Latest Posts

Java LDAP Authentication and Integration

Posted on by Rishan Solutions

Loading

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information services, such as user authentication and authorization. In Java, you can integrate LDAP for authentication using libraries like Spring Security LDAP or Java Naming and Directory Interface (JNDI). Below is a step-by-step guide to implementing LDAP authentication in a Java application.

1. Add Dependencies

If you’re using Spring Boot, include the Spring Security LDAP dependency in your pom.xml (for Maven) or build.gradle (for Gradle).

Maven:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-ldap</artifactId>
</dependency>
<dependency>
    <groupId>com.unboundid</groupId>
    <artifactId>unboundid-ldapsdk</artifactId>
    <version>6.0.6</version>
</dependency>

Gradle:

implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-data-ldap'
implementation 'com.unboundid:unboundid-ldapsdk:6.0.6'

2. Configure LDAP in application.properties

Define the LDAP server connection details in your application.properties or application.yml.

Example:

# LDAP server URL
spring.ldap.urls=ldap://localhost:389

# Base DN for user search
spring.ldap.base=dc=example,dc=com

# User DN for binding to the LDAP server
spring.ldap.username=cn=admin,dc=example,dc=com

# Password for binding to the LDAP server
spring.ldap.password=adminpassword

3. Implement LDAP Authentication with Spring Security

Configure Spring Security to use LDAP for authentication.

Example Configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll() // Allow public access
                .anyRequest().authenticated() // Require authentication for all other endpoints
            )
            .formLogin(); // Enable form-based login
        return http.build();
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        return new ActiveDirectoryLdapAuthenticationProvider("example.com", "ldap://localhost:389");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

4. Custom LDAP Authentication with JNDI

If you’re not using Spring Security, you can use Java’s JNDI API to interact with an LDAP server.

Example:

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

public class LdapAuthentication {

    public static void main(String[] args) {
        String username = "user1";
        String password = "password123";

        if (authenticate(username, password)) {
            System.out.println("Authentication successful!");
        } else {
            System.out.println("Authentication failed.");
        }
    }

    public static boolean authenticate(String username, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=" + username + ",dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, password);

        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }
}

5. LDAP User Details Service

You can customize how user details are loaded from LDAP by implementing a custom UserDetailsService.

Example:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

@Configuration
public class LdapConfig {

    @Bean
    public UserDetailsService userDetailsService() {
        return new LdapUserDetailsService(userDetailsContextMapper());
    }

    @Bean
    public UserDetailsContextMapper userDetailsContextMapper() {
        return (ctx, username) -> {
            // Custom logic to map LDAP attributes to UserDetails
            return new CustomUserDetails(username);
        };
    }

    static class CustomUserDetails implements UserDetails {
        private final String username;

        public CustomUserDetails(String username) {
            this.username = username;
        }

        @Override
        public String getUsername() {
            return username;
        }

        @Override
        public String getPassword() {
            return null; // Password is not stored in UserDetails
        }

        @Override
        public boolean isAccountNonExpired() {
            return true;
        }

        @Override
        public boolean isAccountNonLocked() {
            return true;
        }

        @Override
        public boolean isCredentialsNonExpired() {
            return true;
        }

        @Override
        public boolean isEnabled() {
            return true;
        }
    }
}

6. Testing LDAP Authentication

To test LDAP authentication:

  1. Set up an LDAP server (e.g., Apache Directory Server or OpenLDAP).
  2. Add users and groups to the LDAP directory.
  3. Run your Java application and verify authentication.

7. Best Practices

  • Use secure connections (LDAPS) to encrypt communication with the LDAP server.
  • Store LDAP connection details (e.g., URLs, credentials) securely (e.g., environment variables or secrets manager).
  • Implement proper error handling for LDAP operations.
  • Regularly update LDAP libraries and dependencies.

Leave a Reply

Your email address will not be published. Required fields are marked *