How to get Spring Boot Actuator LdapHealthIndicator running with Ldap from Spring Security?

Question

I'm developing a spring boot 2.3 application using spring security. Authentication and authorization is done via spring security against an AD. So I'm using spring-security-ldap and the following code.

public class SecurityConfiguration extends WebSecurityConfigurerAdapter  {
...
    public AuthenticationProvider adAuthenticationProvider() {

        ActiveDirectoryLdapAuthenticationProvider adProvider =
            new ActiveDirectoryLdapAuthenticationProvider(ldapDomain, ldapUrl);
        adProvider.setSearchFilter(ldapSearchFilter);

        adProvider.setAuthoritiesMapper(authorities -> {
            Collection gaCollection = new ArrayList<>();
            for (GrantedAuthority authority : authorities) {
                if ("admin".equals(authority.getAuthority())) {
                    gaCollection.add(new SimpleGrantedAuthority(Role.ADMIN));
                }
            }
            return gaCollection;
        });
        return adProvider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.authenticationProvider(adAuthenticationProvider());
        auth.eraseCredentials(false);
    }

}

The relevant dependencies should be this:

    
        
            
                org.springframework.boot
                spring-boot-dependencies
                ${spring-boot.version}
                pom
                import
            
        
...
    

    
        
        
            org.springframework.boot
            spring-boot
        
        
            org.springframework.boot
            spring-boot-autoconfigure
        
        
            org.springframework.boot
            spring-boot-starter-data-jpa
            
                
                    org.apache.tomcat
                    tomcat-juli
                
                
                    org.apache.tomcat
                    tomcat-jdbc
                
            
        
        
            org.springframework
            spring-web
        

        
            org.springframework.boot
            spring-boot-starter-actuator
        
        
            org.springframework.boot
            spring-boot-starter-web
        
        
            org.springframework.security
            spring-security-web
        
        
            org.springframework.security
            spring-security-config
        
        
            org.springframework.security
            spring-security-ldap
        
        
            org.springframework.security
            spring-security-test
            test
        
        
...

This works fine.

Now I decided to use Spring Boot Actuators via spring-boot-starter-actuator dependency for application monitoring.

Via auto config it detects the actuator for my data source and the LdapHealthIndicator. While datasource is ok, the LdapHealthIndicator always reports the following error.

CONDITIONS EVALUATION REPORT (only LDAP lines)

positive matches:
   LdapAutoConfiguration matched:
      - @ConditionalOnClass found required class 'org.springframework.ldap.core.ContextSource' (OnClassCondition)

   LdapAutoConfiguration#ldapContextSource matched:
      - @ConditionalOnMissingBean (types: org.springframework.ldap.core.support.LdapContextSource; SearchStrategy: all) did not find any beans (OnBeanCondition)

   LdapAutoConfiguration#ldapTemplate matched:
      - @ConditionalOnMissingBean (types: org.springframework.ldap.core.LdapOperations; SearchStrategy: all) did not find any beans (OnBeanCondition)

   LdapHealthContributorAutoConfiguration matched:
      - @ConditionalOnClass found required class 'org.springframework.ldap.core.LdapOperations' (OnClassCondition)
      - @ConditionalOnEnabledHealthIndicator management.health.ldap.enabled is true (OnEnabledHealthIndicatorCondition)
      - @ConditionalOnBean (types: org.springframework.ldap.core.LdapOperations; SearchStrategy: all) found bean 'ldapTemplate' (OnBeanCondition)

   LdapHealthContributorAutoConfiguration#ldapHealthContributor matched:
      - @ConditionalOnMissingBean (names: ldapHealthIndicator,ldapHealthContributor; SearchStrategy: all) did not find any beans (OnBeanCondition)

negative matches:
   EmbeddedLdapAutoConfiguration:
      Did not match:
         - @ConditionalOnClass did not find required class 'com.unboundid.ldap.listener.InMemoryDirectoryServer' (OnClassCondition)

   LdapRepositoriesAutoConfiguration:
      Did not match:
         - @ConditionalOnClass did not find required class 'org.springframework.data.ldap.repository.LdapRepository' (OnClassCondition)

o.s.b.actuate.ldap.LdapHealthIndicator   : LDAP health check failed
org.springframework.ldap.CommunicationException: localhost:389; nested exception is 
javax.naming.CommunicationException: localhost:389 
[Root exception is java.net.ConnectException: Connection refused: connect]

My AD is running on a remote server and not localhost. Spring security is working fine.

So why does the LdapHealthIndicator try to validate ldap server on localhost? What is the designed way to let LdapHealthIndicator use my AuthenticationProvider from my SecurityConfiguration?

jzheaux · Accepted Answer

There could possibly be other issues; however, the primary problem appears to be that you are missing the spring-ldap-core dependency from your pom:


    org.springframework.ldap
    spring-ldap-core

Including this will place it on the classpath. In combination with the correct properties, Spring Boot's LDAP auto-configuration will engage.

Also, the reference docs state that the property is spring.ldap.urls, so I believe it should be changed to that instead.

How to get Spring Boot Actuator LdapHealthIndicator running with Ldap from Spring Security?

Answers (1)

Related Questions