I developed this against our company's AD:
    import java.util.List;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

    @Bean
    public AuthenticationProvider adProvider() {
        // adConfig and FooAuthority are our own classes (domain, URL, root DN and search filter come from config)
        ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(
                adConfig.getDomain(), adConfig.getUrl(), adConfig.getRootDn());
        adProvider.setSearchFilter(adConfig.getSearchFilter());
        // bind with the credentials from the login request, not with a fixed service account
        adProvider.setUseAuthenticationRequestCredentials(true);
        // map AD sub-error codes (expired password, locked account, ...) to specific exceptions
        adProvider.setConvertSubErrorCodesToExceptions(true);
        adProvider.setAuthoritiesMapper(authorities -> List.of(new FooAuthority("*")));
        return adProvider;
    }
This does work; I can log in using my company credentials. Important: I can use my sAMAccountName (which happens to be my uid as well) to log in.
Now I want to have some automated tests for certain edge cases, using a local AD. I chose ApacheDS for its cross platform availability, plus it has some Docker containers available. I use openmicroscopy/apacheds , because it seemed active, documented and configurable, important for a rookie like me.
The problem is, I cannot log in. I traced it down to two lines in o.s.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider: while searchForUser(ctx, username) in doAuthentication(...) (line 148 in 5.0.12.RELEASE) works with my sAMAccountName (like foobar), contextFactory.createContext(env) in bindAsUser(...) (line 204 in 5.0.12.RELEASE) requires a fully qualified DN (like cn=foobar,ou=people,dc=acme,dc=com) to work.
So it seems there is some misconfiguration on my side, probably because of my misunderstanding... Seems I do need some different user to authenticate than to search afterwards? How do I configure this, and/but why does our company's AD work just fine? PS: I read about anonymous authentication, maybe our company allows such? But using Apache Directory Studio against the company's AD requires me to log in (as far as I can tell)...
An LDAP-based simple BIND operation always requires the distinguished name (DN) of the entry and the password. Only AD allows performing the BIND operation with the sAMAccountName. AD is somewhat special.
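The practical consequence for a non-AD server such as ApacheDS is the search-then-bind pattern: a read-only service account looks up the entry whose uid matches the login name, and the returned DN is then used for the user's own simple BIND. ActiveDirectoryLdapAuthenticationProvider skips that step because it binds as "username@domain", which AD accepts but a plain LDAP server does not. The following configuration is an added example, not code from the question, the answer or the Spring Security project; the server URL, the search base "ou=people", the service account DN and password, and the FooAuthority class from the question are assumptions for a local ApacheDS instance.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

// Connection to the local ApacheDS test server; URL and base DN are assumed values.
// The bound identity is a read-only service account used solely for the search step,
// so user lookups never run under the credentials of the person logging in.
@Bean
public DefaultSpringSecurityContextSource apacheDsContextSource() {
    DefaultSpringSecurityContextSource contextSource =
            new DefaultSpringSecurityContextSource("ldap://localhost:10389/dc=acme,dc=com");
    contextSource.setUserDn("uid=svc-search,ou=system");   // hypothetical service account
    contextSource.setPassword("change-me-in-test-config"); // hypothetical password
    return contextSource; // Spring calls afterPropertiesSet() on the bean itself
}

// Search-then-bind provider: resolve the login name to a DN, then BIND as that DN.
@Bean
public AuthenticationProvider apacheDsProvider(DefaultSpringSecurityContextSource contextSource) {
    // {0} is replaced with the submitted username; the search base is relative to the URL's base DN.
    FilterBasedLdapUserSearch userSearch =
            new FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource);

    // BindAuthenticator binds with the DN found by the search and the password from the login request,
    // which is exactly the simple BIND a generic LDAP server requires.
    BindAuthenticator authenticator = new BindAuthenticator(contextSource);
    authenticator.setUserSearch(userSearch);

    LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator);
    // Same authority mapping as the AD provider in the question, so the rest of the app sees no difference.
    provider.setAuthoritiesMapper(authorities -> List.of(new FooAuthority("*")));
    return provider;
}
```

Keeping the AD bean for production and this bean for the test profile lets the same login code run against both directories; only the provider that knows how the server expects to be bound to changes. The service account should be granted read access to ou=people and nothing else, since a leak of its password then exposes no write capability.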