How to authenticate user against Active Directory from java?

0
votes

I need to authenticate users against Active Directory from java. In order to understand what is going on under the hood I've started with openldap docker instance and spring tutorial from here: https://spring.io/guides/gs/authenticating-ldap/

What I understand from many debug sessions is that Spring retrieves password attribute from ldap and compares it with hashed user password or it just filters users by uid and hashed password and if there is an entry then the password is correct.

Ok, sounds good. Now I'm trying to do the same thing against Active Directory. The problem is is that when I retrieve user from it, it gives me many attributes, but it doesn't give me any attribute which look like hashed password. So maybe Active Directory doesn't allow to get password attribute and I should filter users by this attribute. But I don't know it's name and don't know where to get it.

So my questions are: 1. Do I understand everything right? 2. Do I need to just filter users by uid and hashed password? 3. If the second one is correct, then what is the query for users filtration? 4. If the second one is not correct, then what did I understand wrong and how should I authenticate users against Active Directory from java?

1
javaspringauthenticationactive-directory

1 Answers

2
votes

I would proceed with using the bind authentication approach with Active Directory. I have used this approach in the past without any problems against Active Directory (or ADAM). With a bind scenario you simply use the username and password supplied by the user and allow the LDAP instance to perform the comparison (authentication). Here is reference section from Spring Documentation:

18.3.2 Using Bind Authentication

This is the most common LDAP authentication scenario.

This simple example would obtain the DN for the user by substituting the user login name in the supplied pattern and attempting to bind as that user with the login password. This is OK if all your users are stored under a single node in the directory. If instead you wished to configure an LDAP search filter to locate the user, you could use the following:

If used with the server definition above, this would perform a search under the DN ou=people,dc=springframework,dc=org using the value of the user-search-filter attribute as a filter. Again the user login name is substituted for the parameter in the filter name. If user-search-base isn't supplied, the search will be performed from the root.

You may want to read through the content regarding LDAP Authentication (Chapter 18 in Spring 3.x Documentation). There may be other information you find useful.