@@ -577,19 +577,64 @@
|
</para> |
</section> |
<section> |
<title>The <literal><ldap-provider> Element</literal></title> |
<title>The <literal><ldap-provider></literal> Element</title> |
<para> |
This element is shorthand for the creation of an <classname>LdapAuthenticationProvider</classname> instance. |
|
By default this will be configured with a <classname>BindAuthenticator</classname> instance and a |
<classname>DefaultAuthoritiesPopulator</classname>. |
</para> |
<section> |
<title>The <literal>user-dn-pattern</literal> Attribute</title> |
<para> |
If your users are at a fixed location in the directory (i.e. you can work out the DN |
directly from the username without doing a directory search), you can use this attribute |
to map directly to the DN. It maps directly to the <literal>userDnPatterns</literal> |
property of <classname>AbstractLdapAuthenticator</classname>. |
</para> |
</section> |
|
<section> |
<title>The <literal>user-search-base</literal> and <literal>user-search-filter</literal> Attributes</title> |
<para> |
If you need to perform a search to locate the user in the directory, then you |
can set these attributes to control the search. The <classname>BindAuthenticator</classname> will be configured |
with a <classname>FilterBasedLdapUserSearch</classname> and the attribute values map directly to the first two |
arguments of that bean's constructor. If these attributes aren't set and no <literal>user-dn-pattern</literal> |
has been supplied as an alternative, then the default search values of <literal>user-search-filter="(uid={0})"</literal> |
and <literal>user-search-base=""</literal> will be used. |
</para> |
</section> |
<section> |
<title><literal>group-search-filter</literal>, <literal>group-search-base</literal>, <literal>group-role-attribute</literal> and <literal>role-prefix</literal> Attributes</title> |
<para> |
The value of <literal>group-search-base</literal> is mapped to the <literal>groupSearchBase</literal> constructor argument |
of <classname>DefaultAuthoritiesPopulator</classname> and defaults to "ou=groups". The default filter value is |
"(uniqueMember={0})", which assumes that the entry is of type "groupOfUniqueNames". <literal>group-role-attribute</literal> |
maps to the <literal>groupRoleAttribute</literal> attribute and defaults to "cn". Similarly <literal>role-prefix</literal> |
maps to <literal>rolePrefix</literal> and defaults to "ROLE_". |
</para> |
</section> |
<section> |
<title>The <literal><password-compare></literal> Element</title> |
<para> |
This is used as child element to <literal><ldap-provider></literal> and switches |
the authentication strategy from <classname>BindAuthenticator</classname> to |
<classname>PasswordComparisonAuthenticator</classname>. This can optionally be supplied with a |
<literal>hash</literal> attribute or with a child <literal><password-encoder></literal> |
element to hash the password before submitting it to the directory for comparison. |
</para> |
</section> |
</section> |
<section> |
<title>The <literal><ldap-user-service></literal> Element</title> |
<para> |
This element configures an LDAP <interfacename>UserDetailsService</interfacename>. The class used |
is <classname>LdapUserDetailsService</classname> which is a combination of a <classname>FilterBasedLdapUserSearch</classname> |
and a <classname>DefaultAuthoritiesPopulator</classname>. The attributes it supports have the same usage as in |
<literal><ldap-provider></literal>. |
</para> |
</section> |
|
|
</section> |
|
|
|
</section> |
|
|
</appendix> |
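Review bot: the two filter defaults added here, `user-search-filter="(uid={0})"` and the group default `(uniqueMember={0})`, both use a `{0}` placeholder, but neither section says what is substituted, and it is not the same thing: in the user search `{0}` is the login name the user typed, while in the group search it is the DN of the user entry located in the first step (the login name is available there as `{1}`). Add one sentence to each of the two filter sections saying so, otherwise a reader who copies the group default into a schema that stores member names rather than DNs will get a filter that never matches and an empty set of authorities with no error. In the `<password-compare>` section, the sentence about the `hash` attribute and the child `<password-encoder>` should also say that the chosen encoding has to match the format in which the directory stores the password attribute, since a mismatch makes every comparison fail as bad credentials rather than as a configuration fault; the `BindAuthenticator` described as the default has no such coupling, which is worth stating as the reason it is the default. The title change from `<literal><ldap-provider> Element</literal>` to `<literal><ldap-provider></literal> Element` is correct and matches the other titles in the hunk.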
|