Software Programming: LDAP

LDAP (Lightweight Directory Access Protocol) authentication in a Spring Boot.

LDAP
(Lightweight Directory Access Protocol) authentication in a Spring Boot application typically involves using Spring Security to configure LDAP authentication properly, ensuring that sensitive data like passwords is protected and communication with the LDAP server is secure.
Here’s a basic guide to securing LDAP authentication in a Spring Boot application:
Add Dependencies:In your pom.xml, add the following dependencies for Spring Security and LDAP:

LDAP Configuration: In your application.properties or application.yml, configure the LDAP server details:

# application.properties

spring.ldap.urls=ldap://localhost:389

spring.ldap.base=dc=example,dc=com

spring.ldap.username=uid=admin,ou=system

spring.ldap.password=password

spring.ldap.embedded.enabled=false

Spring Security Configuration :You can configure Spring Security to authenticate using LDAP by defining a SecurityConfig class.
Here is an example:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.LdapAuthoritiesPopulator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProviderConfigurer;
import org.springframework.security.ldap.core.LdapTemplate;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/login", "/error").permitAll()  // Allowing login and error pages
            .anyRequest().authenticated()  // Other requests require authentication
            .and()
            .formLogin()  // Enable form login
            .loginPage("/login")
            .permitAll()
            .and()
            .logout().permitAll();  // Allow logout
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // LDAP Authentication configuration
        auth
            .ldapAuthentication()
            .userDnPatterns("uid={0},ou=users")
            .groupSearchBase("ou=groups")
            .contextSource()
            .url("ldap://localhost:389/dc=example,dc=com")
            .managerDn("cn=admin,dc=example,dc=com")
            .managerPassword("adminpassword")
            .and()
            .passwordCompare()
            .passwordEncoder(new org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder())
            .passwordAttribute("userPassword");
    }
}

Enable Secure LDAP Connections:
If you are using LDAP over TLS/SSL (LDAPS), it’s critical to ensure that your LDAP communication is secured. Change the URL to:
spring.ldap.urls=ldaps://localhost:636
Ensure that your LDAP server supports LDAPS and that proper certificates are installed on the server. If you are using SSL, you can also import the certificate into your Java Keystore (JKS).
Secure Password Handling:In the above configuration, passwords are compared using passwordCompare(). It's recommended to use a hashed password encoder like BCryptPasswordEncoder, which is configured in the example to secure the passwords.
Customizing the Login Page:You can customize your login page if needed by creating a controller for the login and error handling views:

Role Mapping (Optional):If you want to map roles from LDAP groups or other attributes, you can use LdapAuthoritiesPopulator to fetch roles.

This will ensure the roles are properly populated from LDAP.
Test the Application:Start your Spring Boot application, and it should authenticate users against the LDAP server. Make sure you test with the proper credentials to confirm everything is working securely.

Summary of Key Points:

LDAP Configuration: Use spring.ldap properties to configure the LDAP server details.
Spring Security: Configure Spring Security to handle LDAP authentication with ldapAuthentication().
SSL/TLS: Ensure the LDAP communication is encrypted (use ldaps://).
Password Encoding: Use a secure password encoder like BCryptPasswordEncoder.
Role Mapping: Map roles from LDAP as needed using LdapAuthoritiesPopulator. This setup will help you integrate LDAP securely in your Spring Boot application.

Simple LDAP sign-on Authentication Using Ldap-a143mkJar

java , java 8 , LDAP 1 comment :

LDAP sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, independent, software systems or web applications. In this post user will login through Outlook Mail. Ldap-a143mkJar.jar

Process of Ldap sign-On (LSO) Authentication:

Download the jar file and implement some methods / functions have been used, the names of the methods are as follows:

Call Class object LdapClient ldapClientClass=new LdapClient();

A143mkLdapConnection(ldapUrl, ldapDnConn, userEmailId, password);

There are some parameters in methods, which we initialize by creating configuration object like this.

String ldapUrl= "ldap://172.0.0.0:389/";

String lDapDnConn="dc=domainName,dc=com";

String userEmailId="EmailMail@mailDomen.com";

String password="mailPassword";

How to create a project/main class/other class to follow us.

while creating the controller/main class Ldapconn.java.

package ldapconn;
import ldap.a143mkjar.LdapClient;
import ldap.a143mkjar.LdapConnUser;
/**
 *
 * @author manoj.vishwakarma
 */
public class Ldapconn { 
     public static void main(String[] args) {
         //ldap-server configuration
        String ldapUrl= "ldap://172.0.0.0:389/";
        String lDapDnConn="dc=domainName,dc=com";
        String userEmailId="EmailMail@mailDomen.com";
        String password="mailPassword";
        
