I am working on implementing Spring Security into my project. I need to use the username which Spring Security extracts from the certificate CN as the uid on the LDAP server. I am not sure of the proper way to approach this problem. I am unsure how to pass the CN value from the X.509 certificate into the LDAP authenticator. Anyone done this before or have any ideas?
Note: I do not need to pass the entire certificate to the LDAP server as they aren’t stored there, only the username from the CN.
Edit: Here is some of the configuration in my spring security xml file:
<http>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <anonymous />
    <x509 subject-principal-regex="CN=(.*?)," /> <!-- user-service-ref needed? -->
</http>

<ldap-server id="ldapServer" url="ldap://localhost:389/dc=example,dc=com" manager-dn="cn=manager,dc=example,dc=com" manager-password="myPassword" />

<authentication-manager>
    <ldap-authentication-provider
        user-dn-pattern="uid={0},ou=people"
        user-search-filter="(uid={0})"
        user-search-base="ou=people,dc=example,dc=com"
        group-search-filter="(member={0})"
        group-search-base="ou=groups"
        group-role-attribute="cn" />
</authentication-manager>
You should use an ldap-user-service. Here's an example configuration from the Spring Security test suite. Spring Security should then automatically substitute the username it extracts from the certificate CN in place of the {0} marker in the LDAP search filter.

The ldap-authentication-provider element is intended for authenticating users with a username and password, which isn't what you want with X.509, where the validation of the certificate by the container is regarded as performing the authentication.

Spring Security's X.509 authentication filter needs a UserDetailsService to load information for the user, so you need one in your configuration. As explained in the manual you don't need to use the user-service-ref attribute if there is only one, so just adding an ldap-user-service declaration should be sufficient.
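As an added example (not the questioner's or the answerer's configuration), this is the question's fragment after following the answer: the ldap-authentication-provider is replaced by an ldap-user-service that the x509 element uses to look up the certificate CN. It uses the same default security namespace as the question; the LDAP URL, DNs and manager credentials are the question's placeholder values, and tightening the access attribute to IS_AUTHENTICATED_FULLY is an assumption about what the asker wants.

```xml
<!-- Added example, not from the question or the answer. -->
<http>
    <!-- Assumption: every request must carry a valid client certificate. With the
         question's IS_AUTHENTICATED_ANONYMOUSLY plus <anonymous/>, a request without a
         certificate is still served as the anonymous user, so nothing enforces it. -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <!-- Group 1 of the regex becomes the principal substituted for {0} below.
         Spring Security's default pattern CN=(.*?)(?:,|$) also matches when CN is the
         last RDN of the subject; the question's CN=(.*?), requires a trailing comma.
         user-service-ref is explicit here; the answer notes it can be omitted when
         this is the only UserDetailsService in the context. -->
    <x509 subject-principal-regex="CN=(.*?)(?:,|$)" user-service-ref="ldapUserService" />
</http>

<!-- Unchanged from the question: the root DN in the URL is the base for the
     relative search bases below. -->
<ldap-server id="ldapServer" url="ldap://localhost:389/dc=example,dc=com"
             manager-dn="cn=manager,dc=example,dc=com" manager-password="myPassword" />

<!-- Replaces ldap-authentication-provider: finds the entry whose uid equals the
     certificate CN and loads its group memberships as roles, but never binds with a
     password, because the container's TLS client-certificate check already
     authenticated the user. Search bases are relative to dc=example,dc=com, as the
     question's group-search-base already is. -->
<ldap-user-service id="ldapUserService"
                   server-ref="ldapServer"
                   user-search-base="ou=people"
                   user-search-filter="(uid={0})"
                   group-search-base="ou=groups"
                   group-search-filter="(member={0})"
                   group-role-attribute="cn" />

<!-- No username/password provider is declared; the x509 element registers a
     pre-authenticated provider backed by the user service above. -->
<authentication-manager />
```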