1

I am attempting to integrate LDAP authentication with Grails 3. Essentially, here is what I am trying to do:


When a particular path is invoked, I want to make sure that the user is part of the right "group" in the directory.

To approach this, what I have done is configure Tomcat's server.xml file to enable the JNDI realm.

```xml
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
    connectionName="cn=angryIp,ou=People,o=cools,dc=mains,dc=com"
    connectionPassword="angryIp"
    connectionURL="ldap://localhost:10389"
    userPattern="cn={0},ou=People,o=cools,dc=mains,dc=com"
    roleBase="ou=Groups,o=cools,dc=mains,dc=com"
    roleName="cn"
    roleSearch="uniqueMember={1}"
/>
```

I have a configured version of Apache Directory Studio running, and I am able to query it and get results back. (In other words, the above config is correct so far.)

To take this further, I need to add the security constraints in the web.xml file. However, Grails 3 no longer supports the use of web.xml. (I have even created a web.xml file which was placed into the src/main/webapp/WEB-INF dir, as some recommended for previous versions, but the application then becomes undeployable.) This creates a problem for me, as all the tutorials assume we can create that file.

I have also looked at the Grails 3 documentation for using LDAP in the application.yml file, but the problem I have here is that the connection parameters are required. Ex: the LDAP IP string, username, password, etc. While I know this data for my local env, the war file will be deployed to many clients, and I do not know their IPs.

So the problem/issue I have is that:

a) Since Grails 3 does not have a web.xml file, how can I configure the same attributes programmatically? Even though this is horrible for the server admins, and really gives me little benefit.

b) Is there an alternative to the statically typed IPs for the LDAP configuration in the application.yml?

angryip
  • Have you tried using Spring Security Core Plugin for Grails and LDAP Plugin? – monty_bean Mar 04 '16 at 16:57
  • From the documentation I have seen so far, both of those require that the connectionUrl is known in advance. I will not know that. I was hoping to use LDAP with JNDI to make it easily changeable by the customer – angryip Mar 04 '16 at 16:59

1 Answer

0

Configuration of Grails and most Grails plugins can be externalized. If you externalize the application.groovy file or application.yml file, you can easily customize config on different systems.

There are many examples of how to do that in Grails 3. One of them is here: http://grails.1312388.n4.nabble.com/Grails-3-External-config-td4658823.html

We use this method for our apps to customize email, LDAP and other options easily. You can also use command line arguments or system environment, but external config is much more flexible.

practical programmer
  • 1
    I appreciate the feedback, but I do not see how this is applicable. First, some of the externalized files require the invocation of the Applications.groovy main method. I believe this is for the embedded tomcat, which is certainly not our production env. Next, from the docs that I have read, when you issue the command: dev war, no matter what file you use to fuel the configuration, it will insert those properties into the war. Obviously, I do not want that. I need a dynamic approach, something that jndi provides. Could you elaborate or provide code as to how your approach solves the issue? – angryip Mar 04 '16 at 18:43
  • If you use Spring Security LDAP you can set the `grails.plugin.springsecurity.ldap.context.server` option in external config, different on each environment. This option is used to specify the host/IP of the server. There are many other options with the prefix `grails.plugin.springsecurity.ldap.context` to set all other things. I don't understand what you mean by embedded tomcat here. External config is not located in the war, it's located in the file system of the server you have the application installed on – practical programmer Mar 04 '16 at 19:02
  • 1
    I think you are referring to this: http://stackoverflow.com/questions/13561127/how-can-update-external-config-files-without-rebuild-war-file-in-grails , and then adding the grails.plugin.springsecurity.ldap.context.server in there. I am just unsure as to how this is beneficial imo. While yes, I can externalize the file, now I am stuck with dealing with its maintenance... It would be so much better imo, if the web.xml file was there, because then I can easily navigate to it in my deployment directory (webapps in tomcat), and make the necessary changes – angryip Mar 04 '16 at 19:11
  • Unless I get some solutions to make the web.xml file work, I suppose I'll just go with that solution. Possibly implement EnvironmentAware, and the setEnv method, and go from there. /sigh – angryip Mar 04 '16 at 19:52
  • Grails 3 is based on Spring Boot so you should be able to work with `web.xml` in a way described here https://docs.spring.io/spring-boot/docs/current/reference/html/howto-traditional-deployment.html . But I really do not recommend what you want to do. With web.xml you have to manage it as you described. What's more, you have to modify web.xml on every deploy as it will get overridden. If you don't want to have an external config file, you can use System Environments or command line parameters in your `application.groovy` to set the LDAP server connection – practical programmer Mar 04 '16 at 20:02
  • I suppose fate wants me to do it with this plugin. I just don't like that separate login "view". I wish it was a popup just like the tomcat one. :/ sad face panda – angryip Mar 07 '16 at 15:24
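
The environment-variable approach suggested in the comments, as an added example that is not code from the question, the answer or either plugin's documentation: an `application.groovy` that carries the question's JNDIRealm settings over to the Spring Security LDAP plugin while keeping the server URL and bind credentials out of the war. The environment variable names (`LDAP_URL`, `LDAP_BIND_DN`, `LDAP_BIND_PASSWORD`) and the `required` helper are assumptions made for this example.

```groovy
// grails-app/conf/application.groovy (added example, not from the thread)
// Assumes the Spring Security Core and LDAP plugins are installed.
// LDAP_URL, LDAP_BIND_DN and LDAP_BIND_PASSWORD are hypothetical variable names.

// Fail closed: abort startup when a setting is missing, so a misconfigured
// host never falls back to a default directory or a bind account baked
// into the war.
def required = { String name ->
    String value = System.getenv(name)?.trim()
    if (!value) {
        throw new IllegalStateException("Missing environment variable ${name}")
    }
    value
}

String ldapUrl = required('LDAP_URL')
if (!(ldapUrl ==~ /(?i)ldaps?:\/\/.+/)) {
    throw new IllegalStateException('LDAP_URL must be an ldap:// or ldaps:// URL')
}

grails.plugin.springsecurity.providerNames = ['ldapAuthProvider']

// Per-host values: the counterparts of connectionURL, connectionName and
// connectionPassword in the JNDIRealm element.
grails.plugin.springsecurity.ldap.context.server = ldapUrl
grails.plugin.springsecurity.ldap.context.managerDn = required('LDAP_BIND_DN')
grails.plugin.springsecurity.ldap.context.managerPassword = required('LDAP_BIND_PASSWORD')

// User lookup, taken from userPattern="cn={0},ou=People,o=cools,dc=mains,dc=com".
grails.plugin.springsecurity.ldap.search.base = 'ou=People,o=cools,dc=mains,dc=com'
grails.plugin.springsecurity.ldap.search.filter = '(cn={0})'

// Group lookup, taken from roleBase, roleSearch and roleName.
grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'ou=Groups,o=cools,dc=mains,dc=com'
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = 'uniqueMember={1}'
grails.plugin.springsecurity.ldap.authorities.groupRoleAttribute = 'cn'
```

If the directory layout also differs between clients, the search and group bases can be read through the same `required` helper instead of being fixed in the file.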