       LdapClient ldapClientClass=  new LdapClient();
       LdapConnUser get=ldapClientClass.A143mkLdapConnection(ldapUrl, lDapDnConn, userEmailId, password);
       if(get.getErrorLdapConn()==null){
          System.out.println(" DNParaMeter: "+get.getLdapDNParaMeter()+
                             "\n UserFirstName: "+get.getLdapUserFirstName()+
                             "\n UserSN: "+get.getLdapUserSN()+
                             "\n UserMailID: "+get.getLdapUserMailID()+
                              "\n accPassExpires: "+get.getAccPassExpires()+
                               "\n department: "+get.getDepartment()+
                                "\n description: "+get.getDescription()+
                                 "\n st: "+get.getSt()+
                                   "\n streetAddress: "+get.getStreetAddress());
          
  } else{
         System.out.println(get.getErrorLdapConn());
       }
     }
    
    
}

Output :

LDAP Authentication with Spring Boots

java , LDAP , Spring Boot 3 comments :

LDAP is a lightweight version of the Directory Access Protocol (DAP).LDAP’s primary function is enabling users to find data about organizations, persons, and more. It accomplishes this goal by storing data in the LDAP directory and authenticating users to access the directory. It also provides the communication language that applications require to send and receive information from directory services.

Step-by-step authentication process with Some Ldap properties.
The client (an LDAP-ready system or application) sends a request to access information stored within an LDAP database. The client provides their LDAP server user credentials (username and password). The LDAP server cross-checks the user’s submitted credentials against the core user identity data stored in its LDAP database. If the provided credentials match the stored core user identity, the client can access the requested information. Incorrect credentials will lead to denied access to the LDAP database.

Some Ldap properties.

ldap.enable=true	Enable / disable LDAP support.
ldap.ldapUrl=ldap://HostIP:389	The URL/IP to your LDAP server, including port
ldap.ldapSystemDN=cn=Administrator,dc=olattest,dc=org	System user: used for getting all users and connection testing
ldap.ldapSystemPW=mySuperPassword	The LDAP password of the system user
ldap.ldapBases= ou=person,dc=olattest,dc=org	List of bases where to find users. To use multiple bases you must edit the config file manually
ldap.sslEnabled = false	Enable SSL connection
ldap.trustStoreLocation=/usr/lib/j2sdk1.5-sun/jre/lib/security/cacerts	Location of the Java trust store
ldap.trustStorePwd=changeit	The Java trust store password
ldap.trustStoreType=JKS	The Java trust store type
ldap.cacheLDAPPwdAsOLATPwdOnLogin=true	When users log in via LDAP, the system can keep a copy of the password as encrypted hash in the database. This makes OLAT more independent from an offline LDAP server and users can use their LDAP password to use the WebDAV functionality. When setting to true (recommended), make sure you configured password.change.allowed=false
ldap.convertExistingLocalUsersToLDAPUsers=true	When the system detects an LDAP user that does already exist in OLAT but is not marked as LDAP user, the OLAT user can be converted to an LDAP managed user. When enabling this feature you should make sure that you don't have a user 'administrator' in your ldapBases (not a problem but not recommended)
ldap.deleteRemovedLDAPUsersOnSync=false	Users that have been created vial LDAP sync but now can't be found on the LDAP anymore can be deleted automatically. If unsure, set to false and delete those users manually in the LDAP administration panel.
ldap.deleteRemovedLDAPUsersPercentage=50	Sanity check when deleteRemovedLDAPUsersOnSync is set to 'true': if more than the defined percentages of user accounts are not found on the LDAP server and thus recognized as to be deleted, the LDAP sync will not happen and require a manual triggering of the delete job from the admin interface. This should prevent accidential deletion of OLAT user because of temporary LDAP problems or user relocation on the LDAP side. Value= 0 (never delete) to 100 (always delete).
ldap.ldapSyncOnStartup=true	Should users be created and synchronized automatically on startup? If you set this and the cron configuration to false, the users will be generated on-the-fly when they log in the first time.
ldap.ldapSyncCronSync=true	Should users be created and synchronized periodically, not just during startup? If you set this and the startup configuration to false, the users will be generated on-the-fly when they log in the first time.
ldap.ldapSyncCronSyncExpression=0 0 * * * ?	Set the rule how often the LDAP synchronization should take place. Default is every hour. For the cron syntax see quartz cron syntax documentation
ldap.ldapUserObjectClass=person	Configuration for syncing user attributes during login or cron and batch sync. The user object class to use.
ldap.ldapUserCreatedTimestampAttribute=createdTimestamp	The LDAP attribute that tells the creation date of the LDAP user. In active Directory this is typically "whenCreated", in OpenLDAP "createdTimestamp". If not available, use the same as for the last modified date.
ldap.ldapUserLastModifiedTimestampAttribute=modifyTimestamp	The LDAP attribute that tells the creation date of the LDAP user. In active Directory this is typically "whenChanged", in OpenLDAP "modifiedTimestamp"
ldap.attributename.useridentifyer=uid	Mapping of the LDAP user identifyer to an OLAT user. In Active Directory this is typically "sAMAccountName", in OpenLDAP "uid".
ldap.attributename.email=mail	Mapping of the mandatory OLAT user properties. In this example the LDAP attribute "mail" will be mapped to the OLAT user property "email"
ldap.attributename.firstName=givenName	Mapping of the mandatory OLAT user properties. In this example the LDAP attribute "givenName" will be mapped to the OLAT user property "firstname"
ldap.attributename.lastName=sn	Mapping of the mandatory OLAT user properties. In this example the LDAP attribute "sn" will be mapped to the OLAT user property "lastName"
olatprovider.enable=false	Disable the normal OLAT login screen. When you set ldap.cacheLDAPPwdAsOLATPwdOnLogin=true, a fallback to the normal OLAT login is made in case the LDAP server can not be reached. You can set this variable also to true to have the OLAT and the LDAP login screen available
default.auth.provider=LDAP	Use the LDAP login screen as the default login screen.

