by the user
        bean.setUserDn("myDomaine\\username");
        bean.setPassword("password");
        bean.setPooled(true);
        bean.setReferral("follow");
        bean.afterPropertiesSet();
        return bean;
    }

    @Bean
    public LdapTemplate ldapTemplate() {
        LdapTemplate template = new LdapTemplate(contextSource());

        return template;
    }

Then use this in your service class implementation:

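import javax.naming.ldap.LdapName;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.BaseLdapNameAware;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.stereotype.Service;

@Service
public class LdapUserServiceImpl implements LdapUserService, BaseLdapNameAware {
    @Autowired
    protected ContextSource contextSource;
    @Autowired
    protected LdapTemplate ldapTemplate;
    protected LdapName baseLdapPath;

    // Required by BaseLdapNameAware; without it the class does not compile.
    @Override
    public void setBaseLdapPath(LdapName baseLdapPath) {
        this.baseLdapPath = baseLdapPath;
    }

    // userDn is the login name from the form; EqualsFilter escapes it for the filter.
    @Override
    public boolean authenticate(String userDn, String credentials) {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("sAMAccountName", userDn));
        return ldapTemplate.authenticate("", filter.toString(), credentials);
    }
}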

Then call this service passing the username and password from login form like this:

boolean isAuthenticated = ldapUserService.authenticate(loginForm.getUsername(), loginForm.getPassword());

iamcessssy answered Oct 17 '22 04:10
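Both answers keep a service account for the initial bind. Since the question's filter uses sAMAccountName, the directory is presumably Active Directory, and Spring Security's `ActiveDirectoryLdapAuthenticationProvider` binds with the credentials typed into the login form, so no account is stored in the configuration. This is an added example, not code from either answer: the class name is hypothetical, and the domain `myDomaine.com` is inferred from the question's base `DC=myDomaine,DC=com`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class AdUserBindSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated()
            .and().formLogin();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(activeDirectoryProvider());
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryProvider() {
        // Assumed domain, derived from the question's base DN. The provider binds
        // as <login>@myDomaine.com with the password from the form; a failed bind
        // is a failed login, and no manager DN or password is configured anywhere.
        // Plain ldap:// sends that password unencrypted; use an ldaps:// URL
        // when the domain controller offers one.
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider(
                "myDomaine.com", "ldap://10.10.10.10:389");

        // After the bind, the user's own connection looks up the user entry.
        // {0} is the full user@domain principal, {1} the bare login name.
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={1}))");

        // Map AD sub-error codes (expired password, locked or disabled account)
        // to specific Spring Security exceptions instead of one generic failure.
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }
}
```

The bind principal is built by appending the domain to the login name, so this only works when users' userPrincipalName suffix matches the configured domain.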