An org.acegisecurity.providers.AuthenticationProvider implementation that provides integration with an LDAP server.
There are many ways in which an LDAP directory can be configured, so this class delegates most of its responsibilities to two separate strategy interfaces, LdapAuthenticator and LdapAuthoritiesPopulator.
LdapAuthenticator
This interface is responsible for performing the user authentication and retrieving the user's information from the directory. Example implementations are BindAuthenticator (org.acegisecurity.providers.ldap.authenticator.BindAuthenticator), which authenticates the user by "binding" as that user, and PasswordComparisonAuthenticator (org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator), which performs a comparison of the supplied password with the value stored in the directory, either by retrieving the password or by performing an LDAP "compare" operation.
The task of retrieving the user attributes is delegated to the authenticator because the permissions on the
attributes may depend on the type of authentication being used; for example, if binding as the user, it may be
necessary to read them with the user's own permissions (using the same context used for the bind operation).
LdapAuthoritiesPopulator
Once the user has been authenticated, this interface is called to obtain the set of granted authorities for the user.
The DefaultLdapAuthoritiesPopulator (org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator) can be configured to obtain user role information from the user's attributes and/or to perform a search for "groups" that the user is a member of and map these to roles.
A custom implementation could obtain the roles from a completely different source, for example from a database.
Configuration
A simple configuration might be as follows:
<bean id="initialDirContextFactory" class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
    <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
    <property name="managerPassword"><value>password</value></property>
</bean>

<bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg><value>ou=groups</value></constructor-arg>
            <property name="groupRoleAttribute"><value>ou</value></property>
        </bean>
    </constructor-arg>
</bean>
This would set up the provider to access an LDAP server with URL
ldap://monkeymachine:389/dc=acegisecurity,dc=org. Authentication will be performed by attempting to bind
with the DN uid=<user-login-name>,ou=people,dc=acegisecurity,dc=org. After successful
authentication, roles will be assigned to the user by searching under the DN
ou=groups,dc=acegisecurity,dc=org with the default filter (member=<user's-DN>). The role
name will be taken from the "ou" attribute of each match.
The authenticate method will reject empty passwords outright. LDAP servers may allow an anonymous bind operation with an empty password, even if a DN is supplied. In practice this means that if the LDAP directory is configured to allow unauthenticated access, it might be possible to authenticate as any user just by supplying an empty password.
More information on the misuse of unauthenticated access can be found in draft-ietf-ldapbis-authmeth-19.txt.
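The following is an added illustration, not Acegi code: it works through what the sample configuration above implies (the bind DN formed from uid={0},ou=people plus the URL's base DN, the (member=<user's-DN>) group search under ou=groups, and role names taken from the ou attribute) and applies the empty-password rejection just described. The group entries are constructed stand-ins for a directory, and the {0} substitution and RFC 4514/4515 escaping are this example's own, not a claim about how BindAuthenticator implements them.

```python
# Added example (not Acegi code): DN, filter and role handling implied by the
# page's sample configuration, plus the empty-password check it describes.
LDAP_URL = "ldap://monkeymachine:389/dc=acegisecurity,dc=org"
USER_DN_PATTERN = "uid={0},ou=people"   # userDnPatterns entry
GROUP_SEARCH_BASE = "ou=groups"         # populator constructor-arg
GROUP_ROLE_ATTRIBUTE = "ou"             # groupRoleAttribute

# Constructed group entries standing in for the directory (not real data).
GROUPS = [
    {"ou": "admins", "member": ["uid=alice,ou=people,dc=acegisecurity,dc=org"]},
    {"ou": "users", "member": ["uid=alice,ou=people,dc=acegisecurity,dc=org",
                               "uid=bob,ou=people,dc=acegisecurity,dc=org"]},
]

def base_dn(url):
    """The base DN is the part of the LDAP URL after host[:port]/."""
    return url.partition("://")[2].partition("/")[2]

def escape_dn_value(value):
    """RFC 4514 escaping so a login name cannot alter the DN's structure."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=' or (ch == "#" and i == 0) \
            or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    for raw, enc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                     (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(raw, enc)
    return value

def user_dn(username):
    """uid={0},ou=people with the base DN appended (assumed substitution)."""
    return USER_DN_PATTERN.replace("{0}", escape_dn_value(username)) + "," + base_dn(LDAP_URL)

def group_filter(dn):
    """Default filter (member=<user's-DN>) and the search base ou=groups,<base DN>."""
    return GROUP_SEARCH_BASE + "," + base_dn(LDAP_URL), "(member=%s)" % escape_filter_value(dn)

def roles_for(dn, groups=GROUPS):
    """Role names come from the ou attribute of each group listing the DN as a member."""
    return sorted(g[GROUP_ROLE_ATTRIBUTE] for g in groups if dn in g["member"])

def authenticate(username, password):
    """Refuse an empty password before any bind, so it can never become an anonymous bind."""
    if not password:
        raise ValueError("empty password rejected")
    dn = user_dn(username)
    return dn, roles_for(dn)
```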
Author: Luke Taylor
Version: $Id: LdapAuthenticationProvider.java 1995 2007-08-30 21:12:16Z luke_t $
See Also: org.acegisecurity.providers.ldap.authenticator.BindAuthenticator
See Also: org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator