
Spring Boot LDAP check if a user belongs to a specific group

I'm building an application which will allow only a specific set of users in my org to login. Only those users that belong to a particular AD group can login. E.g.: GDL - MyTeam is a GDL, and only its members are the ones I want to allow to get in. I checked out Atlassian's tutorial, Confluent's tutorial as well as Megha's answer here.

What is different in my case, compared to other Stack Overflow questions, is that I'm using ActiveDirectoryLdapAuthenticationProvider, as can be seen in my code snippet below. That is the one dictating the terms.

However, my application would still allow any user in the org to get into my application. I'm really not able to understand what criteria it is using to allow anyone. I'm a total newbie to LDIF syntax and filtering LDAP using Java. Combined with Spring Boot, I really don't know if I should use group search base or user search base. I just want people of my GDL to be able to get in. The rest should receive an authentication failure.

Here is my code file for reference:

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Two providers end up registered: the plain LDAP one (carrying the memberOf filter)
        // and the Active Directory one (which has no group restriction configured).
        configureLdap(auth);
        configureActiveDirectory(auth);
    }

    private void configureLdap(AuthenticationManagerBuilder auth) throws Exception {
        // Spring Security LDAP provider: locate the user with the search filter,
        // then compare the supplied password against the userPassword attribute.
        auth
            .ldapAuthentication()
            .contextSource(contextSource())
            .userSearchFilter("(&(objectClass=user)(sAMAccountName=*)(memberOf=cn=GDL-MyTeam,ou=users,dc=myCompany,dc=com)))")
            .passwordCompare()
            .passwordEncoder(passwordEncoder())
            .passwordAttribute("userPassword");
    }

    private void configureActiveDirectory(AuthenticationManagerBuilder auth) {
        // Active Directory provider: authenticates by binding as the user itself.
        ActiveDirectoryLdapAuthenticationProvider adProvider = activeDirectoryLdapAuthenticationProvider();
        if (adProvider != null) {
            auth.authenticationProvider(adProvider);
            auth.eraseCredentials(false);
        }
    }

    @Bean(BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public LdapContextSource contextSource() {
        // Service-account bind used by the plain LDAP provider and by ldapTemplate() below.
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(ldapUrls); // mycompany.com:389
        contextSource.setBase(ldapBaseDn); // dc=myCompany,dc=com
        contextSource.setUserDn(env.getProperty(ldapSecurityPrincipal));
        contextSource.setPassword(env.getProperty(ldapPrincipalPassword));
        contextSource.setReferral("follow");
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    @Bean
    protected ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // No search filter is set on this provider, so its default user lookup applies
        // and no memberOf restriction is enforced on this path.
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("myCompany.com", ldapUrls,
            ldapBaseDn);
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        provider.setUserDetailsContextMapper(new CustomUserDetailsContextMapper());
        return provider;
    }

    @Bean
    public LdapTemplate ldapTemplate() {
        // Template for directory lookups outside authentication, sharing the service-account context.
        LdapTemplate template = new LdapTemplate();
        template.setContextSource(contextSource());
        template.setIgnoreNameNotFoundException(true);
        template.setIgnorePartialResultException(true);
        return template;
    }


I believe this filter is the place where I have specified the correct matching criteria, but for some reason it's allowing everyone and not just my team's specific GDL.

    .userSearchFilter("(&(objectClass=user)(sAMAccountName=*)(memberOf=cn=GDL-MyTeam,ou=users,dc=myCompany,dc=com)))")

Can anyone please provide guidance as to where I am going wrong? Thanks a ton!

EDIT: I figured out that ActiveDirectoryLdapAuthenticationProvider is dictating the terms. I believe this is the place where I need to put in the search filter. If I put in the exact same filter as the other answers:

    In order to perform this operation a successful bind must be completed on the connection., data 0, v3839]; remaining name '/'

But I really don't understand what to put in here. Suggestions please?

I wonder if this might be the issue:

    .userSearchFilter("(&(objectClass=user)(sAMAccountName=*)(memberOf=cn=GDL-MyTeam,ou=users,dc=myCompany,dc=com)))")

You use sAMAccountName=* (with the *). Looks like a wildcard to me, meaning anyone? What if you replace that with {1} like in

    .userSearchFilter("(&(objectClass=user)(sAMAccountName={1})(memberOf=cn=GDL-MyTeam,ou=users,dc=myCompany,dc=com)))")
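The answer above fixes the filter string on the plain LDAP provider; as an added example (mine, not code from the question or the answer), here is how the ActiveDirectoryLdapAuthenticationProvider that the asker found to be "dictating the terms" can itself enforce the group: a balanced filter using {1} is passed to its setSearchFilter, and the UserDetailsContextMapper re-checks memberOf so that a misconfigured filter still fails closed. GroupRestrictedAdConfig, GroupCheckingMapper and the domain/url/rootDn parameters are assumed names; the group DN is the one from the question.

```java
import java.util.Collection;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

public class GroupRestrictedAdConfig {
    // Group DN as written in the question; the real group's DN goes here.
    static final String REQUIRED_GROUP_DN = "cn=GDL-MyTeam,ou=users,dc=myCompany,dc=com";
    // Balanced parentheses; {1} is the username typed at login, so only that account
    // can match, and memberOf limits the match to direct members of the group.
    static final String SEARCH_FILTER =
        "(&(objectClass=user)(sAMAccountName={1})(memberOf=" + REQUIRED_GROUP_DN + "))";

    static ActiveDirectoryLdapAuthenticationProvider adProvider(String domain, String url, String rootDn) {
        ActiveDirectoryLdapAuthenticationProvider p = new ActiveDirectoryLdapAuthenticationProvider(domain, url, rootDn);
        p.setSearchFilter(SEARCH_FILTER);  // no matching entry -> bind succeeds but authentication fails
        p.setConvertSubErrorCodesToExceptions(true);
        p.setUserDetailsContextMapper(new GroupCheckingMapper());
        return p;
    }

    /** Second, independent check on the memberOf values of the entry AD returned. */
    static class GroupCheckingMapper extends LdapUserDetailsMapper {
        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                              Collection<? extends GrantedAuthority> authorities) {
            if (!isMemberOf(ctx.getStringAttributes("memberOf"), REQUIRED_GROUP_DN)) {
                throw new BadCredentialsException("account is not in the required group");
            }
            return super.mapUserFromContext(ctx, username, authorities);
        }
    }

    /** LdapName equality ignores case and surrounding whitespace in types and values, unlike String.equals. */
    static boolean isMemberOf(String[] memberOf, String groupDn) {
        if (memberOf == null) return false;
        try {
            LdapName wanted = new LdapName(groupDn);
            for (String dn : memberOf) if (new LdapName(dn).equals(wanted)) return true;
        } catch (InvalidNameException e) {
            return false;  // malformed DN from the directory: fail closed
        }
        return false;
    }
}
```

memberOf lists direct membership only, so a user who belongs to GDL-MyTeam through a nested group is rejected by both checks.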
