Reputation: 33
I'm wondering how to authenticate users belonging to different bases in an LDAP directory.
My configuration file is:
<!-- LDAP -->
<security:ldap-server url="ldap://192.168.10.220:389/o=org" manager-dn="uid=admin,ou=Admins,o=org" manager-password="password" />

<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userDnPatterns">
                <list>
                    <value>uid={0}</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="edu.mit.kit.userdetails.MappedLdapAuthoritiesPopulator">
            <property name="admins">
                <set>
                    <value>user1</value>
                </set>
            </property>
        </bean>
    </constructor-arg>
</bean>

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://192.168.10.220:389" />
    <property name="base" value="ou=comp,ou=Users,o=org" />
    <!-- a DN needs an attribute type in its first RDN; "uid=" is assumed here
         from the manager-dn above (the original read "admin1,ou=Admins,o=org") -->
    <property name="userDn" value="uid=admin1,ou=Admins,o=org" />
    <property name="password" value="password" />
</bean>

<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <constructor-arg name="contextSource" ref="contextSource" />
</bean>
My LDAP tree root is o=org, and each user has a different "ou".
As an example of 3 users:
So, I'm looking for the way in which I can authenticate those users without putting the whole LDAP tree into this XML configuration file.
Upvotes: 0
Views: 596
Reputation: 2744
Define a 'search bean':
<beans:bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg value=""/>
    <beans:constructor-arg value="uid={0}"/>
    <beans:constructor-arg ref="contextSource"/>
</beans:bean>
and use
<beans:property name="userSearch" ref="ldapUserSearch"/>
instead of
<property name="userDnPatterns">
    <list>
        <value>uid={0}</value>
    </list>
</property>
This searches for the entry first, which is considered LDAP best practice, rather than building a DN to be used for the LDAP bind operation.
Side note: as the password is transferred in cleartext over the wire during an LDAP bind operation, don't use LDAP but LDAPS. Even using the StartTLS extended LDAP operation would allow the client to send the password in cleartext, although you may enforce a secure channel on the server side ... but then it's too late, the password could already have been eavesdropped.
Upvotes: 0
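To show how the answer's two fragments fit into the asker's configuration, here is the assembled result as an added example; it is neither the question's nor the answer's code. It uses the asker's default-namespace bean style, keeps a single LdapContextSource bean (omitting the separate <security:ldap-server> element, so the server and credentials are named in one place), points the context source at the tree root o=org so the subtree search can find users in any ou, and uses an ldaps:// URL as the answer's side note recommends. The host name, port, manager DN, the ${ldap.manager.password} property placeholder and the MappedLdapAuthoritiesPopulator values are placeholders or carried over from the question, not settings from a real deployment.

```xml
<!-- Added example, not code from the question or answer. Host, DNs and the
     password placeholder are assumptions. -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <!-- ldaps:// so the simple bind, which carries the cleartext password, is encrypted -->
    <property name="url" value="ldaps://ldap.example.invalid:636" />
    <!-- the directory root, not one ou: the user search below walks the whole subtree -->
    <property name="base" value="o=org" />
    <property name="userDn" value="uid=admin,ou=Admins,o=org" />
    <!-- externalised via a property placeholder instead of being written into the XML -->
    <property name="password" value="${ldap.manager.password}" />
</bean>

<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <!-- search base, relative to the context source base: "" means the tree under o=org -->
    <constructor-arg value="" />
    <!-- search filter; {0} is replaced with the submitted login name -->
    <constructor-arg value="(uid={0})" />
    <constructor-arg ref="contextSource" />
    <!-- subtree scope is the default; stated explicitly because it is the point here -->
    <property name="searchSubtree" value="true" />
</bean>

<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <!-- userSearch replaces userDnPatterns: the entry is located first,
                 then the bind is attempted with the DN the search returned -->
            <property name="userSearch" ref="ldapUserSearch" />
        </bean>
    </constructor-arg>
    <constructor-arg>
        <!-- authorities populator carried over from the question -->
        <bean class="edu.mit.kit.userdetails.MappedLdapAuthoritiesPopulator">
            <property name="admins">
                <set>
                    <value>user1</value>
                </set>
            </property>
        </bean>
    </constructor-arg>
</bean>
```

With this wiring a login for "user1" is resolved to its DN by a subtree search from o=org, so users under ou=comp, ou=sales or any other ou are found without listing those branches in userDnPatterns; if the search returns no entry, or more than one, the bind is never attempted and authentication fails. Verify the change with a user from a second ou and, separately, with a user that does not exist, and confirm on the directory side that the connection arrives on the LDAPS port rather than 389.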