
Spring Security - MVC: Using an LDAP Authentication Provider

In this tutorial we will set up a simple Spring MVC 3 application, secured by Spring Security. Our users will be authenticated against an LDAP provider, and we'll explore how to configure an LDAP authentication provider. To avoid repeating steps, this tutorial builds on our existing tutorials: the overall structure of the application is based on Spring Security 3 - MVC: Using a Simple User-Service Tutorial. This is a good exercise to show how easily we can change providers without disrupting the whole flow of the existing system. The LDAP server and entries are based on LDAP - Apache Directory Studio: A Basic Tutorial.

What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing directories over an IP network. A directory is an organized set of records. For example, the telephone directory is an alphabetical list of persons and organizations, with each record having an address and phone number. A directory information tree often follows political, geographic, or organizational boundaries. LDAP directories often use Domain Name System (DNS) names for the highest levels. Deeper inside the directory might appear entries for people, departments, teams, printers, and documents.

Source: http://en.wikipedia.org/wiki/LDAP
If this is your first time with LDAP, you might be wondering how it differs from an RDBMS. I suggest my readers visit the following article: Should I Use a Directory, a Database, or Both?

We'll start immediately with the spring-security.xml configuration.

spring-security.xml

Honestly, this is the only file that you need to change from the Spring Security 3 - MVC: Using a Simple User-Service Tutorial.

Actually, we just deleted a couple of entries. The old configuration contains an in-memory user-service provider:

The new configuration contains an LDAP authentication provider:

The really tricky part here is ensuring that you can connect to your LDAP server and that the attribute names in your ldap-authentication-provider are mapped correctly onto the LDAP Directory Information Tree.

To get a better understanding, let's examine the directory structure of the server. You will gain more insight if you've first read LDAP - Apache Directory Studio: A Basic Tutorial.

Here's the server's structure:

mojo
|
|--groups
| |
| |--Admin
| |--User
|
|--users
|
|--guy1
|--guy2
|--guy3
|--guy4

Here's a screenshot of the server's directory:

Let's focus on the elements of the ldap-authentication-provider.

The attribute value user-search-filter="(uid={0})" corresponds to the uid attribute we've declared for the users.
The {0} in (uid={0}) will be replaced by the username entered in the login form.

The value user-search-base="ou=users" corresponds to the users organizational unit we've declared in the directory tree; it is relative to the base o=mojo given in the server URL.

The attribute value group-search-filter="(uniqueMember={0})" corresponds to the uniqueMember attribute we've declared for the groups.
The {0} in (uniqueMember={0}) represents the Distinguished Name (DN) of the authenticated user. In our sample data, the DN for Hugo Williams is cn=Hugo Williams,ou=users,o=mojo. The DN is analogous to a primary key in a relational database.

The value group-search-base="ou=groups" corresponds to the groups organizational unit we've declared in the directory tree.

The attribute value group-role-attribute="cn" corresponds to the cn attribute we've declared for the groups. Spring Security uses the value of this attribute to determine the authorization level of the user.

The value role-prefix="ROLE_" indicates which prefix should be added to the values read from group-role-attribute="cn". If you examine the server's structure carefully, we have two roles declared as cn=Admin and cn=User.
The values returned are Admin and User. With role-prefix="ROLE_", they become ROLE_ADMIN and ROLE_USER respectively (Spring Security upper-cases the group name before adding the prefix).

The LDAP Server
Let's examine the ldap-server tag.

The url ldap://localhost:10389/o=mojo is composed of the server's URL and port, ldap://localhost:10389/, and the base parent path, o=mojo. All search bases above (ou=users, ou=groups) are resolved relative to this base.

The attribute manager-dn="uid=admin,ou=system" is the Distinguished Name of the account Spring Security binds with to perform the user and group searches. Normally your administrator will provide you with a dedicated account for this, but for this tutorial we rely on the default values to keep things simple.
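Since the configuration snippets did not survive on this page, here is an added spring-security.xml that ties together the ldap-authentication-provider attributes and the ldap-server tag discussed above. It is an example written for this page, not the project's own file: the manager-password value and the intercept-url rules are assumptions, and the schema versions are those of the Spring Security 3.0 namespace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Connection to the directory. The URL carries the base DN (o=mojo);
         every search base below is relative to it.
         manager-password is a placeholder: substitute the real bind password. -->
    <ldap-server url="ldap://localhost:10389/o=mojo"
                 manager-dn="uid=admin,ou=system"
                 manager-password="CHANGE-ME" />

    <authentication-manager>
        <!-- Step 1: find the user entry under ou=users where uid equals the
             submitted username ({0}).
             Step 2: find groups under ou=groups whose uniqueMember attribute
             contains the user's DN ({0}).
             Step 3: take each group's cn, upper-case it and add ROLE_,
             giving ROLE_ADMIN and ROLE_USER for the sample tree. -->
        <ldap-authentication-provider
            user-search-filter="(uid={0})"
            user-search-base="ou=users"
            group-search-filter="(uniqueMember={0})"
            group-search-base="ou=groups"
            group-role-attribute="cn"
            role-prefix="ROLE_" />
    </authentication-manager>

    <!-- Assumed URL rules showing how the derived roles are consumed. -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </http>
</beans:beans>
```

Two things to check when adapting this: the bind password should come from an externalized property rather than sit in the file, and a plain ldap:// URL sends that bind password and every user's password in the clear, so outside a local lab point the url at ldaps:// (or enable StartTLS on the server) before the first real login.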

That's it. We've set up a simple Spring MVC 3 application, secured by Spring Security, whose users are authenticated against an LDAP provider. We've also explored how the various attributes map onto an existing directory structure, which means we can customize the mappings and use different attribute names when the directory requires it.

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring-security-ldap/

You can download the project as a Maven build. Look for spring-security-ldap.zip in the Downloads section.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run
