0
votes

With reference to the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider, which we use to perform Active Directory authentication in all of our web applications, I have been asked the following question by our customer, and it raises a doubt for me:

What is the security protocol used during authentication – LDAP SSL / NTLM / KERBEROS ? If you are just using LDAP and not LDAPS (secure LDAP) then it would be a concern as we would then be transmitting credentials in clear text between the web server and Active Directory.

Example configuration:

    <b:bean id="adAuthenticationProvider"
        class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        <b:constructor-arg value="${ldap.domain}" />
        <b:constructor-arg value="${ldap.url}" />
        <b:property name="userDetailsContextMapper" ref="adUserDetailsContextMapper" />
        <b:property name="convertSubErrorCodesToExceptions" value="false" />
    </b:bean>

Now that I think about it, none of us in my development team ever cared about the security of the AD password (most of our customers don't even enforce SSL).

I can't find a reference in the Spring documentation. The Spring Security LDAP version is 3.2.5.

Does somebody know if and how Spring LDAP protects the password when authenticating against Active Directory?


1 Answer

0
votes

Wireshark said the password is sent in plaintext with those settings.
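What Wireshark is showing, as an added example that is not part of the question, the answer, or Spring Security's own code: ActiveDirectoryLdapAuthenticationProvider authenticates by binding to the directory as the user (JNDI "simple" authentication) with the principal and password the user typed, so an LDAP BindRequest carrying that password is what crosses the wire between the web server and the domain controller. The block below encodes that BindRequest the way the client does (BER per RFC 4511) and then parses it back the way a sniffer on the path does. The domain, user name and password are constructed sample data; nothing here contacts a real server.

```python
"""Added example: an LDAP simple bind on the wire, and what a sniffer recovers from it.
Encodes the BindRequest a simple-bind client sends (BER, RFC 4511) and decodes it
back, which is exactly what Wireshark's LDAP dissector does over ldap://.
Sample principal/password below are constructed, not real credentials."""


# --- minimal BER helpers (a BindRequest only needs these forms) -----------------

def _ber_length(n: int) -> bytes:
    """BER length: short form below 0x80, long form (0x8N + N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag + length + value."""
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _integer(value: int) -> bytes:
    """BER INTEGER for a non-negative value (leading 0x00 added when the high bit is set)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return _tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one tag/length/value starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- client side: the PDU a simple bind writes to the socket ---------------------

def build_simple_bind(message_id: int, principal: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    bind_request = (
        _integer(version)
        + _tlv(0x04, principal.encode("utf-8"))   # name: LDAPDN / OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))    # authentication: simple [0], the raw password
    )
    # 0x60 = APPLICATION 0, constructed; 0x30 = the outer LDAPMessage SEQUENCE
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind_request))


# --- sniffer side: what anyone on the network path recovers ---------------------

def sniff_simple_bind(pdu: bytes):
    """Return (message_id, principal, password) if pdu is a simple BindRequest, else None."""
    tag, message, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x60:
        return None                          # some other protocolOp (search, unbind, ...)
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, creds, _ = _read_tlv(op, pos)
    if tag != 0x80:
        return None                          # SASL bind ([3], tag 0xA3): no cleartext password field
    return int.from_bytes(mid, "big"), name.decode("utf-8"), creds.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: what a simple bind for domain corp.example puts on the wire.
    captured = build_simple_bind(1, "jdoe@corp.example", "Winter2024!")
    print(captured.hex())
    print(sniff_simple_bind(captured))
```

With an ldap:// URL the bytes produced by build_simple_bind travel as-is on TCP 389, so sniff_simple_bind (or Wireshark) reads the password straight out of the simple [0] field; only the BER framing stands between an observer and the credential. With an ldaps:// URL the same PDU is written inside a TLS session on TCP 636 and a capture shows only ciphertext, which is the LDAPS option the customer's question refers to. Note the 0xA3 branch: a SASL bind (Kerberos/GSSAPI) would carry a different structure, but that is not what a simple bind sends.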