
Spring LDAP Authentication's user account concepts

I am developing an authentication function of a Spring web application. The customer already has an existing Active Directory with their staff data. Any staff in the AD can use their existing username and password to log in to my web application, by which the web app should use the given username and password to get the staff data from the AD and then automatically register the staff with the web app by creating a user account record in the DB using the data from the AD.

The following are the above-mentioned actions in sequence.

  1. The user submits a login form with username and password.
  2. The web app queries the staff data from the AD using the given username and password.
  3. The web app creates a user account record in the DB using the staff data.

I am stuck at step 2. As this is the first time I have ever used LDAP, my understanding of the topic is very shallow.

Currently I can successfully list all person names in the AD using the following code.

import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapUtils;

@SpringBootApplication
public class Main implements ApplicationRunner {

    private static final Logger logger = LoggerFactory.getLogger(Main.class);

    @Autowired
    private LdapTemplate ldapTemplate;

    public static void main(String[] args) {
        SpringApplication.run(Main.class, args);
    }

    @Override
    public void run(ApplicationArguments args) throws Exception {
        logger.info("----------------------");
        logger.info(getAllPersonNames().toString());
        logger.info("----------------------");
    }

    // Lists the "cn" of every entry with objectclass=person below the base DN
    // configured on the context source (Spring LDAP 2.x API).
    private List<String> getAllPersonNames() {
        EqualsFilter filter = new EqualsFilter("objectclass", "person");
        AttributesMapper<String> cnMapper = attrs -> (String) attrs.get("cn").get();
        return ldapTemplate.search(LdapUtils.emptyLdapName(), filter.encode(), cnMapper);
    }

    @Bean
    public LdapContextSource contextSource(Environment env) {
        LdapContextSource contextSource = new LdapContextSource();

        // These credentials are used for every connection the template opens.
        contextSource.setUrl("ldap://localhost:5555");
        contextSource.setBase("DC=myorg,DC=com");
        contextSource.setUserDn("username");
        contextSource.setPassword("password");
        return contextSource;
    }

    @Bean
    public LdapTemplate ldapTemplate(Environment env) {
        return new LdapTemplate(contextSource(env));
    }

}

This code has a problem. I put the username and password in the LdapContextSource bean, which will be used at application startup time. This is not what I want, because the username and password have to be given by the user at runtime.

But! I found this example and got confused. In the example, there are two sets of usernames and passwords, one used to set up the LdapContextSource and one provided by the user at runtime.

So I think I might have some misunderstanding. Please help clarify whether the username/password set in LdapContextSource should be provided by the user, or whether I should have a separate username/password used only by my application?

I'm not sure if my answer will clarify the problem, but I'll try anyway.

I had the same issue when I wanted to integrate Camunda BPMN in an existing application. And as a beginner, it took me some time to realize how the LDAP protocol works.

Check it, it might be useful:

https://docs.camunda.org/manual/7.7/user-guide/process-engine/identity-service/

If anyone finds that I'm wrong, please comment below and correct me.

In fact, the hard-coded credentials should be the manager's, which will be used to check whether the given username and password of any user (dynamically within the app) are accepted.

The manager's info is also used to collect LDAP group information that can't be read by a normal user.

To bypass this issue, I implemented my own authentication class that tries to connect to LDAP with the user's credentials, and if it throws an exception, it means that the given information is wrong. However, you will lose the ability to provide the user's group info and so on.

I'm sorry I can't provide the code because I don't have it anymore.

Good luck
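An added example (not the asker's or the answerer's code) of the two-credential scheme the answer describes, using Spring LDAP 2.x: the LdapTemplate is built on an LdapContextSource that holds the application's own service account, that account is used only to locate the entry, and the user's password is verified by binding as the found DN. It assumes AD users are matched on sAMAccountName and that displayName and mail are the attributes wanted for the local account record.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.LdapEntryIdentification;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.support.LdapUtils;
import static org.springframework.ldap.query.LdapQueryBuilder.query;

/** Step 2 of the question: verify an AD user's password and fetch the staff data used in step 3. */
public class AdAuthenticator {
    /** Minimal holder for the attributes copied into the web app's own user record (assumed shape). */
    public static final class StaffData {
        public final String dn, displayName, mail;
        StaffData(String dn, String displayName, String mail) {
            this.dn = dn; this.displayName = displayName; this.mail = mail;
        }
    }
    private final LdapTemplate ldapTemplate; // built on an LdapContextSource holding the app's service account
    public AdAuthenticator(LdapTemplate ldapTemplate) { this.ldapTemplate = ldapTemplate; }

    /** Returns the staff data on success, null if the user is unknown or the password is wrong. */
    public StaffData authenticate(String username, String password) {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null; // an empty password is an anonymous bind in AD and must never count as success
        }
        // The search runs as the service account; "sAMAccountName" is the AD login name (assumed attribute).
        LdapQuery userQuery = query().where("objectClass").is("person").and("sAMAccountName").is(username);
        try {
            // Spring LDAP finds exactly one entry, then binds as that entry's DN with the user's password.
            return ldapTemplate.authenticate(userQuery, password, (DirContext ctx, LdapEntryIdentification id) -> {
                try { // ctx is now bound as the user; read what the app's DB record needs
                    Attributes attrs = ctx.getAttributes(id.getRelativeName(), new String[] {"displayName", "mail"});
                    return new StaffData(id.getAbsoluteName().toString(), value(attrs, "displayName"), value(attrs, "mail"));
                } catch (NamingException e) {
                    throw LdapUtils.convertLdapException(e);
                }
            });
        } catch (EmptyResultDataAccessException | AuthenticationException e) {
            return null; // same outcome for "no such user" and "bad password": do not leak which one to the caller
        }
    }

    private static String value(Attributes attrs, String name) throws NamingException {
        return attrs.get(name) == null ? null : (String) attrs.get(name).get();
    }
}
```

Other exceptions (for example a connection failure to the directory) are deliberately left to propagate, so that an outage is not reported to the user as a wrong password.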
