Issue
I am trying to make a validation page with spring boot that validates user that exists in an LDAP server. My code is this:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import java.util.Arrays;

@Configuration
@EnableGlobalMethodSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request needs a real (non-remembered) login; use the default form.
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Search for the user under ou=people, then compare the submitted
        // password against the userPassword attribute of the entry found.
        auth
            .ldapAuthentication()
                .userSearchBase("ou=people")
                .userSearchFilter("(cn={0})")
                .contextSource(contextSource())
                .passwordCompare()
                    .passwordAttribute("userPassword");
    }

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        // No manager DN/password is set, so searches and compares run anonymously.
        return new DefaultSpringSecurityContextSource(Arrays.asList("ldap://localhost:389"), "dc=myCompany,dc=org");
    }
}
The problem is that I am getting the following error and I don't seem to understand where it is coming from.
Reason: [LDAP: error code 50 - Insufficient Access Rights]; nested exception is javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=nameEntered,ou=people'
Any help would be helpful.
Solution
The issue is most likely with you trying to pull userPassword as part of the LDAP search query. Most servers protect this attribute as described in this RFC.
So there are potentially two different solutions to this problem:
Talk to your LDAP server administrator and create a process account capable of reading that attribute (manual for OpenLDAP here). This assumes your userPassword attribute is a cleartext password; if it's not, you'll need to use a password encoder as described here.
Switch to bind authentication. Instead of using a privileged account to retrieve the password from the user, this binds to LDAP as the user you're trying to authenticate as, which doesn't require any special permissions. It would only give you access to attributes the user has access to, however. This is described here. You can configure it like this:
<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
In either case you should probably switch to ldaps:// instead of ldap:// since passwords (or hashes) will be going over the network in the clear.
Answered By - Michael Powers
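The two options from the answer, written as Spring Security Java configuration rather than the XML form shown above. This is an added example, not code from the question or the answer. It assumes the Spring Security 5.x configurer API (WebSecurityConfigurerAdapter), that users are keyed by uid under ou=people, an LDAPS host ldap.example.org on port 636, and, for the second variant, a service account DN and an LDAP_SERVICE_PASSWORD environment variable; all of those names are placeholders.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.LdapShaPasswordEncoder;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;

/**
 * Option 2 from the answer: bind authentication.
 * Spring builds the user's DN from the pattern and binds to the directory as
 * that user with the password they typed. The directory does the password
 * check, so nothing ever needs read access to userPassword.
 */
@Configuration
@EnableWebSecurity
public class LdapBindSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: LDAPS so the password is not sent in the clear.
    static final String LDAP_URL = "ldaps://ldap.example.org:636";
    static final String BASE_DN = "dc=myCompany,dc=org";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                // Java-config equivalent of <ldap-authentication-provider user-dn-pattern="..."/>
                .userDnPatterns("uid={0},ou=people")
                .contextSource(contextSource());
    }

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        // Deliberately no manager DN/password: bind auth needs no service account.
        return new DefaultSpringSecurityContextSource(Arrays.asList(LDAP_URL), BASE_DN);
    }
}

/**
 * Option 1 from the answer: keep password compare, but search and compare
 * with a service account that the LDAP administrator has allowed to read
 * userPassword. Not enabled here; move @Configuration/@EnableWebSecurity
 * from the class above to this one to use it instead.
 */
class LdapPasswordCompareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userSearchBase("ou=people")
                .userSearchFilter("(uid={0})")
                .contextSource(contextSource())
                .passwordCompare()
                    // Hashes the submitted password the way the directory stores
                    // it ({SHA}/{SSHA}). Leave this out only if userPassword really
                    // is cleartext.
                    .passwordEncoder(new LdapShaPasswordEncoder())
                    .passwordAttribute("userPassword");
    }

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs =
            new DefaultSpringSecurityContextSource(
                Arrays.asList(LdapBindSecurityConfig.LDAP_URL), LdapBindSecurityConfig.BASE_DN);
        // Assumed service-account DN; the password comes from the environment
        // rather than being hard-coded in the class.
        cs.setUserDn("cn=authsvc,ou=services,dc=myCompany,dc=org");
        cs.setPassword(System.getenv("LDAP_SERVICE_PASSWORD"));
        return cs;
    }
}
```

The bind variant is the one to prefer unless you have a reason to read userPassword yourself: it leaves the password check to the directory, needs no privileged credentials in the application, and the error 50 from the question cannot occur because no compare against a protected attribute is ever issued. In both variants the context source uses ldaps://, as the answer recommends, so neither the user's password nor the service account's crosses the network in cleartext.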