From 541e4018ec251ea371fd64b198b916b9fd198d99 Mon Sep 17 00:00:00 2001
From: Roman Zabaluev
Date: Fri, 15 Jul 2022 18:06:49 +0400
Subject: [PATCH] Active Directory support for LDAP (#2056)

* AD support for LDAP
* Review suggestions, documentation update
---
 documentation/compose/auth-ldap.yaml | 7 ++++++-
 .../ui/config/auth/LdapSecurityConfig.java | 20 +++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/documentation/compose/auth-ldap.yaml b/documentation/compose/auth-ldap.yaml
index 7c25adce5d..12069639f2 100644
--- a/documentation/compose/auth-ldap.yaml
+++ b/documentation/compose/auth-ldap.yaml
@@ -29,14 +29,19 @@ services:
       AUTH_TYPE: "LDAP"
       SPRING_LDAP_URLS: "ldap://ldap:10389"
       SPRING_LDAP_DN_PATTERN: "cn={0},ou=people,dc=planetexpress,dc=com"
-# USER SEARCH FILTER INSTEAD OF DN
+
+# ===== USER SEARCH FILTER INSTEAD OF DN =====
+
 # SPRING_LDAP_USERFILTER_SEARCHBASE: "dc=planetexpress,dc=com"
 # SPRING_LDAP_USERFILTER_SEARCHFILTER: "(&(uid={0})(objectClass=inetOrgPerson))"
 # LDAP ADMIN USER
 # SPRING_LDAP_ADMINUSER: "cn=admin,dc=planetexpress,dc=com"
 # SPRING_LDAP_ADMINPASSWORD: "GoodNewsEveryone"
+# ===== ACTIVE DIRECTORY =====
+# OAUTH2.LDAP.ACTIVEDIRECTORY: true
+# OAUTH2.LDAP.AСTIVEDIRECTORY.DOMAIN: "memelord.lol"
   ldap:
     image: rroemhild/test-openldap:latest
diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
index 0d629a8836..9681c36bc9 100644
--- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
+++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
@@ -14,8 +14,10 @@ import org.springframework.security.authentication.ReactiveAuthenticationManager
 import org.springframework.security.authentication.ReactiveAuthenticationManagerAdapter;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
 import org.springframework.security.ldap.authentication.BindAuthenticator;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.search.LdapUserSearch;
 import org.springframework.security.web.server.SecurityWebFilterChain;
@@ -39,6 +41,11 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {
   @Value("${spring.ldap.userFilter.searchFilter:#{null}}")
   private String userFilterSearchFilter;
+  @Value("${oauth2.ldap.activeDirectory:false}")
+  private boolean isActiveDirectory;
+  @Value("${oauth2.ldap.aсtiveDirectory.domain:#{null}}")
+  private String activeDirectoryDomain;
+
   @Bean
   public ReactiveAuthenticationManager authenticationManager(BaseLdapPathContextSource contextSource) {
     BindAuthenticator ba = new BindAuthenticator(contextSource);
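Review bot: The property key in the new `@Value("${oauth2.ldap.aсtiveDirectory.domain:#{null}}")` annotation appears to contain a non-ASCII look-alike of the letter `c` in `aсtiveDirectory` — it does not match the ASCII `activeDirectory` used in the `oauth2.ldap.activeDirectory:false` key two lines above — so an operator who sets `oauth2.ldap.activeDirectory.domain` in ASCII would silently get the `#{null}` default and the provider would be built with no domain. The key should be retyped in plain ASCII, `@Value("${oauth2.ldap.activeDirectory.domain:#{null}}")`, and a test or a `git grep -P '[^\x00-\x7F]'` over the config classes would catch a recurrence. The compose example in documentation/compose/auth-ldap.yaml shows the same look-alike in `OAUTH2.LDAP.AСTIVEDIRECTORY.DOMAIN`, so that line needs the same correction. A short Javadoc on the two fields stating that `activeDirectoryDomain` is only consulted when `isActiveDirectory` is true would also help, since nothing else ties them together.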
@@ -51,9 +58,15 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {
       ba.setUserSearch(userSearch);
     }
-    LdapAuthenticationProvider lap = new LdapAuthenticationProvider(ba);
+    AbstractLdapAuthenticationProvider authenticationProvider;
+    if (!isActiveDirectory) {
+      authenticationProvider = new LdapAuthenticationProvider(ba);
+    } else {
+      authenticationProvider = new ActiveDirectoryLdapAuthenticationProvider(activeDirectoryDomain, ldapUrls);
+      authenticationProvider.setUseAuthenticationRequestCredentials(true);
+    }
-    AuthenticationManager am = new ProviderManager(List.of(lap));
+    AuthenticationManager am = new ProviderManager(List.of(authenticationProvider));
     return new ReactiveAuthenticationManagerAdapter(am);
   }
@@ -71,6 +84,9 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {
   @Bean
   public SecurityWebFilterChain configureLdap(ServerHttpSecurity http) {
     log.info("Configuring LDAP authentication.");
+    if (isActiveDirectory) {
+      log.info("Active Directory support for LDAP has been enabled.");
+    }
     http
       .authorizeExchange()
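Review bot: In the `else` branch the `BindAuthenticator ba` built from `contextSource` (including the `userSearch` set just above the hunk) is never used — `ActiveDirectoryLdapAuthenticationProvider` is constructed from `activeDirectoryDomain` and `ldapUrls` alone — so the `spring.ldap.userFilter.*` and admin-user settings are silently ignored once `oauth2.ldap.activeDirectory` is true, and a deployment that relies on them for access control would not notice. At minimum the branch deserves a comment, e.g. `// AD mode binds directly to ldapUrls with the request credentials; contextSource/userSearch settings do not apply`, and ideally a `log.warn` when a user filter or admin user is configured together with AD; moving the `ba`/`userSearch` construction into the non-AD branch would make the split explicit. `ldapUrls` is declared outside the hunk (presumably the `spring.ldap.urls` value), and `activeDirectoryDomain` defaults to null, in which case the provider binds with the username exactly as entered — worth stating in the field's Javadoc so operators know a UPN-form login is then required. As far as I recall `setUseAuthenticationRequestCredentials(true)` is already the default on `AbstractLdapAuthenticationProvider`, so if it is kept a comment should say why. The enclosing `authenticationManager` method starts before this hunk.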