Balwant Kumar Singh

Reputation: 1178

Disabling SSL Certificate Validation for Active Directory server using spring-ldap 1.3.1

I'm able to authenticate to Active Directory when only one AD server needs to be configured. The solution is given by me in Active Directory authentication through ssl as anonymous user.

Now I'm stuck when there are multiple ADs running behind a Load Balancer.

Since the Load Balancer is in between, I will get the host name only, and the IP of the AD will be replaced with the host name behind the Load Balancer based on availability. Therefore, I won't be able to know which Active Directory server will be used to process my authentication request, so I won't be able to generate the certificate in advance. Also, I can't get the IPs of the ADs my client is using for load balancing (for security reasons), so there is no point in generating jssecacerts. All I need to do is disable the certificate validation. I'm using the LdapTemplate class (spring-ldap 1.3.1) to authenticate the user. My Spring config looks like this:

<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource" />
    <property name="ignorePartialResultException" value="yes" />
</bean>
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldaps://xxx.xxx.xxx.xxx:636" />
</bean>

The authenticate method:

import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

// ldapTemplate and base are fields of the enclosing class (injected from the Spring config above)
public boolean login(String username, String password) {

    // trust store path is truncated in the original post
    System.setProperty("javax.net.ssl.trustStore",
            ".../jssecacerts");

    boolean authenticate = false;

    // attribute names and values are placeholders in the original post
    AndFilter filter = new AndFilter();
    filter.and(new EqualsFilter("xyz", "xyz"));
    filter.and(new EqualsFilter("xyz", xyz));

    // binds as the matched user with the supplied password; true only if the bind succeeds
    authenticate = this.ldapTemplate.authenticate(base, filter.encode(), password);
    return authenticate;
}

Since we don't need to have a certificate, System.setProperty("javax.net.ssl.trustStore", ".../jssecacerts"); will not be needed.

What changes do I need to make to disable the certificate validation?

I'm pretty new to LDAP stuff. Kindly help with an appropriate answer.

Upvotes: 9

Views: 13327

Answers (1)

Balwant Kumar Singh

Reputation: 1178

Well, thanks to Darren Hauge for providing a tricky solution that will not care about the ssl certificate. Rewriting the solution here:

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public static void trustSelfSignedSSL() {
    try {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // A trust manager whose check methods never throw accepts every
        // certificate chain, so no server (or intermediary) is ever rejected.
        X509TrustManager tm = new X509TrustManager() {

            @Override
            public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // the contract requires a non-null array; an empty one avoids NPEs in some TLS stacks
                return new X509Certificate[0];
            }
        };
        ctx.init(null, new TrustManager[]{tm}, null);
        // Makes this context the JVM default, which is what JNDI's ldaps:// connections use.
        SSLContext.setDefault(ctx);
    } catch (Exception ex) {
        ex.printStackTrace();
    }
}

All we need to do is create a utility class and put this method inside it. Call this method wherever you need it.

Any comment on this solution is welcome.

Thanks.

Upvotes: 15
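The trust manager above accepts every certificate, so a connection to any host that answers on port 636, including one interposed between the application and the load balancer, is treated as Active Directory. The added example below is not from the question, the answer, Darren Hauge or spring-ldap; it uses the same `SSLContext.setDefault` mechanism the answer relies on, but seeds the context with the CA that issued the AD servers' certificates. Every server behind the load balancer whose certificate chains to that CA is then accepted without pre-generating a per-server `jssecacerts`, while an unknown certificate is still rejected. The class name `LdapsTrust`, the PEM-file argument and the assumption that all AD servers share one issuing CA are mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class (not part of spring-ldap or the original post).
public final class LdapsTrust {

    private LdapsTrust() {
    }

    /**
     * Builds an SSLContext whose only trust anchor is the CA certificate in
     * caPemPath (assumed to be the CA that issued all AD server certificates).
     * Any server behind the load balancer that presents a chain ending in this
     * CA is accepted; any other certificate fails validation as usual.
     */
    public static SSLContext trustIssuingCa(String caPemPath)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }

        // Empty in-memory key store holding just the one trusted CA.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("ad-issuing-ca", ca);

        // The JDK's standard X.509 trust manager does chain building,
        // expiry checks and signature verification against that store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Installs the CA-pinned context as the JVM default, the same hook the
     * trust-all solution uses, so LdapContextSource's ldaps:// URL picks it up.
     */
    public static void installAsDefault(String caPemPath)
            throws IOException, GeneralSecurityException {
        SSLContext.setDefault(trustIssuingCa(caPemPath));
    }
}
```

Call `LdapsTrust.installAsDefault("/path/to/ad-issuing-ca.pem")` (path is a placeholder) once at startup, before `LdapContextSource` opens its first connection, in the same place the answer suggests calling `trustSelfSignedSSL()`. Only the issuing CA's public certificate is needed, which an AD administrator can normally hand out without revealing which servers sit behind the load balancer.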
