Setting up LDAP with Pebble 2.0 M2 (and Acegi)

Here’s what you’ll want to do:

All of the changes go in WEB-INF/applicationContext-acegi-security.xml.

First, add the LDAP provider to the list in the provider manager. ProviderManager tries the providers in the order listed, so the LDAP provider goes ahead of the DAO provider:

<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="ldapAuthProvider"/>
      <ref local="daoAuthenticationProvider"/>
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>

Next, add the LDAP provider configuration. Note the package of the context factory: it is org.acegisecurity.ldap.DefaultInitialDirContextFactory (the providers.ldap package holds the provider and the authenticator, not the context factory):

<!-- LDAP CONFIGURATION -->
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://localhost:389/BASE_DN_HERE"/>
  <property name="managerDn">
    <value>ADMIN_DN_HERE</value>
  </property>
  <property name="managerPassword">
    <value>ADMIN_PASSWORD_HERE</value>
  </property>
</bean>

<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <property name="userDnPatterns">
        <list>
          <value>uid={0},ou=People</value>
        </list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <constructor-arg>
        <value>ou=PebbleRoles</value>
      </constructor-arg>
      <property name="groupRoleAttribute">
        <value>ou</value>
      </property>
    </bean>
  </constructor-arg>
</bean>

This is almost straight from the Acegi docs. It assumes that your users reside under the organizational unit People in the base DN, so a login for brett binds as uid=brett,ou=People,BASE_DN with the password the user typed. Two things to keep in mind before copying this into a real deployment: ldap://localhost:389 is a cleartext connection, so if the directory is on another host every user password (and the manager password) crosses the network unencrypted unless you switch to ldaps://; and managerDn/managerPassword sit in plaintext in the XML and are the credentials the authorities populator uses to search ou=PebbleRoles, so give that account read access only.

To supply the roles, create the organizational unit PebbleRoles under the base DN and, beneath it, one entry of object class groupOfNames per role. The entries can be named anything friendly, but each must list its members as full DNs under the People unit, e.g. uid=brett,ou=People,dc=maven,dc=org, and each needs its own ou attribute set to the Pebble role name without the ROLE_ prefix, e.g. PEBBLE_ADMIN, BLOG_CONTRIBUTOR or BLOG_OWNER. DefaultLdapAuthoritiesPopulator finds the groups with its default (member={0}) filter, upper-cases the ou value and prepends ROLE_, which is how these become ROLE_PEBBLE_ADMIN and so on.

This is enough to authenticate your user with appropriate roles (assuming the user has a password set in LDAP).
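To make the bind-then-search sequence concrete, here is a small model of what the configuration above does at login time. It is an added example written for this page, not Pebble or Acegi code: a few constructed LDIF entries (the base DN dc=maven,dc=org, the users brett and mallory and their passwords are all assumptions) are parsed into an in-memory directory, BindAuthenticator's userDnPatterns expansion and DefaultLdapAuthoritiesPopulator's (member={0}) one-level group search are replayed against it, and the groups' ou values come back as ROLE_-prefixed authorities. No LDAP server is contacted.

```python
import re

# Constructed LDIF for the layout the post describes: users under ou=People,
# one groupOfNames per role under ou=PebbleRoles, each carrying the Pebble
# role name in its ou attribute.  The base DN dc=maven,dc=org is assumed.
LDIF = """\
dn: uid=brett,ou=People,dc=maven,dc=org
objectClass: inetOrgPerson
uid: brett
userPassword: correct-horse

dn: uid=mallory,ou=People,dc=maven,dc=org
objectClass: inetOrgPerson
uid: mallory
userPassword: hunter2

dn: cn=Blog Admins,ou=PebbleRoles,dc=maven,dc=org
objectClass: groupOfNames
cn: Blog Admins
ou: PEBBLE_ADMIN
member: uid=brett,ou=People,dc=maven,dc=org

dn: cn=Writers,ou=PebbleRoles,dc=maven,dc=org
objectClass: groupOfNames
cn: Writers
ou: BLOG_CONTRIBUTOR
member: uid=brett,ou=People,dc=maven,dc=org
member: uid=mallory,ou=People,dc=maven,dc=org
"""

# Settings from the applicationContext-acegi-security.xml above, plus the
# Acegi 1.0 defaults the post relies on without spelling them out.
BASE_DN = "dc=maven,dc=org"            # stands in for BASE_DN_HERE (assumed)
USER_DN_PATTERNS = ["uid={0},ou=People"]
GROUP_SEARCH_BASE = "ou=PebbleRoles"
GROUP_SEARCH_FILTER = "(member={0})"   # default; {0} is the bound user's DN
GROUP_ROLE_ATTRIBUTE = "ou"
ROLE_PREFIX = "ROLE_"                  # default rolePrefix
CONVERT_TO_UPPER_CASE = True           # default convertToUpperCase


def norm_dn(dn):
    """Lower-case and strip a DN so comparisons ignore case and spacing."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: {normalised dn: {attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries


def bind_authenticate(directory, username, password):
    """BindAuthenticator: expand each userDnPattern under the base DN and bind
    as that DN with the supplied password.  Returns the user DN or None."""
    if not password:
        # An LDAP simple bind with an empty password is an anonymous bind and
        # "succeeds" without checking anything, so reject it before binding.
        return None
    for pattern in USER_DN_PATTERNS:
        dn = norm_dn(pattern.replace("{0}", username) + "," + BASE_DN)
        entry = directory.get(dn)
        if entry is not None and password in entry.get("userpassword", []):
            return dn
    return None


def populate_authorities(directory, user_dn):
    """DefaultLdapAuthoritiesPopulator: one-level search under groupSearchBase
    for entries matching groupSearchFilter, then map each groupRoleAttribute
    value to an upper-cased, ROLE_-prefixed authority."""
    search_base = norm_dn(GROUP_SEARCH_BASE + "," + BASE_DN)
    attr, _, wanted = GROUP_SEARCH_FILTER.strip("()").partition("=")
    wanted = norm_dn(wanted.replace("{0}", user_dn))
    roles = set()
    for dn, attrs in directory.items():
        _, _, parent = dn.partition(",")
        if parent != search_base:      # one level only (searchSubtree=false)
            continue
        if wanted not in (norm_dn(v) for v in attrs.get(attr, [])):
            continue
        for value in attrs.get(GROUP_ROLE_ATTRIBUTE, []):
            roles.add(ROLE_PREFIX + (value.upper() if CONVERT_TO_UPPER_CASE else value))
    return sorted(roles)


def login(username, password, ldif=LDIF):
    """The full LdapAuthenticationProvider flow: bind, then collect roles."""
    directory = parse_ldif(ldif)
    user_dn = bind_authenticate(directory, username, password)
    if user_dn is None:
        return None, []
    return user_dn, populate_authorities(directory, user_dn)


if __name__ == "__main__":
    print(login("brett", "correct-horse"))
    print(login("mallory", "hunter2"))
    print(login("brett", "wrong"))
```

brett comes back with both ROLE_BLOG_CONTRIBUTOR and ROLE_PEBBLE_ADMIN because he is a member of both groups, mallory with only ROLE_BLOG_CONTRIBUTOR, and a wrong or empty password yields no DN and no roles. The empty-password refusal is the one check worth carrying over to any hand-rolled LDAP login: a simple bind with an empty password is an anonymous bind, and most servers will report it as successful.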

The last thing you'll find is that the posts are all listed "by null". It turns out Pebble doesn't load anything but authentication data from LDAP, so you'll still need the same realm.properties you would set up for the DAO authentication provider. The password and roles in it can be anything (just not blank), but name, emailAddress and website are all used. Hopefully that'll change in later versions. One caveat: daoAuthenticationProvider is still in the provider list, and ProviderManager moves on to the next provider when the LDAP bind throws an AuthenticationException, so whatever password you put in the realm file remains a working login for that user. Make it long and random rather than a placeholder, or drop daoAuthenticationProvider from the list once LDAP is working.


3 responses to “Setting up LDAP with Pebble 2.0 M2 (and Acegi)”

  1. The last thing you’ll find is that the posts are all listed “by null”. It turns out Pebble doesn’t load anything but auth data from LDAP, so you’ll still need the same realm.properties as you’ll need for the DAO auth. provider setup.

    I knew this would crop up once somebody started using something other than the bespoke realm. I’ll abstract the functionality up into an interface, then it should be an easy job to create a new bean, wire your LDAP provider and grab the user details from there.

  2. A guy I know is going to write, and hopefully get added, the LdapDaoImpl for this Acegi interface soon:

    UserDetailsService

    Keep an eye out…

  3. In the LDAP CONFIGURATION section the example says:
    org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory
    and it must say:
    org.acegisecurity.ldap.DefaultInitialDirContextFactory
