How to get LDAP connection string for my ActiveDirectory


Solution 1

The Active Directory Explorer (AdExplorer) utility from the Microsoft Windows Sysinternals suite can help you find the DN and search base information you need.

AD Explorer

But it's better to learn some LDAP concepts to get more control, for example if you want to add more search filters (search.filter) or get more attributes (search.attributesToReturn) in search results (e.g. you want the user's phoneNumber too). Useful links:

Solution 2

By far the most important thing with Grails and AD is to use ActiveDirectoryLdapAuthenticationProvider rather than LdapAuthenticationProvider, as it will save a world of pain. You can then set up AD authentication in just a few lines:

In resources.groovy:

import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider

// Domain 1: constructor arguments are the AD domain name and the LDAP URL of the domain controller
ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain.com",
        "ldap://mydomain.com/"
)

// Domain 2: a second provider for a second domain
ldapAuthProvider2(ActiveDirectoryLdapAuthenticationProvider,
        "mydomain2.com",
        "ldap://mydomain2.com/"
)

In Config.groovy:

grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1', 'ldapAuthProvider2']

This is all the code you need. You can pretty much remove all other grails.plugin.springsecurity.ldap.* settings in Config.groovy as they don't apply to this AD setup.

For some documentation, see: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ldap-active-directory
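As an added example (not code from either answer or from the Grails plugin), the Python helpers below derive the values the question's config template asks for from the facts listed there (domain bold.foo.bar, domain controller at 10.10.10.90, user USERA): the dc= search base from the domain name, which is the same form ActiveDirectoryLdapAuthenticationProvider derives its root DN in; the sAMAccountName={0} filter with the login name escaped per RFC 4515, so a name containing filter metacharacters cannot alter the query; and the recursive group filter using the 1.2.840.113556.1.4.1941 matching rule. Function names are my own, and the ldaps:// variant is included because the plain ldap:// URL in the question sends the manager and user passwords in clear text.

```python
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD recursive-membership rule OID


def search_base_from_domain(domain):
    """'bold.foo.bar' -> 'dc=bold,dc=foo,dc=bar' (the plugin's search.base value)."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\" or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)  # e.g. '*' -> '\2a'
        else:
            out.append(chr(byte))
    return "".join(out)


def user_filter(template, username):
    """Fill the plugin's {0} placeholder with an escaped login name from the login form."""
    return template.replace("{0}", escape_filter_value(username))


def group_filter(member_dn, recursive=True):
    """Group search filter for a user's DN; recursive uses LDAP_MATCHING_RULE_IN_CHAIN."""
    attr = "member:%s:" % LDAP_MATCHING_RULE_IN_CHAIN if recursive else "member"
    return "(%s=%s)" % (attr, escape_filter_value(member_dn))


def ldap_url(host, use_tls=False):
    """The plugin's context.server value; ldaps:// keeps credentials off the wire in clear."""
    scheme, port = ("ldaps", 636) if use_tls else ("ldap", 389)
    return "%s://%s:%d/" % (scheme, host, port)


def ldap_settings(domain, host, username):
    # Assemble the settings the question lists, for the constructed BOLD domain example.
    base = search_base_from_domain(domain)
    return {
        "server": ldap_url(host),
        "search.base": base,
        "search.filter": user_filter("sAMAccountName={0}", username),
        "groupSearchBase": base,
        "groupSearchFilter": "(member:%s:={0})" % LDAP_MATCHING_RULE_IN_CHAIN,
    }
```

Calling ldap_settings("bold.foo.bar", "10.10.10.90", "USERA") yields the server URL ldap://10.10.10.90:389/ and search base dc=bold,dc=foo,dc=bar; the "{0}" in the group filter is left for the plugin to substitute with the authenticated user's DN.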

Author: Omnipresent

Updated on September 18, 2022

Comments

  • Omnipresent, over 1 year ago

    I am trying to get Grails LDAP plugin to work with my Active Directory.

    The plugin requires a lot of things which I'm not really familiar with as I don't know much about Active Directory.

    Here are the things required by the plugin:

    // LDAP config
    grails.plugins.springsecurity.ldap.context.managerDn = '[distinguishedName]'
    grails.plugins.springsecurity.ldap.context.managerPassword = '[password]'
    grails.plugins.springsecurity.ldap.context.server = 'ldap://[ip]:[port]/'
    grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
    grails.plugins.springsecurity.ldap.search.base = '[the base directory to start the search.  usually something like dc=mycompany,dc=com]'
    grails.plugins.springsecurity.ldap.search.filter="sAMAccountName={0}" // for Active Directory you need this
    grails.plugins.springsecurity.ldap.search.searchSubtree = true
    grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
    grails.plugins.springsecurity.ldap.search.attributesToReturn = ['mail', 'displayName'] // extra attributes you want returned; see below for custom classes that access this data
    grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider'] // specify this when you want to skip attempting to load from db and only use LDAP
    
    // role-specific LDAP config
    grails.plugins.springsecurity.ldap.useRememberMe = false
    grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = true
    grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='[the base directory to start the search.  usually something like dc=mycompany,dc=com]'
    // If you don't want to support group membership recursion (groups in groups), then use the following setting
    // grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}' // Active Directory specific
    // If you wish to support groups with group as members (recursive groups), use the following
    grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = '(member:1.2.840.113556.1.4.1941:={0})' // Active Directory specific
    

    I'm using Windows 2008 Server and know the following:

    IP = 10.10.10.90
    Name = bold.foo.bar (This is what I see under Active Directory Users and Computers)
    Domain = `BOLD`
    Group = `MANAGERS`
    Users = USERA (part of MANAGERS group) and USERB (not part of MANAGERS group)
    

    Question

    Can I get some help on filling in some/most of the configurations required? I have access to the Active Directory Domain Services in Server Manager so if most of the information will come out of there, I can get it.

    PS: I don't have the luxury of a Sys Admin helping me on this. So I'm the developer left filling both roles :)

    • Admin, over 11 years ago
      Some of these are already filled out (search.searchSubtree, search.filter); others will depend upon your environment's configuration, and these appear in square brackets. Which line specifically are you not sure about? Your title mentions "LDAP connection string", but you've got about 20 lines of config here.