Create Spring Boot Java (Microservices) Project Example

Create Spring Boot Java (Microservices).

Project Name: LdapAuthenticationConfigSpringBoots.
Group:Ldap-Auth-a143mk.
Artifactid:Ldap-Auth-a143mk.
Description:Learn-Configure LDAP Authentication.
Package:LDAPAutha143mk.

Select the technologies and library(Maven Dependency ) to be.

Spring Web
Spring ldap
ldapsdk
ldap security

while creating the project pom.xml file and some maven dependency, main class is automatically created when web add any dependency like.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>1.5.4.RELEASE</version>
		<relativePath/> 
	</parent>
	<groupId>Ldap-Auth-a143mk</groupId>
	<artifactId>Ldap-Auth-a143mk</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>LdapAuthenticationConfigSpringBoots</name>
	<description>Learn-Configure LDAP Authentication</description>
	<properties>
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
		<java.version>1.8</java.version>
	</properties>
	<dependencies>

<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
		<groupId>org.springframework.ldap</groupId>
		<artifactId>spring-ldap-core</artifactId>
</dependency>
<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
		<groupId>com.unboundid</groupId>
		<artifactId>unboundid-ldapsdk</artifactId>
</dependency>

<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-devtools</artifactId>
			<scope>runtime</scope>
			<optional>true</optional>
		</dependency>
		
</dependencies>
	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>
	<repositories>
		<repository>
			<id>spring-milestones</id>
			<name>Spring Milestones</name>
			<url>https://repo.spring.io/milestone</url>
			<snapshots>
				<enabled>false</enabled>
			</snapshots>
		</repository>
		<repository>
			<id>spring-snapshots</id>
			<name>Spring Snapshots</name>
			<url>https://repo.spring.io/snapshot</url>
			<releases>
				<enabled>false</enabled>
			</releases>
		</repository>
	</repositories>
	<pluginRepositories>
		<pluginRepository>
			<id>spring-milestones</id>
			<name>Spring Milestones</name>
			<url>https://repo.spring.io/milestone</url>
			<snapshots>
				<enabled>false</enabled>
			</snapshots>
		</pluginRepository>
		<pluginRepository>
			<id>spring-snapshots</id>
			<name>Spring Snapshots</name>
			<url>https://repo.spring.io/snapshot</url>
			<releases>
				<enabled>false</enabled>
			</releases>
		</pluginRepository>
	</pluginRepositories>

</project>

Configure application.properties

Create ldap-data.ldif :
Directory Server uses LDAP Data Interchange Format is a standard text format for representing LDAP objects and LDAP updates (add, modify, delete, modify DN) in a textual form.

WebSecurityConfig ClassCreate new package, named LDAPAutha143mk.config. In this package, create Configuration class name is WebSecurityConfig.java as below:

package LDAPAutha143mk.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class WebSecurityConfig  extends WebSecurityConfigurerAdapter{
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
		http.csrf().disable();
	}
	  @Autowired
	  public void configure(AuthenticationManagerBuilder auth) throws Exception {
	    auth
	      .ldapAuthentication()
	        .userDnPatterns("uid={0},ou=people")
	        .groupSearchBase("ou=groups")
	        .contextSource()
	          .url("ldap://localhost:8389/dc=springframework,dc=org")
	          .and()
	        .passwordCompare().passwordAttribute("userPassword");      
	  }
}

Create Controllers
Create new package named LDAPAutha143mk.controller. In this package, create new java class named LoginWelcomeController.java

Run Project