Tuesday, November 27, 2012

Grails: How to Configure the LDAP Plugin to Work With the Active Directory

The LDAP authentication support for the Spring Security plugin provides access to directory services via LDAP. It's really easy to configure: once you learn how to do it, you won't spend more than 10 minutes getting it working. In this post I'll show you how to get your Active Directory authentication service working very quickly.

For this post, let's suppose that we have an Active Directory server running with the following access data:
Port: 389
Domain: mydomain.com
Admin user: admin
Admin password: pass

So, the first thing we need to do is install the LDAP authentication plugin:
grails install-plugin spring-security-ldap

The command above will install the LDAP authentication support for the Spring Security plugin as well as its dependency, the Spring Security Core plugin.

After that, we can configure the communication with the Active Directory server. In the conf/Config.groovy file, add the following lines and adapt them to your access data:

// account the application uses to bind to the directory and search for users
grails.plugins.springsecurity.ldap.context.managerDn = 'admin'
grails.plugins.springsecurity.ldap.context.managerPassword = 'pass'
// URL of your AD server
grails.plugins.springsecurity.ldap.context.server = 'ldap://'
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugins.springsecurity.ldap.search.base = 'dc=mydomain,dc=com'
// match the login name against the AD sAMAccountName attribute
grails.plugins.springsecurity.ldap.search.filter = "sAMAccountName={0}"
grails.plugins.springsecurity.ldap.search.searchSubtree = true
// false: an unknown user raises UsernameNotFoundException instead of BadCredentialsException
grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugins.springsecurity.ldap.search.attributesToReturn = ['mail', 'displayName'] // extra attributes you want returned
grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider']

// role-specific LDAP config
grails.plugins.springsecurity.ldap.useRememberMe = false
// turn the groups whose member attribute lists the user into roles
grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'dc=mydomain,dc=com'
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
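
The settings above bind over plain ldap://, keep the manager password in the file and switch off hideUserNotFoundExceptions. As an added example (not code from the original post or from the plugin), this Groovy script reads such settings with ConfigSlurper and reports those three weak spots. The host name, the sample text and the auditLdapConfig helper are assumptions made for illustration.

```groovy
// CONSTRUCTED sample: the post's settings; the host name is a placeholder.
def sample = '''
grails.plugins.springsecurity.ldap.context.managerDn = 'admin'
grails.plugins.springsecurity.ldap.context.managerPassword = 'pass'
grails.plugins.springsecurity.ldap.context.server = 'ldap://ad.example.invalid:389'
grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
'''

// Hypothetical helper: returns one finding per weak LDAP setting.
List<String> auditLdapConfig(String configText) {
    // ConfigSlurper is the Groovy class that reads Config.groovy-style scripts.
    def ldap = new ConfigSlurper().parse(configText).grails.plugins.springsecurity.ldap
    List<String> findings = []

    // Missing keys come back as empty ConfigObjects, so test the type first.
    def server = ldap.context.server
    if (server instanceof CharSequence &&
            server.toString().toLowerCase().startsWith('ldap://')) {
        findings << 'context.server uses ldap://: simple binds send the manager ' +
                'and user passwords unencrypted; use ldaps:// and make sure the ' +
                'JVM truststore trusts the AD certificate'
    }

    // The parsed value cannot show where it came from, so inspect the source text.
    if (configText =~ /managerPassword\s*=\s*['"]/) {
        findings << 'context.managerPassword is a string literal in the file; ' +
                'read it from outside the code base, e.g. System.getenv(...)'
    }

    // With false, the provider raises UsernameNotFoundException for unknown
    // users, so logs or error messages can reveal which accounts exist.
    if (ldap.auth.hideUserNotFoundExceptions == false) {
        findings << 'auth.hideUserNotFoundExceptions = false distinguishes ' +
                'unknown users from wrong passwords; set it to true'
    }
    findings
}

auditLdapConfig(sample).each { println "WEAK: ${it}" }
```

Run it with the groovy command; pass the text of your own Config.groovy to auditLdapConfig to check a real project.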

If you've configured your server correctly, your Grails application can already communicate with your AD server, so now we can create our login page. But don't worry, Grails and its plugins do the hard work for us. Just run the following command to create your login page:
grails s2-quickstart <your package, e.g. com.myproject> User Role

That command will create the User, Role and UserRole domain classes, as well as their controllers and views. The views will be created in the views/login folder.

Now you should be able to access your login page, which authenticates your users by checking them against the Active Directory. Try accessing something like this:

If you want to do some customization, you can check the User, Role and UserRole domain classes, controllers and views.

Hope that helps you!
