Skip to content

Feature for using different bind user in active directory LDAP authentication provider #3933

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,8 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends
private final String url;
private boolean convertSubErrorCodesToExceptions;
private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
private String bindUser;
private String bindPassword;

// Only used to allow tests to substitute a mock LdapContext
ContextFactory contextFactory = new ContextFactory();
Expand Down Expand Up @@ -141,10 +143,25 @@ protected DirContextOperations doAuthentication(
String username = auth.getName();
String password = (String) auth.getCredentials();

DirContext ctx = bindAsUser(username, password);
DirContext ctx;
if (StringUtils.hasText(bindUser) && StringUtils.hasText(bindPassword)) {
ctx = bindAsUser(bindUser, bindPassword);
} else {
ctx = bindAsUser(username, password);
}

try {
return searchForUser(ctx, username);
DirContextOperations result = searchForUser(ctx, username);
if (StringUtils.hasText(bindUser) && StringUtils.hasText(bindPassword)) {
// attempt another authentication, now with the user's password
Hashtable<String, String> authEnv = new Hashtable<String, String>();
authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
authEnv.put(Context.PROVIDER_URL, url);
authEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
authEnv.put(Context.SECURITY_CREDENTIALS, password);
contextFactory.createContext(authEnv);
}
return result;
}
catch (NamingException e) {
logger.error("Failed to locate directory entry for authenticated user: "
Expand Down Expand Up @@ -397,6 +414,19 @@ public void setSearchFilter(String searchFilter) {
this.searchFilter = searchFilter;
}

/**
* By default, the connection to the AD server will use the credentials being authenticated.
* If another M2M AD account shall be used for connecting to the AD server, these credentials
* can be provided here.
*
* @param userName the name of the M2M user
* @param password the password of the M2M user
*/
public void setBindUser(String userName, String password) {
this.bindUser = userName;
this.bindPassword = password;
}

static class ContextFactory {
DirContext createContext(Hashtable<?, ?> env) throws NamingException {
return new InitialLdapContext(env, null);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentCaptor;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DistinguishedName;
Expand All @@ -36,12 +38,7 @@
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;

import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Name;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.*;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
Expand Down Expand Up @@ -393,6 +390,44 @@ public void rootDnProvidedSeparatelyFromDomainAlsoWorks() throws Exception {

}

@Test
public void differentUserForBindOperation() throws Exception {
// given
ArgumentCaptor<Hashtable> bindCapture = ArgumentCaptor.forClass(Hashtable.class);
ArgumentCaptor<Object[]> userCapture = ArgumentCaptor.forClass(Object[].class);

final DirContext ctx = mock(DirContext.class);
when(ctx.getNameInNamespace()).thenReturn("");

DirContextAdapter dca = new DirContextAdapter();
SearchResult sr = new SearchResult("CN=Joe Jannsen,CN=Users", dca,
dca.getAttributes());
when(
ctx.search(any(Name.class), any(String.class), userCapture.capture(),
any(SearchControls.class))).thenReturn(
new MockNamingEnumeration(sr));
ContextFactory contextFactory = mock(ContextFactory.class);
when(contextFactory.createContext(bindCapture.capture())).thenAnswer(new Answer<DirContext>() {
@Override
public DirContext answer(final InvocationOnMock invocation) throws Throwable {
Hashtable args = (Hashtable) invocation.getArguments()[0];
assertThat(args.get(Context.SECURITY_PRINCIPAL)).isIn("[email protected]", "");
return ctx;
}
});

ActiveDirectoryLdapAuthenticationProvider customProvider = new ActiveDirectoryLdapAuthenticationProvider(
"mydomain.eu", "ldap://192.168.1.200/");
customProvider.contextFactory = contextFactory;
customProvider.setBindUser("bindUser", "bindPassword");

// when
Authentication result = customProvider.authenticate(joe);

// then
assertThat(result.isAuthenticated()).isTrue();
}

ContextFactory createContextFactoryThrowing(final NamingException e) {
return new ContextFactory() {
@Override
Expand Down