Tom McCobb

Reputation: 13

Spring LDAP adding user to Group

I am using Spring LDAP 2.04 and OpenLDAP. Using the model code at http://docs.spring.io/autorepo/docs/spring-ldap/current/reference/#dns-as-attribute-values I am trying to add an LDAP user to a group. This is my code:

import javax.naming.Name;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.support.LdapNameBuilder;

public void addPersonToRole(String roleName, IUser user) {
    Name roleDn = buildGroupDn(roleName);
    Name userDn = buildDn(user);
    // Look up the existing group entry; the base DN is applied to this lookup DN
    DirContextOperations ctx = ldapTemplate.lookupContext(roleDn);
    // userDn carries no base, so the attribute value is stored exactly as built
    ctx.addAttributeValue("uniqueMember", userDn);
    try {
        ldapTemplate.modifyAttributes(ctx);
    } catch (Exception ex) {
        System.out.println(ex.getMessage());
    }
}

protected Name buildDn(IUser user) {
    return buildUserDnFromString("People", user.getUid());
}

protected Name buildUserDnFromString(String company, String userID) {
    // Relative DN: uid=<userID>,ou=<company>
    return LdapNameBuilder.newInstance()
            .add("ou", company)
            .add("uid", userID)
            .build();
}

protected Name buildGroupDn(String groupName) {
    // Relative DN: cn=<groupName>,ou=Roles
    return LdapNameBuilder.newInstance("ou=Roles")
            .add("cn", groupName)
            .build();
}

This works up to a point. The user will be added to the group as a uniqueMember, but without the fully qualified LDAP name, i.e., instead of uid=user, ou=People, dc=company,dc=com only uid=user, ou=People is added. The buildDn() method is also called in my create() method and the full LDAP path gets included to successfully create the new user.

import org.springframework.ldap.core.DirContextAdapter;
// StringUtils (isNotBlank, substringAfterLast) is Apache Commons Lang

public void create(IUser user) {
    // The base DN configured on the ContextSource is prepended to this relative DN at bind time
    DirContextAdapter context = new DirContextAdapter(buildDn(user));
    mapToContext(user, context);
    try {
        ldapTemplate.bind(context);
    } catch (Exception ex) {
        System.out.println(ex.getMessage());
    }
}

protected void mapToContext(IUser user, DirContextOperations context) {
    context.setAttributeValues("objectclass",
            new String[] { "top", "person", "pilotPerson", "OpenLDAPperson" });
    context.setAttributeValue("uid", user.getUid());
    context.setAttributeValue("cn", user.getFullName());
    // sn = text after the last space in the full name (empty if the name has no space)
    context.setAttributeValue("sn", StringUtils.substringAfterLast(user.getFullName(), " "));
    if (StringUtils.isNotBlank(user.getDescription())) {
        context.setAttributeValue("description", user.getDescription());
    }
    if (StringUtils.isNotBlank(user.getUserPassword())) {
        context.setAttributeValue("userPassword", user.getUserPassword());
    }
    if (StringUtils.isNotBlank(user.getEmail())) {
        context.setAttributeValue("mail", user.getEmail());
    }
}

Is the mapToContext() call making a difference? If I try to explicitly add the company info to the User DN then I get a Malformed uniqueMember object error.

My java class implements BaseLdapNameAware and the following is included in the beans definition XML:

<bean class="org.springframework.ldap.core.support.BaseLdapPathBeanPostProcessor"/>

Two questions: 1. Are there any errors in my code preventing the group add? 2. Why is the company info (i.e., LDAP Base Path) dropped on the Group Add and not on the Create?

Upvotes: 1

Views: 9589

Answers (1)

Guillermo R

Reputation: 633

The difference between the two operations ("create user" and "add user to group") is that while the first one creates a user entry (with DN=userDN), the second one updates a group entry (with DN=groupDN). In other words, these two operations are performed against two different "types" of entries if you will.

Spring will automatically append the base DN (dc=company,dc=com) to the DN used to create the context but it will not add it to other attributes like for example uniqueMember.

When you create a user you use the user's DN to create the context:

DirContextAdapter context = new DirContextAdapter(buildDn(user));

When you update the group you use the group's DN instead:

DirContextOperations ctx = ldapTemplate.lookupContext(roleDn);

That being said, to fix your code you need to set the uniqueMember attribute to the user's full DN like in the below example:

ctx.addAttributeValue("uniqueMember","uid=user, ou=People, dc=company,dc=com");

Hope this answers your question.

Upvotes: 3
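The following is an added example illustrating the answer above; it is not code from the question, the answer, or Spring LDAP itself. It builds on the same pieces the question already uses: a class implementing BaseLdapNameAware (so BaseLdapPathBeanPostProcessor injects the configured base path via setBaseLdapPath), LdapNameBuilder for the DNs, and the ou=People / ou=Roles layout. The relative DN is still used for lookups and binds, because Spring prepends the base there, while the full DN built with LdapNameBuilder.newInstance(baseLdapPath) is used wherever the DN is stored as an attribute value. The server accepted the truncated "uid=user,ou=People" value in the question because it is a syntactically valid DN, not because such an entry exists, so the example also verifies that the user entry resolves before writing and reads the group back afterwards. IUser (only getUid() is needed), the LdapTemplate wiring, and the class name are assumptions.

```java
import javax.naming.Name;
import javax.naming.ldap.LdapName;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.BaseLdapNameAware;
import org.springframework.ldap.support.LdapNameBuilder;
import org.springframework.ldap.support.LdapUtils;

/**
 * Hypothetical DAO (not from the original post): adds a user to a group by the
 * user's FULL DN and verifies the stored membership. IUser and ldapTemplate are
 * assumed to be wired as in the question; IUser only needs getUid().
 */
public class RoleMembershipDao implements BaseLdapNameAware {

    private final LdapTemplate ldapTemplate;
    private LdapName baseLdapPath;   // set by BaseLdapPathBeanPostProcessor, e.g. dc=company,dc=com

    public RoleMembershipDao(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    @Override
    public void setBaseLdapPath(LdapName baseLdapPath) {
        this.baseLdapPath = baseLdapPath;
    }

    /** Relative DN for lookups and binds: Spring LDAP prepends the base itself. */
    protected Name buildUserDn(String uid) {
        return LdapNameBuilder.newInstance()
                .add("ou", "People")
                .add("uid", uid)
                .build();
    }

    /** Full DN, needed wherever the DN becomes an attribute VALUE (uniqueMember). */
    protected Name buildFullUserDn(String uid) {
        return LdapNameBuilder.newInstance(baseLdapPath)
                .add("ou", "People")
                .add("uid", uid)
                .build();
    }

    protected Name buildGroupDn(String groupName) {
        return LdapNameBuilder.newInstance("ou=Roles")
                .add("cn", groupName)
                .build();
    }

    public void addPersonToRole(String roleName, IUser user) {
        // Refuse to record a membership that does not resolve to a real user entry:
        // lookupContext takes the RELATIVE DN and throws NameNotFoundException otherwise.
        ldapTemplate.lookupContext(buildUserDn(user.getUid()));

        DirContextOperations group = ldapTemplate.lookupContext(buildGroupDn(roleName));
        // Store the full DN as a string, as in the accepted answer
        group.addAttributeValue("uniqueMember", buildFullUserDn(user.getUid()).toString());
        ldapTemplate.modifyAttributes(group);
    }

    /** Reads the group back and checks that a stored value equals the FULL user DN. */
    public boolean isMember(String roleName, String uid) {
        LdapName expected = LdapUtils.newLdapName(buildFullUserDn(uid).toString());
        DirContextOperations group = ldapTemplate.lookupContext(buildGroupDn(roleName));
        String[] members = group.getStringAttributes("uniqueMember");
        if (members == null) {
            return false;   // attribute absent: no members at all
        }
        for (String member : members) {
            // Parse before comparing so DN equality rules apply and a truncated
            // value like "uid=user,ou=People" does not count as a match
            if (expected.equals(LdapUtils.newLdapName(member))) {
                return true;
            }
        }
        return false;
    }
}
```

Keeping two builders (relative for navigation, full for values) makes the distinction the answer describes explicit at the call site, and isMember() gives a cheap post-write check that the membership actually points at the entry authorization code will later compare against.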
