4

I have the Grails Spring Security plugin connecting to one Active Directory server with no problems. However, I need to connect to multiple servers. We have some users on one AD server and other users on a different server, so we need to try looking for users in both locations.

For example, in Java I have this working as below:

<authentication-manager>
    <authentication-provider ref="provider1"/>
    <authentication-provider ref="provider2"/>
...
</authentication-manager>

<ldap-server id="provider1"
             url="ldap://LDAPSERVER1.mycompany.intranet"
             manager-dn="OU=std_users,OU=users,DC=mycompany,DC=intranet"
             manager-password="blah"/>

<ldap-server id="provider2"
             url="ldap://DIFFERENT_LDAPSERVER.mycompany.intranet"
             manager-dn="OU=std_users,OU=external_users,DC=mycompany,DC=intranet"
             manager-password="blah"/>

In Grails I can configure one AD server but cannot work out how to configure more than one:

// LDAP config
grails.plugin.springsecurity.ldap.context.managerDn = 'CN=blah,OU=std_users,OU=users,DC=mycompany,DC=intranet'
grails.plugin.springsecurity.ldap.context.managerPassword = 'the_password'
grails.plugin.springsecurity.ldap.context.server = 'ldap://theserver.mycompany.intranet'

grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugin.springsecurity.ldap.search.base = 'OU=std_users,OU=users,DC=mycompany,DC=intranet'
grails.plugin.springsecurity.ldap.search.filter="sAMAccountName={0}" // for Active Directory you need this
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false

I know that you can create a space-separated list of servers but this won't work for me as it will only try one of the servers once it has a connection, whereas I need it to try looking for users in both.

I think I probably need to get stuck into the resources.groovy file but don't know where to start with this - has anyone configured multiple AD locations?

The only other idea I have is to create a virtual directory which brings together all the users in one directory. Can anyone suggest a good way of doing this? I have been looking at http://myvd.sourceforge.net/usecases.html

Any help would be appreciated. Have been googling all day and I am no closer to a solution.

Cookalino
  • 1,559
  • 14
  • 19
  • Hi, thanks for answering. Please move your comment to an answer so that you are eligible for the bounty. This pointed me in the right direction and I have had some success with this today. I will update more tomorrow. – Cookalino Oct 15 '14 at 16:14

2 Answers2

5

Andrew's answer pointed me in the right direction and I now have this working.

It was A LOT easier to make this work using ActiveDirectoryLdapAuthenticationProvider. This is done as below:

In resources.groovy:

// Domain 1
ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain.com",
        "ldap://mydomain.com/"
)

// Domain 2
ldapAuthProvider2(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain2.com",
        "ldap://mydomain2.com/"
)

In Config.groovy:

grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1', 'ldapAuthProvider2']

This is all the code you need. You can pretty much remove all other grails.plugin.springsecurity.ldap.* settings in Config.groovy as they don't apply to this AD setup.

For documentation, see: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ldap-active-directory

If you aren't using AD and want the 'pure LDAP' version:

In resources.groovy:

// Create another ldap authentication provider
ldapAuthProvider2(org.springframework.security.ldap.authentication.LdapAuthenticationProvider,
        ref("ldapAuthenticator2"),
        ref("ldapAuthoritiesPopulator") // Use default
) {
    // Can set other auth provider settings here
}

ldapAuthenticator2(org.springframework.security.ldap.authentication.BindAuthenticator, ref("contextSource2")) {
    userSearch = ref("ldapUserSearch2")
}

// Set up the manager to read LDAP
contextSource2(DefaultSpringSecurityContextSource, grailsApplication.config.grails.plugin.springsecurity.ldap.context.server2) {
    userDn = grailsApplication.config.grails.plugin.springsecurity.ldap.context.managerDn2 // Manager DN
    password = grailsApplication.config.grails.plugin.springsecurity.ldap.context.managerPassword2
}

// Configuration for searching for user
ldapUserSearch2(FilterBasedLdapUserSearch, grailsApplication.config.grails.plugin.springsecurity.ldap.search.base2, grailsApplication.config.grails.plugin.springsecurity.ldap.search.filter2, ref('contextSource2')) {
}

And then in Config.groovy:

// Config for second LDAP AuthenticationProvider - used in resources.groovy
grails.plugin.springsecurity.ldap.context.managerDn2 = 'CN=MANAGER_USER,OU=Users,DC=mycompany,DC=com'
grails.plugin.springsecurity.ldap.context.managerPassword2 = 'manager_password'
grails.plugin.springsecurity.ldap.context.server2 = "ldap://the-ldap-server.com"

grails.plugin.springsecurity.ldap.search.base2 = 'OU=Users,DC=mycompany,DC=com'
grails.plugin.springsecurity.ldap.search.filter2 = "sAMAccountName={0}" // for Active Directory you need this

// Add the AuthenticationProvider to the list
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider', 'ldapAuthProvider2']

This link was very useful for finding out how to set this up: https://github.com/grails-plugins/grails-spring-security-ldap/blob/master/SpringSecurityLdapGrailsPlugin.groovy

Cookalino
  • 1,559
  • 14
  • 19
3

The basic idea would be to construct a second, custom AuthenticationProvider bean within your application's grails-app/conf/spring/resources.groovy file, perhaps modeling it after ldapAuthProvider in https://github.com/grails-plugins/grails-spring-security-ldap/blob/master/SpringSecurityLdapGrailsPlugin.groovy Then, you could add this custom LDAP authenticator bean to the grails.plugin.springsecurity.providerNames list in Config.groovy (or equivalent)

Andrew
  • 2,239
  • 13
  • 7