• LDAP Login with UID and MAIL

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #39382  by Catscratch
 
Hi,

I want all users to be able to login either with login name (uid) or mail address (mail).

Therefore, I modified the Spring Security bean configuration to enable both ways.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:...">

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="ldapAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
      <beans:constructor-arg value="MY SERVER URL"/>
      <beans:property name="userDn" value="cn=ldap"/>
      <beans:property name="password" value="MY PWD"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">

      <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
          <beans:constructor-arg ref="contextSource"/>
          <beans:property name="userSearch" ref="userSearch"/>
        </beans:bean>
      </beans:constructor-arg>

      <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
          <beans:constructor-arg ref="contextSource"/>
          <beans:constructor-arg value="ou=groups,dc=myrealm"/>
          <beans:property name="groupSearchFilter" value="uniqueMember={0}"/>
          <beans:property name="groupRoleAttribute" value="uid"/>
          <beans:property name="searchSubtree" value="true" />
          <beans:property name="convertToUpperCase" value="false" />
          <beans:property name="rolePrefix" value="" />
          <beans:property name="defaultRole" value="ROLE_USER" />
        </beans:bean>
      </beans:constructor-arg>

    </beans:bean>

    <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
      <beans:constructor-arg index="0" value="ou=people,dc=myrealm" />
      <beans:constructor-arg index="1" value="(|(uid={0})(mail={0}))" />
      <beans:constructor-arg index="2" ref="contextSource" />
      <beans:property name="searchSubtree" value="true" />
    </beans:bean>

</beans:beans>
This is working great! The magic happens here:
<beans:constructor-arg index="1" value="(|(uid={0})(mail={0}))" />
Ok, but now the problem.

Once the user has logged in, his permissions are only available when he used his UID to log in. When he uses his MAIL attribute, no permissions are applied. This means the user can't see, e.g., the folders he got read permissions on. So it seems that somewhere the attribute used for login is used to match the LDAP user specified in the permissions, and when he uses MAIL no match is found.

For completeness, the LDAP configuration inside OpenKM:
principal.ldap.mail.attribute:       mail
principal.ldap.mail.search.base:     ou=people,dc=myrealm
principal.ldap.mail.search.filter:  (&(objectClass=person)(uid={0}))
principal.ldap.role.attribute:       cn
principal.ldap.role.search.base:     ou=groups,dc=myrealm
principal.ldap.role.search.filter:   (objectClass=groupOfUniqueNames)
principal.ldap.roles.by.user.attribute: memberOf
principal.ldap.roles.by.user.search.base: ou=people,dc=myrealm
principal.ldap.roles.by.user.search.filter: (&(objectClass=person)(uid={0}))
principal.ldap.security.credentials:  MY PWD
principal.ldap.security.principal:    cn=ldap
principal.ldap.server:                ldaps://myrealm.myserver.net:389
principal.ldap.user.attribute:        uid
principal.ldap.user.search.base:      ou=people,dc=myrealm
principal.ldap.user.search.filter:    (objectClass=person)
principal.ldap.username.attribute:     cn
principal.ldap.username.search.base:   ou=people,dc=myrealm
principal.ldap.username.search.filter: (uid={0})
principal.ldap.users.by.role.attribute: uniqueMember
principal.ldap.users.by.role.search.base: cn={0},ou=groups,dc=myrealm
principal.ldap.users.by.role.search.filter: (objectClass=groupOfUniqueNames)
principal.ldap.users.from.roles:       Inactive
Thanks for hints.

I don't know if it is a spring security related problem or a configuration problem inside OpenKM or if it is simply not possible to use both login methods at the same time.

Regards!
 #39392  by jllort
 
This kind of configuration will be conflictive, because for the application you get two logged-in IDs, for example user XXX with mail XXXX@mail. Well, the problem comes in the application, because for it the session is set to XXX or to XXXX@mail, and these IDs are distinct. Somewhere in Spring you should change XXXX@mail to the XXX user; otherwise you get the mail ID in the session, not the user session.

I suspect you should try to solve it from a new Spring Security class and not in LdapPrincipalAdapter. It is also possible to modify the OpenKM LDAP adapter; there it should receive the userId, not the mailId, although the mail has been used for login purposes.
 #39394  by Catscratch
 
Ok thanks for clarifying. I might have known it.

Do you have any idea how to start configuring Spring Security in this way, so that it replaces the mail address with the user's identifier and the OpenKM LdapAdapter is working again?
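One way to do what jllort suggests on the Spring Security side, as an added example that is not part of this thread or of OpenKM's own code: a UserDetailsContextMapper that reads the uid attribute from the LDAP entry matched by the (|(uid={0})(mail={0})) search and makes it the session principal, whatever the person typed. The package, class name and the "uid" constructor value are assumptions; the Spring Security types and the userDetailsContextMapper property on LdapAuthenticationProvider are real.

```java
package com.example.openkm.security; // hypothetical package, not OpenKM's

import java.util.Collection;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

/**
 * Canonicalises the principal after a successful LDAP bind: the username
 * handed to OpenKM is always the matched entry's uid, so permission lookups
 * keyed on uid work no matter whether uid or mail was typed into the form.
 */
public class UidPrincipalMapper extends LdapUserDetailsMapper {

    private final String uidAttribute;

    public UidPrincipalMapper(String uidAttribute) {
        this.uidAttribute = uidAttribute;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        // ctx is the single entry found by FilterBasedLdapUserSearch and bound
        // with the supplied password; an ambiguous search (two entries matching
        // the same uid/mail value) is already rejected by the search itself.
        String uid = ctx.getStringAttribute(uidAttribute);
        if (uid == null || uid.isEmpty()) {
            // Entry without a uid: keep the typed login, i.e. stock behaviour.
            uid = username;
        }
        // Let the stock mapper build the LdapUserDetails, but with the canonical uid
        // as username instead of the value typed into the login form.
        return super.mapUserFromContext(ctx, uid, authorities);
    }
}

// Wiring, added as a property on the ldapAuthProvider bean from the post:
//   <beans:property name="userDetailsContextMapper">
//     <beans:bean class="com.example.openkm.security.UidPrincipalMapper">
//       <beans:constructor-arg value="uid"/>
//     </beans:bean>
//   </beans:property>
```

With this in place the OpenKM principal.ldap.* filters that use (uid={0}) keep working unchanged, because the id they receive is the uid even after a mail-based login.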
