
Users in my Active Directory log on to their accounts with either the e-mail address 'firstname.lastname@company.no' or the full name 'firstname lastname'. The AD domain is 'company.local'.

The problem is that when Spring does its LDAP query it searches for 'firstname lastname@company.local', and that gives no matches. I can avoid the error by changing the UPN suffix for the account to .local, but that's not an option for production.

How can I configure Spring Boot to not append the domain in the query?

I configured Spring Boot with Spring Security with the following setup (I followed this tutorial).

Relevant configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class MyWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Bean
    public AuthenticationProvider activeDirectoryAuthenticationProvider() {
        // Two-argument constructor (domain, url): the domain is appended to the login name when building the bind principal
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("company.local", "ldap://domaincontroller:389");
        // {0} is the bind principal (login name plus domain), which is what ends up in the search filter
        provider.setSearchFilter("(cn={0})");
        return provider;
    }
}
jared

1 Answer


I figured it out myself by using another constructor for ActiveDirectoryLdapAuthenticationProvider, setting the domain string to nothing and adding rootDN:

// Three-argument constructor (domain, url, rootDn): an empty domain stops the "@company.local" suffix from being appended, and rootDn is the search base
ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("", "ldap://domaincontroller:389", "DC=company,DC=local");
jared
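The complete configuration that the answer implies, written here as an added example (not the asker's or answerer's code): it uses the empty-domain constructor with the root DN from the question, and it goes one step beyond the answer by matching either the UPN or the CN so both login forms from the question resolve to the same user object. The class name, the constant names and the `@EnableWebSecurity`/form-login wiring are assumptions; the URL and base DN are the ones given on the page.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    // Values taken from the question; prefer ldaps:// in production so the
    // user's bind password is not sent to the domain controller in clear text.
    private static final String AD_URL = "ldap://domaincontroller:389";
    private static final String AD_ROOT_DN = "DC=company,DC=local";

    @Bean
    public AuthenticationProvider activeDirectoryAuthenticationProvider() {
        // Empty domain: the provider binds with exactly what the user typed
        // instead of appending "@company.local"; rootDn is where it searches.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider("", AD_URL, AD_ROOT_DN);
        // {0} is the bind principal and {1} the raw username; with an empty
        // domain they are identical. Accept the e-mail style login via the UPN
        // and the "firstname lastname" login via the CN, and keep the
        // objectClass=user restriction of the default filter so the search
        // can only resolve to user objects.
        provider.setSearchFilter(
                "(&(objectClass=user)(|(userPrincipalName={0})(cn={0})))");
        // Map AD sub-error codes (locked, expired, disabled) to specific
        // Spring Security exceptions instead of a generic bad-credentials error.
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(activeDirectoryAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();
    }
}
```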