
I'm trying to implement Spring Boot LDAP Security, and I'm using the unboundid-ldapsdk embedded LDAP server for testing (like the tutorial here). I configured the web security to use LDAP Binding for authentication, and tested successfully using plaintext passwords. But if I change the password to a hashed version, the authentication fails. Am I missing some configuration?

Here's my security configuration:

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter
{

    ...

    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder)
        throws Exception
    {
        authenticationManagerBuilder.
            ldapAuthentication().
                userSearchFilter(this.ldapUserSearchFilter).
                userSearchBase(this.ldapUserSearchBase).
                contextSource(this.contextSource()).
                ldapAuthoritiesPopulator(this.authoritiesPopulator());
    }


    @Bean
    public DefaultSpringSecurityContextSource contextSource()
    {
        DefaultSpringSecurityContextSource securityContextSource =
            new DefaultSpringSecurityContextSource(
                Collections.singletonList(this.ldapUrl),
                this.ldapBaseDn);
        return securityContextSource;
    }

    ...

}

The embedded LDAP properties:

spring.ldap.embedded.ldif=classpath:ldap-test.ldif
spring.ldap.embedded.base-dn=dc=testing,dc=com
spring.ldap.embedded.port=8389

And the LDIF file:

dn: dc=testing,dc=com
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: testing

dn: ou=TestingUsers,dc=testing,dc=com
objectclass: top
objectclass: organizationalUnit
ou: TestingUsers

dn: uid=testingUser,ou=TestingUsers,dc=testing,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Blah_1
sn: Blah_2
uid: testingUser
userPassword: pass

Using these settings, I can authenticate with the username testingUser and password pass. But if I use the hashed password:

userPassword: {SHA}9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684

I cannot authenticate, and get this exception:

javax.naming.AuthenticationException: [LDAP: error code 49 - Unable to bind as user 'uid=testingUser,ou=TestingUsers,dc=testing,dc=com' because the provided password was incorrect.]

Thank you for your help!

UPDATE:

I found that with hashed passwords, I can authenticate by entering the hash itself, rather than the original password. So maybe unboundid-ldapsdk does not recognize the {SHA} notation?

2 Answers

I just stumbled upon the same problem and I filed a bug since hashed passwords seem not to be handled correctly by the library (I'm not sure whether they are supported at all).


If you set a password encoder, then Spring Security will wire a PasswordComparisonAuthenticator instead of binding to the LDAP server:

authenticationManagerBuilder
    .ldapAuthentication()
        .passwordEncoder(new LdapShaPasswordEncoder())
        // ...

Note that as of Spring Security 6, publishing the AuthenticationManager directly is preferred:

@Bean
AuthenticationManager ldapAuthenticationManager(
        BaseLdapPathContextSource contextSource) {
    LdapPasswordComparisonAuthenticationManagerFactory factory =
        new LdapPasswordComparisonAuthenticationManagerFactory(
            contextSource, new LdapShaPasswordEncoder());
    // ...
    return factory.createAuthenticationManager();
}

You can follow this same pattern using any of Spring Security's password encoders, BCryptPasswordEncoder and others being more common these days.
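To make the password-comparison path concrete, here is an added Python example (not from the question, the answer, or Spring Security) of the RFC 2307 `{SHA}`/`{SSHA}` userPassword encoding that a comparison authenticator such as LdapShaPasswordEncoder checks after reading the entry's userPassword attribute; it uses the question's cleartext password pass and its hex digest as inputs. The scheme stores the digest base64-encoded, so the hex form in the question's LDIF does not match under comparison either.

```python
import base64
import binascii
import hashlib
import hmac
import os

# RFC 2307 userPassword values: "{SHA}" + base64(sha1(pw)) and
# "{SSHA}" + base64(sha1(pw + salt) + salt). A comparison authenticator
# reads the attribute and performs this check client-side instead of binding.


def encode_sha(password: str) -> str:
    """Return an unsalted {SHA} value for a userPassword attribute."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: bytes = None) -> str:
    """Return a salted {SSHA} value; the salt is appended after the digest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Compare a cleartext password against a stored userPassword value."""
    if not stored.startswith("{"):
        # No scheme prefix: the entry holds cleartext, as in the question's LDIF.
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return False  # payload is not base64, so it cannot be a valid digest
    pw = password.encode("utf-8")
    if scheme.upper() == "SHA":
        if len(raw) != 20:  # a 40-char hex digest decodes to 30 bytes, not 20
            return False
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme.upper() == "SSHA":
        if len(raw) <= 20:  # must carry a digest plus at least one salt byte
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # other schemes (e.g. {BCRYPT}) need a different encoder


if __name__ == "__main__":
    print(encode_sha("pass"))                  # {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
    print(verify(encode_sha("pass"), "pass"))  # True
    # Hex digest from the question's LDIF: wrong encoding for the {SHA} scheme.
    print(verify("{SHA}9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684", "pass"))  # False
```

Prefer `{SSHA}` or a modern encoder over unsalted `{SHA}` for anything beyond a test fixture; the unsalted form is trivially reversible from precomputed tables.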
