Grails - ldap.rememberMe.usernameMapper.userDnBase (multiple instances of?) (searchSubtree search capability)
I have a Grails application using the latest spring-security-core:2.0-rc4 and spring-security-ldap:2.0-rc2. Users can log in using the `grails.plugin.springsecurity.ldap.search.base` setting for LDAP login authentication.

There is a different setting for the remember-me userDnBase (mapper); the setting is: `grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.userDnBase`

For LDAP authentication, `grails.plugin.springsecurity.ldap.search.base` is set to `ou=people,dc=sitcudy,dc=edu`. As mentioned above, logins work fine because there is a property called `searchSubtree` that I have set to true. Unfortunately, the `searchSubtree` setting does not hold true and carry through consistently within the 'remember-me' portion of the code (`.ldap.rememberMe`). The remember-me portion of the code uses a mapped base-of-operations DN, `grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.userDnBase`, set as a string in the Config.groovy file (the same as the authentication piece) to a base-of-operations DN of `ou=people,dc=sitcudy,dc=edu`, which gets mapped to the DN of the LDAP user upon returning to the application with a persistent cookie login.

Here's where the problem comes in: users are segregated into different DITs in our LDAP system. For example, some users are in `ou=staff,ou=people,dc=sitcudy,dc=edu` while other users are in `ou=students,ou=people,dc=sitcudy,dc=edu`. Therefore, because of the remember-me mapping, upon returning to the application, when verifying the cookie, the code tries to bind users in the format `uid=reuben_marcus,ou=people,dc=sitcudy,dc=edu`, which doesn't exist. What exists is `uid=reuben_marcus,ou=staff,ou=people,dc=sitcudy,dc=edu`; hence the cookie is destroyed and the login (IS_AUTHENTICATED_REMEMBERED) never occurs.

If I alter `grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.userDnBase` to `ou=staff,ou=people,dc=sitcudy,dc=edu`, the remember-me functionality works perfectly for staff members, but doesn't work for other people (students, faculty, etc.).

The main setting in question for me in this issue is: `grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.userDnBase`

Since it is a mapping, there isn't an allowance for multiple userDnBases or a searchSubtree search. How is the 'remember-me' code supposed to find users that do not fall under the base-of-operations DN setting?

I wonder if I'm doing something wrong, or if this is a feature request to have the 'remember me' code offer options for multiple mapped userDnBases, or allow it to have searchSubtree search capability.

Relevant settings from Config.groovy:
```groovy
grails.plugin.springsecurity.ldap.mapper.roleAttributes = 'sitprirole,uid'
grails.plugin.springsecurity.ldap.context.managerDn = 'uid=sps_bind,ou=people,dc=sitcudy,dc=edu'
grails.plugin.springsecurity.ldap.context.managerPassword = 'xxx'
grails.plugin.springsecurity.ldap.context.server = 'ldap://ds01.sitcudy.edu:389'
grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups,dc=sitcudy,dc=edu'
grails.plugin.springsecurity.ldap.search.base = 'ou=people,dc=sitcudy,dc=edu'
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugin.springsecurity.ldap.search.attributesToReturn = ['uid', 'sitprirole', 'mail', 'displayName']
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider']
grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = false
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugin.springsecurity.password.algorithm = 'SHA-256'
grails.plugin.springsecurity.rememberMe.persistent = true
grails.plugin.springsecurity.rememberMe.persistentToken.domainClassName = 'od.PersistentLogin'

// role-specific ldap config //
grails.plugin.springsecurity.ldap.useRememberMe = true
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.attributesToRetrieve = null
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.groupMemberAttributeName = 'uniqueMember'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.groupRoleAttributeName = 'cn'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.groupSearchBase = 'ou=groups,dc=sitcudy,dc=edu'
grails.plugin.springsecurity.ldap.rememberMe.detailsManager.passwordAttributeName = 'userPassword'
grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.userDnBase = 'ou=people,dc=sitcudy,dc=edu'
grails.plugin.springsecurity.ldap.rememberMe.usernameMapper.usernameAttribute = 'uid'
```
This problem is also mentioned here: grails - spring security plugin ldap: remember me not working
I found a workaround by registering a custom TokenBasedRememberMeServices bean in resources.groovy. I didn't utilize the persistent logins functionality available in the grails-spring-security-ldap plugin, because I found it incompatible with our Active Directory tree layout. It could probably be customized by extending LdapUserDetailsManager, but in my situation I found it unnecessary to store the token in the database.

I used the regular Spring Security remember-me cookie option without storing the user password in the cookie. I extended the following methods of TokenBasedRememberMeServices:

- makeTokenSignature: create the token signature without the password field
- processAutoLoginCookie: if the cookie exists, retrieve the username from the cookie token and fetch the LDAP user details (I had to write my own method, retrieveUserFromLdap(), explained later)
- onLoginSuccess: gets triggered when the user logs in with the remember-me option checked. Here I'm removing the password and saving the token signature to the cookie.

How to fetch the user details and roles from LDAP might depend on your specific implementation; my method looks like this:
```groovy
import grails.util.Holders
import org.springframework.security.core.userdetails.UserDetails

static protected UserDetails retrieveUserFromLdap(String username) {
    // Beans registered by the spring-security-ldap plugin
    def ldapUserSearch = Holders.applicationContext.getBean('ldapUserSearch')
    def userContextMapper = Holders.applicationContext.getBean('ldapUserDetailsMapper')
    def authoritiesPopulator = Holders.applicationContext.getBean('ldapAuthoritiesPopulator')

    // Searches under ldap.search.base (with searchSubtree), so the user's OU does not matter;
    // throws UsernameNotFoundException if no entry matches
    def userContext = ldapUserSearch.searchForUser(username)
    def userAuthorities = authoritiesPopulator.getGrantedAuthorities(userContext, username)
    userContextMapper.mapUserFromContext(userContext, username, userAuthorities)
}
```
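As an added example (not code from the question, the answer, or the plugin itself), here is a complete version of the subclass the answer describes, with the three overridden methods plus the `retrieveUserFromLdap()` helper, addressing the question's subtree problem: the user is re-resolved through the plugin's `ldapUserSearch` (which honours `search.searchSubtree`) rather than through a fixed `userDnBase`, so staff and students both resolve. It assumes the bean names `ldapUserSearch`, `ldapUserDetailsMapper` and `ldapAuthoritiesPopulator` from the answer, the Spring Security 3.2 `TokenBasedRememberMeServices` API shipped with spring-security-core 2.0, and a hypothetical package `od.security`. The signature uses SHA-256 instead of Spring's default MD5; that is an arbitrary choice here, since only this class computes and verifies it.

```groovy
package od.security  // hypothetical package, not from the page

import grails.util.Holders
import org.springframework.ldap.core.DirContextOperations
import org.springframework.security.core.Authentication
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.ldap.search.LdapUserSearch
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper
import org.springframework.security.web.authentication.rememberme.InvalidCookieException
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import java.security.MessageDigest

/**
 * Remember-me services for LDAP bind authentication: the cookie signature covers
 * expiry, username and the server-side key only (no password), and the user is
 * re-resolved through the plugin's subtree-capable ldapUserSearch instead of a
 * fixed userDnBase, so uid=x,ou=staff,... and uid=x,ou=students,... both work.
 */
class LdapTokenBasedRememberMeServices extends TokenBasedRememberMeServices {

    LdapTokenBasedRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService)
    }

    /** hex(SHA-256("expiry:username:key")); the password argument is ignored on purpose. */
    @Override
    protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
        byte[] data = "${tokenExpiryTime}:${username}:${getKey()}".getBytes('UTF-8')
        MessageDigest.getInstance('SHA-256').digest(data).encodeHex().toString()
    }

    /** Called after a successful interactive login with the remember-me box checked. */
    @Override
    void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,
                        Authentication successfulAuthentication) {
        String username = retrieveUserName(successfulAuthentication)
        if (!username) {
            logger.debug('Unable to retrieve username, not setting remember-me cookie')
            return
        }
        int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication)
        long expiryTime = System.currentTimeMillis() +
                1000L * (tokenLifetime < 0 ? TWO_WEEKS_S : tokenLifetime)
        String signature = makeTokenSignature(expiryTime, username, null)
        setCookie([username, Long.toString(expiryTime), signature] as String[],
                  tokenLifetime, request, response)
    }

    /** Called on a request that carries the remember-me cookie but has no session. */
    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
                                                 HttpServletResponse response) {
        if (cookieTokens.length != 3) {
            throw new InvalidCookieException("Cookie token did not contain 3 tokens, but ${cookieTokens.length}")
        }
        long tokenExpiryTime
        try {
            tokenExpiryTime = Long.parseLong(cookieTokens[1])
        } catch (NumberFormatException ignored) {
            throw new InvalidCookieException('Cookie token[1] did not contain a valid number')
        }
        if (isTokenExpired(tokenExpiryTime)) {
            throw new InvalidCookieException("Cookie token[1] has expired (${new Date(tokenExpiryTime)})")
        }
        // Verify the signature before touching the directory, so a forged cookie cannot
        // drive LDAP searches; MessageDigest.isEqual is a constant-time comparison.
        String expected = makeTokenSignature(tokenExpiryTime, cookieTokens[0], null)
        if (!MessageDigest.isEqual(expected.getBytes('UTF-8'), cookieTokens[2].getBytes('UTF-8'))) {
            throw new InvalidCookieException('Cookie token[2] signature mismatch')
        }
        // Subtree search under ldap.search.base; throws UsernameNotFoundException if the
        // entry is gone, which AbstractRememberMeServices turns into a cancelled cookie.
        retrieveUserFromLdap(cookieTokens[0])
    }

    /** Same lookup as the answer's helper, typed against the plugin's three LDAP beans. */
    protected static UserDetails retrieveUserFromLdap(String username) {
        def ctx = Holders.applicationContext
        LdapUserSearch userSearch = ctx.getBean('ldapUserSearch', LdapUserSearch)
        UserDetailsContextMapper mapper = ctx.getBean('ldapUserDetailsMapper', UserDetailsContextMapper)
        LdapAuthoritiesPopulator populator = ctx.getBean('ldapAuthoritiesPopulator', LdapAuthoritiesPopulator)

        DirContextOperations userContext = userSearch.searchForUser(username)
        Collection<? extends GrantedAuthority> authorities = populator.getGrantedAuthorities(userContext, username)
        mapper.mapUserFromContext(userContext, username, authorities)
    }
}
```

To wire it in, override the plugin's `rememberMeServices` bean in `grails-app/conf/spring/resources.groovy`, for example `def conf = SpringSecurityUtils.securityConfig` followed by `rememberMeServices(LdapTokenBasedRememberMeServices, conf.rememberMe.key, ref('userDetailsService')) { cookieName = conf.rememberMe.cookieName; tokenValiditySeconds = conf.rememberMe.tokenValiditySeconds; parameter = conf.rememberMe.parameter }` (bean name and config keys as the core plugin defines them; the `userDetailsService` reference is required by the constructor even though this class never calls it). Two consequences of dropping the password from the signature are worth knowing: a password change in LDAP no longer invalidates outstanding cookies, so `rememberMe.tokenValiditySeconds` and a strong, secret `rememberMe.key` are the only things bounding a stolen cookie's lifetime; and account status (disabled, locked, expired) is still enforced, because `AbstractRememberMeServices.autoLogin()` runs its `UserDetailsChecker` on whatever `processAutoLoginCookie()` returns.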