Spring Security / SEC-1014

minor changes for an easy NTLM / LDAP configuration

    Details

    • Type: Refactoring
    • Status: Closed
    • Priority: Trivial
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core, LDAP
    • Labels:
      None
    • Environment:
      all

      Description

      The following changes are needed for an easy NTLM and LDAP (Active Directory) integration:

      LdapAuthenticationProvider:
      Either accept an empty password (then LdapAuthenticationProvider can be used as is), or change the scope to protected for the "private LdapAuthenticator authenticator;" field: in that case we can easily override the authenticate() method to avoid the password length check, without the need to use another LdapAuthenticator in the overriding class.

      Another change is needed for NTLM: an AbstractLdapAuthenticator with no password check.
      PasswordComparisonAuthenticator is final and can't be overridden, even though the only useful change is to comment out the last lines in authenticate() to remove the password check.
      Because of the class name, it's not easy to change this...
      So could a new class extending LdapAuthenticationProvider exist (with no password check)?

      With those 2 changes, we can use NTLM to get the username, use it to query LDAP and retrieve user information (email, name, etc.), then use that information in a custom UserDetails implementation (via a convenient UserDetailsContextMapper) without any implementation.

      Hope this can help.
      Regards.

          Activity

          Luke Taylor added a comment -

          The issue with LdapAuthenticationProvider has been resolved as part of SEC-1117.

          As far as I can see the additional functionality you're talking about (ignoring the password supplied) is already available via NtlmAwareLdapAuthenticator. Let me know if I'm missing something.

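The password length check discussed in this issue, shown as an added example that is not Spring Security code and not part of the original issue or comment: an LDAP simple bind with an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that many servers report as successful, so the check may be skipped only for a token the NTLM handshake has already verified. All class, field and method names below are hypothetical, and the directory and its data are constructed.

```java
import java.util.Map;

// Added illustration; every name here is hypothetical, not Spring Security API.
public class NtlmLdapGate {

    // Constructed stand-in for a directory. Like many LDAP servers it treats a simple
    // bind with an empty password as an unauthenticated bind and reports success,
    // which is why the client-side empty-password check exists.
    static class FakeDirectory {
        private final Map<String, String> passwords = Map.of("alice", "s3cret");
        private final Map<String, String> mail = Map.of("alice", "alice@example.test");

        boolean bind(String user, String password) {
            if (password.isEmpty()) return true;             // unauthenticated bind "succeeds"
            return password.equals(passwords.get(user));
        }
        String lookupMail(String user) { return mail.get(user); } // search as service account
    }

    // ntlmVerified is set only by the (hypothetical) NTLM filter once the handshake completes.
    static class Token {
        final String user; final String password; final boolean ntlmVerified;
        Token(String user, String password, boolean ntlmVerified) {
            this.user = user; this.password = password; this.ntlmVerified = ntlmVerified;
        }
    }

    // Returns the user's mail attribute, or null when authentication is refused.
    static String authenticate(FakeDirectory dir, Token t) {
        if (t.ntlmVerified) {
            return dir.lookupMail(t.user);                    // identity already proven: lookup only
        }
        if (t.password == null || t.password.isEmpty()) {
            return null;                                      // never forward an empty password to bind
        }
        return dir.bind(t.user, t.password) ? dir.lookupMail(t.user) : null;
    }

    public static void main(String[] args) {
        FakeDirectory dir = new FakeDirectory();
        System.out.println(authenticate(dir, new Token("alice", "", true)));        // NTLM path
        System.out.println(authenticate(dir, new Token("alice", "", false)));       // form login, empty password
        System.out.println(authenticate(dir, new Token("alice", "s3cret", false))); // form login, valid password
        System.out.println(dir.bind("alice", "")); // what the check keeps from reaching the server
    }
}
```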

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Fred Gilbart
            • Votes:
              0
              Watchers:
              0
