LDAP: add admin auth and search filter (#1403)

Co-authored-by: Roman Zabaluev <rzabaluev@provectus.com>
2022-01-28 13:33:27 +01:00 · 2022-01-28 13:33:27 +01:00 · 2c6a197cb3
commit 2c6a197cb3
parent afca54d374
2 changed files with 29 additions and 2 deletions
--- a/docker/auth-ldap.yaml
+++ b/docker/auth-ldap.yaml
@ -29,6 +29,14 @@ services:
      AUTH_TYPE: "LDAP"
      SPRING_LDAP_URLS: "ldap://ldap:10389"
      SPRING_LDAP_DN_PATTERN: "cn={0},ou=people,dc=planetexpress,dc=com"
+#     USER SEARCH FILTER INSTEAD OF DN
+#     SPRING_LDAP_USERFILTER_SEARCHBASE: "dc=planetexpress,dc=com"
+#     SPRING_LDAP_USERFILTER_SEARCHFILTER: "(&(uid={0})(objectClass=inetOrgPerson))"
+#     LDAP ADMIN USER
+#     SPRING_LDAP_ADMINUSER: "cn=admin,dc=planetexpress,dc=com"
+#     SPRING_LDAP_ADMINPASSWORD: "GoodNewsEveryone"
+
+

  ldap:
    image: rroemhild/test-openldap:latest
--- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
+++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
@ -16,6 +16,8 @@ import org.springframework.security.config.annotation.web.reactive.EnableWebFlux
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.ldap.authentication.BindAuthenticator;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.ldap.search.LdapUserSearch;
 import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@ -26,13 +28,28 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {

  @Value("${spring.ldap.urls}")
  private String ldapUrls;
-  @Value("${spring.ldap.dn.pattern}")
+  @Value("${spring.ldap.dn.pattern:#{null}}")
  private String ldapUserDnPattern;
+  @Value("${spring.ldap.adminUser:#{null}}")
+  private String adminUser;
+  @Value("${spring.ldap.adminPassword:#{null}}")
+  private String adminPassword;
+  @Value("${spring.ldap.userFilter.searchBase:#{null}}")
+  private String userFilterSearchBase;
+  @Value("${spring.ldap.userFilter.searchFilter:#{null}}")
+  private String userFilterSearchFilter;

  @Bean
  public ReactiveAuthenticationManager authenticationManager(BaseLdapPathContextSource contextSource) {
    BindAuthenticator ba = new BindAuthenticator(contextSource);
-    ba.setUserDnPatterns(new String[]{ldapUserDnPattern});
+    if (ldapUserDnPattern != null) {
+      ba.setUserDnPatterns(new String[]{ldapUserDnPattern});
+    }
+    if (userFilterSearchFilter != null) {
+      LdapUserSearch userSearch =
+              new FilterBasedLdapUserSearch(userFilterSearchBase, userFilterSearchFilter, contextSource);
+      ba.setUserSearch(userSearch);
+    }

    LdapAuthenticationProvider lap = new LdapAuthenticationProvider(ba);

@ -45,6 +62,8 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {
  public BaseLdapPathContextSource contextSource() {
    LdapContextSource ctx = new LdapContextSource();
    ctx.setUrl(ldapUrls);
+    ctx.setUserDn(adminUser);
+    ctx.setPassword(adminPassword);
    ctx.afterPropertiesSet();
    return ctx;
  }