From 5ab42e18d6b9362d3097dfbcde2db65f14670934 Mon Sep 17 00:00:00 2001
From: Jason Han
Date: Thu, 22 Sep 2022 11:06:54 -0700
Subject: [PATCH 1/2] Adding some changes for ActiveDirectory
---
 .../openmbee/mms/ldap/LdapSecurityConfig.java | 46 ++++++++++++++++---
 1 file changed, 40 insertions(+), 6 deletions(-)
diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
index 2f798a260..c18e01c02 100644
--- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
+++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
@@ -21,11 +21,15 @@
 import org.springframework.ldap.core.support.BaseLdapPathContextSource;
 import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.ldap.filter.*;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.ldap.SpringSecurityLdapTemplate;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
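Review bot: `LdapAuthenticationProvider` is imported here but no line in this patch references it; the wiring in the later hunks goes through `LdapAuthenticationProviderConfigurer` and `ActiveDirectoryLdapAuthenticationProvider`. Unless a part of the file outside these hunks uses it, drop `import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;` so the import block does not carry a dead entry. The other three additions are all used below.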
@@ -36,6 +40,12 @@ public class LdapSecurityConfig {
 private static Logger logger = LoggerFactory.getLogger(LdapSecurityConfig.class);
+ @Value("${ldap.ad.enabled:false}")
+ private Boolean adEnabled;
+
+ @Value("${ldap.ad.domain:#{null}}")
+ private String adDomain;
+
 @Value("${ldap.provider.url:#{null}}")
 private String providerUrl;
@@ -75,6 +85,12 @@ public class LdapSecurityConfig {
 @Value("${ldap.group.search.filter:(uniqueMember={0})}")
 private String groupSearchFilter;
+ @Value("${ldap.user.search.base:#{''}}")
+ private String userSearchBase;
+
+ @Value("${ldap.user.search.filter:(uid={0})}")
+ private String userSearchFilter;
+
 private UserRepository userRepository;
 private GroupRepository groupRepository;
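Review bot: The `(uid={0})` default for `ldap.user.search.filter` is not a neutral default, because the same field feeds both branches of `configureLdapAuth`: for the AD provider `{0}` is the bind principal (`user@domain`) and AD user objects normally carry `sAMAccountName`/`userPrincipalName` rather than `uid`, so a deployment that sets `ldap.ad.enabled=true` without also overriding this property will most likely bind successfully and then fail the post-bind user search. In the non-AD branch a non-null filter makes `LdapAuthenticationProviderConfigurer` build a `FilterBasedLdapUserSearch` from `userSearchBase` (defaulting to `''`, i.e. the context base) alongside the DN patterns, which is new behaviour for existing `userDnPattern`-only deployments; I am reading this from the configurer's contract, so confirm it against the pinned Spring Security version. Defaulting the property to `@Value("${ldap.user.search.filter:#{null}}")` and only calling `setSearchFilter` when it is non-null lets each provider keep its own default, and a one-line comment on the field saying what `{0}` stands for in each mode would spare the next deployer a guess.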
@@ -99,12 +115,21 @@ public void configureLdapAuth(AuthenticationManagerBuilder auth,
 We redefine our own LdapAuthoritiesPopulator which need ContextSource(). We need to delegate the creation of the contextSource out of the builder-configuration. */
- String[] a = userDnPattern.toArray(new String[0]);
- auth.ldapAuthentication().userDnPatterns(a).groupSearchBase(groupSearchBase)
- .groupRoleAttribute(groupRoleAttribute).groupSearchFilter(groupSearchFilter)
- .rolePrefix("")
- .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator)
- .contextSource(contextSource);
+ if (adEnabled) {
+ auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
+ } else {
+ String[] userPatterns = userDnPattern.toArray(new String[0]);
+ LdapAuthenticationProviderConfigurer authProviderConfigurer = auth.ldapAuthentication();
+ authProviderConfigurer.userDnPatterns(userPatterns);
+ authProviderConfigurer.userSearchBase(userSearchBase);
+ authProviderConfigurer.userSearchFilter(userSearchFilter);
+ authProviderConfigurer.groupSearchBase(groupSearchBase);
+ authProviderConfigurer.groupRoleAttribute(groupRoleAttribute);
+ authProviderConfigurer.groupSearchFilter(groupSearchFilter);
+ authProviderConfigurer.rolePrefix("");
+ authProviderConfigurer.ldapAuthoritiesPopulator(ldapAuthoritiesPopulator);
+ authProviderConfigurer.contextSource(contextSource);
+ }
 }
 }
@@ -202,6 +227,15 @@ public Collection getGrantedAuthorities(
 }
+ @Bean
+ public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
+ ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(adDomain, providerUrl, providerBase);
+ provider.setSearchFilter(userSearchFilter);
+ provider.setConvertSubErrorCodesToExceptions(true);
+ provider.setUseAuthenticationRequestCredentials(true);
+ return provider;
+ }
+
 @Bean
 public LdapContextSource contextSource() {
 LdapContextSource contextSource = new LdapContextSource();
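Review bot: The `if (adEnabled)` branch registers the bean and nothing else, so `ldapAuthoritiesPopulator`, `contextSource`, `rolePrefix("")` and the `groupSearch*` settings that the `else` branch applies are silently ignored in AD mode; the custom populator the comment just above this hunk talks about is never consulted, and roles come from whatever `ActiveDirectoryLdapAuthenticationProvider` derives on its own (its `memberOf` handling, per the Spring Security docs) with no prefix stripping. If, as the `userRepository`/`groupRepository` fields on this class suggest, the populator also syncs users and groups into the local store, AD logins bypass that as well. Either wire the mapping explicitly on the bean (`provider.setAuthoritiesMapper(...)` or a `UserDetailsContextMapper`) or put a comment on the `if` such as `// AD mode: the group/populator settings below are not applied; authorities come from the provider's memberOf handling` so the gap is deliberate rather than accidental. `configureLdapAuth` starts outside the hunk.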
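Review bot: `provider.setConvertSubErrorCodesToExceptions(true)` in `activeDirectoryLdapAuthenticationProvider()` maps AD's bind sub-error codes to distinct `LockedException`, `DisabledException`, `AccountExpiredException` and `CredentialsExpiredException` instead of a uniform `BadCredentialsException`; if the login endpoint reflects the exception type or message to the caller, an unauthenticated client can distinguish a locked or disabled real account from a nonexistent one, which is account-state and username enumeration. Keep the flag only if the failure handler (not visible here) collapses these to one generic response, and record that dependency on the line: `// typed AD sub-error exceptions — the login handler must not surface them to the client`. Also, the constructor receives `adDomain` with its `#{null}` default, which, if I read the provider right, means usernames go to the bind unqualified; a comment saying that `ldap.ad.domain` is optional and what leaving it unset changes would save the next deployer a guess.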
From ee34d48ab86bfdb4dbb3a2815ce024218dd956da Mon Sep 17 00:00:00 2001
From: Jason Han
Date: Tue, 4 Oct 2022 10:59:27 -0700
Subject: [PATCH 2/2] Adding some changes for ActiveDirectory
---
 gradle.properties | 2 +-
 .../org/openmbee/mms/ldap/LdapSecurityConfig.java | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 2d386856d..de52d9b49 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,4 +1,4 @@
-version=4.0.10
+version=4.0.11
 group=org.openmbee.mms
 springBootVersion=2.6.7
diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
index c18e01c02..48e7c14c5 100644
--- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
+++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java
@@ -33,6 +35,8 @@
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
+import javax.naming.Context;
+
 @Configuration
 @Conditional(LdapCondition.class)
 @EnableTransactionManagement
@@ -230,6 +232,16 @@ public Collection getGrantedAuthorities(
 @Bean
 public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
 ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(adDomain, providerUrl, providerBase);
+
+ Hashtable env = new Hashtable<>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, providerUrl);
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, providerUserDn);
+ env.put(Context.SECURITY_CREDENTIALS, providerPassword);
+
+ provider.setContextEnvironmentProperties(env);
+
 provider.setSearchFilter(userSearchFilter);
 provider.setConvertSubErrorCodesToExceptions(true);
 provider.setUseAuthenticationRequestCredentials(true);
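Review bot: Putting `Context.SECURITY_PRINCIPAL` = `providerUserDn` and `Context.SECURITY_CREDENTIALS` = `providerPassword` into `env` and handing it to `setContextEnvironmentProperties` looks like an authentication bypass: `ActiveDirectoryLdapAuthenticationProvider` verifies the password by binding as the end user, and in the Spring Security 5.x line that Boot 2.6.7 pins, `bindAsUser` builds its environment with the user's principal and password and then calls `env.putAll(contextEnvironmentProperties)`, so these two entries replace them and every login binds as the service account — any password would then pass for any username the post-bind search can find. Remove those two `env.put` lines; the remaining entries (`LdapCtxFactory`, `PROVIDER_URL`, `simple`) duplicate what the provider already sets, so the whole `Hashtable`/`setContextEnvironmentProperties` block can likely go, and the override order should be verified against the exact Spring Security version before any variant that keeps service credentials in this map ships. Separately, `Hashtable env = new Hashtable<>();` is a raw type passed to a `Map<String, Object>` parameter; if any of it stays, declare it `Hashtable<String, Object> env = new Hashtable<>();` and make sure `java.util.Hashtable` is imported, since this patch only adds `javax.naming.Context`.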