Tags: active-directory, apacheds, spring-security-ldap

Spring Security LDAP: Bind vs. Authenticate against Active Directory in ApacheDS


What works

I developed this against our company's AD:

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Bean
public AuthenticationProvider adProvider() {
    // domain, LDAP URL and root DN come from our own configuration object (adConfig)
    ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(
            adConfig.getDomain(), adConfig.getUrl(), adConfig.getRootDn());

    // filter used to locate the user's entry after the bind has succeeded
    adProvider.setSearchFilter(adConfig.getSearchFilter());
    // keep the submitted password as the credentials of the resulting Authentication token
    adProvider.setUseAuthenticationRequestCredentials(true);
    // turn AD sub-error codes (expired password, locked account, ...) into specific exceptions
    adProvider.setConvertSubErrorCodesToExceptions(true);
    // every authenticated user gets the same single authority (FooAuthority is our own GrantedAuthority)
    adProvider.setAuthoritiesMapper(authorities -> List.of(new FooAuthority("*")));

    return adProvider;
}

This does work; I can log in using my company credentials. Important: I can use my sAMAccountName (which happens to be my uid as well) to log in.

Goal

Now I want to have some automated tests for certain edge cases, using a local AD. I chose ApacheDS for its cross-platform availability, plus it has some Docker containers available. I use openmicroscopy/apacheds, because it seemed active, documented and configurable, important for a rookie like me.

Problem

The problem is, I cannot log in. I traced it down to two lines in o.s.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider: while searchForUser(ctx, username) in doAuthentication(...) (line 148 in 5.0.12.RELEASE) works with my sAMAccountName (like foobar), contextFactory.createContext(env) in bindAsUser(...) (line 204 in 5.0.12.RELEASE) requires a fully qualified DN (like cn=foobar,ou=people,dc=acme,dc=com) to work.

So it seems there is some misconfiguration on my side, probably because of my misunderstanding... Do I need a different user to authenticate with than to search with afterwards? How do I configure this, and/but why does our company's AD work just fine? PS: I read about anonymous authentication, maybe our company allows such? But using Apache Directory Studio against the company's AD requires me to log in (as far as I can tell)...


Solution

  • An LDAP-based simple BIND operation always requires the distinguished name (DN) of the entry and the password. Only AD allows performing the BIND operation with samAccountName. AD is somewhat special.
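What follows is an added example, not code from the question or the answer above. Against AD, `ActiveDirectoryLdapAuthenticationProvider` binds with the principal `username@domain` (the UPN form), which AD accepts, and only then searches for the entry; a plain LDAP server such as ApacheDS has no such shortcut, so the order has to be reversed: first resolve the login name to a DN with a search, then perform the simple bind with that DN. Spring Security's generic `LdapAuthenticationProvider` with a `BindAuthenticator` and a `FilterBasedLdapUserSearch` does exactly that. The URL, base DN, service-account DN and password, search base, filter and group base below are assumptions for a local ApacheDS container, not values from the page; `FooAuthority` is the question's own class.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
public class ApacheDsSecurityConfig {

    // Assumed values for a local ApacheDS container; adjust to your own setup.
    private static final String LDAP_URL = "ldap://localhost:10389/dc=acme,dc=com";
    private static final String SERVICE_USER_DN = "uid=admin,ou=system";
    private static final String SERVICE_USER_PASSWORD = "secret";
    private static final String USER_SEARCH_BASE = "ou=people";
    private static final String USER_SEARCH_FILTER = "(uid={0})";
    private static final String GROUP_SEARCH_BASE = "ou=groups";

    @Bean
    public AuthenticationProvider apacheDsProvider() {
        // Connection used for the *search* step. It binds with a read-only service
        // account (ApacheDS ships with uid=admin,ou=system; in a real deployment use a
        // dedicated account with search rights only). An anonymous bind would also work
        // if the directory permits anonymous searches of the user subtree.
        DefaultSpringSecurityContextSource contextSource =
                new DefaultSpringSecurityContextSource(LDAP_URL);
        contextSource.setUserDn(SERVICE_USER_DN);
        contextSource.setPassword(SERVICE_USER_PASSWORD);
        // not registered as a bean here, so initialise it by hand
        contextSource.afterPropertiesSet();

        // Step 1: resolve the login name (e.g. "foobar") to a DN such as
        // uid=foobar,ou=people,dc=acme,dc=com. {0} is replaced with the login name.
        FilterBasedLdapUserSearch userSearch =
                new FilterBasedLdapUserSearch(USER_SEARCH_BASE, USER_SEARCH_FILTER, contextSource);

        // Step 2: simple bind as the resolved DN with the password from the login
        // request. This is the bind that failed with a bare sAMAccountName: a plain
        // LDAP server needs the full DN here.
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(userSearch);

        // Optional: load group memberships (default filter member={0}, {0} = user DN)
        // from ou=groups as authorities, using the service-account connection.
        DefaultLdapAuthoritiesPopulator authoritiesPopulator =
                new DefaultLdapAuthoritiesPopulator(contextSource, GROUP_SEARCH_BASE);

        LdapAuthenticationProvider provider =
                new LdapAuthenticationProvider(authenticator, authoritiesPopulator);
        // Same authority mapping as the AD provider, so the application sees identical roles.
        provider.setAuthoritiesMapper(authorities -> List.of(new FooAuthority("*")));
        return provider;
    }
}
```

Two things worth checking when this is wired up: the search must return exactly one entry (two matches make `FilterBasedLdapUserSearch` throw), so the filter should be on an attribute that is unique in the tree; and the service account used for the search should not be the same privileged account the tests log in as, otherwise the test no longer exercises the user bind that failed in the first place.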