
I'm trying to implement REST services over an LDAP directory. Both have Kerberos-protected access. I already have working code (based on the Security Server Spnego and Form Auth Sample), which logs the user in and stores the authentication object in the user's session. Then I make a REST call to my app with the session ID and Spring Security passes it through - that's ok. But now in the REST controller I want to make an LDAP call on behalf of the logged-in user using, for example, Spring's LdapTemplate class. I have a KerberosUsernamePasswordAuthenticationToken instance from the user session. From it, how can I make the KerberosLdapContextSource which LdapTemplate needs to make LDAP calls?

Is such an approach correct and implementable at all? If so, could you please suggest some sample code?

  • Why do you explicitly need the creds of the user? Does the user have more permission in the directory? – Michael-O Jul 27 '23 at 19:11
  • Rather the opposite case - the user may have fewer rights than the app/service. And in order not to implement user authorization in the application and to shift this responsibility to the directory itself. – Artur Satarov Jul 29 '23 at 16:54
  • I don't see a problem here. Regular users never ever have write access to Active Directory. I'd never elevate a personal account to write to AD, only a specific, ACL'ed functional account. A user account can read the entire DIT. I don't see a problem here you cannot solve without the system keytab or the service keytab. Yet another problem, you cannot pool those connections. – Michael-O Aug 01 '23 at 13:50

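The thread has no posted answer. The following is an added example, not code from the question or from the Spring Security Kerberos project, showing one way to run the LDAP query as the logged-in user. Instead of building a KerberosLdapContextSource (which is designed around a service keytab and JAAS login config), it takes the JAAS Subject that KerberosUsernamePasswordAuthenticationToken carries after form login and runs a plain LdapTemplate, configured for a SASL GSSAPI bind, inside Subject.doAs, so the directory applies the user's own read ACLs. It assumes the form-login setup from the question (the Kerberos provider stores the user's TGT in the token's Subject), an LDAP server that accepts GSSAPI binds with auth-conf, and hypothetical values for LDAP_URL, BASE_DN and the sAMAccountName/memberOf attribute names.

```java
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.kerberos.authentication.KerberosUsernamePasswordAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DirectoryController {

    // Hypothetical directory server and search base; replace with your own.
    private static final String LDAP_URL = "ldap://dc.example.test:389";
    private static final String BASE_DN = "dc=example,dc=test";

    /** Makes Spring LDAP bind with SASL GSSAPI instead of a simple DN/password bind. */
    static final class GssapiAuthenticationStrategy implements DirContextAuthenticationStrategy {
        @Override
        public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password) {
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Require integrity and confidentiality on the session, not just authentication.
            env.put("javax.security.sasl.qop", "auth-conf");
            // The identity comes from the JAAS Subject active during the bind, not from these keys.
            env.remove(Context.SECURITY_PRINCIPAL);
            env.remove(Context.SECURITY_CREDENTIALS);
        }

        @Override
        public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password) {
            return ctx;
        }
    }

    private final LdapTemplate ldap;

    public DirectoryController() throws Exception {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(LDAP_URL);
        cs.setBase(BASE_DN);
        cs.setAuthenticationStrategy(new GssapiAuthenticationStrategy());
        // Each connection is bound as one particular user, so connections must not be shared.
        cs.setPooled(false);
        cs.afterPropertiesSet();
        this.ldap = new LdapTemplate(cs);
    }

    @GetMapping("/api/me/groups")
    public List<String> myGroups() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof KerberosUsernamePasswordAuthenticationToken)) {
            throw new IllegalStateException("session was not established by Kerberos form login");
        }
        KerberosUsernamePasswordAuthenticationToken token = (KerberosUsernamePasswordAuthenticationToken) auth;
        Subject subject = token.getJaasSubject();
        requireCurrentTgt(subject);

        // EqualsFilter escapes the value, so a crafted username cannot change the filter's meaning.
        String filter = new EqualsFilter("sAMAccountName", token.getName()).encode();

        // Code inside doAs sees the user's TGT, so the GSSAPI bind runs as that user and the
        // directory decides what this user is allowed to read.
        List<String[]> perEntry = Subject.doAs(subject, (PrivilegedAction<List<String[]>>) () ->
            ldap.search("", filter,
                (ContextMapper<String[]>) ctx -> ((DirContextOperations) ctx).getStringAttributes("memberOf")));

        List<String> groups = new ArrayList<>();
        for (String[] memberOf : perEntry) {
            if (memberOf != null) {
                for (String dn : memberOf) {
                    groups.add(dn);
                }
            }
        }
        return groups;
    }

    /** The HTTP session can outlive the ticket; fail clearly instead of with an opaque GSSAPI error. */
    private static void requireCurrentTgt(Subject subject) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (ticket.getServer().getName().startsWith("krbtgt/") && ticket.isCurrent()) {
                return;
            }
        }
        throw new CredentialsExpiredException("Kerberos ticket expired; log in again");
    }
}
```

Two caveats follow from the comments above: the connection carries a single user's identity, so pooling is disabled rather than shared across requests; and the user's TGT lives only as long as the KDC allowed, so a long-lived web session must be prepared for the directory call to stop working and force a fresh login.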
0 Answers