We could configure a good chunk of Spring security for LDAP (probably other places too) simply with application.properties:

security.ldap.url=ldaps://example.com
security.ldap.user-dn-pattern=uid={0},ou=Users,o=example
security.ldap.group-dn=ou=example,ou=Roles,o=example
security.ldap.group-search-base=(uniqueMember={0})
security.ldap.auth.user-dn=uid=exampleAuthUser,ou=Users,o=example
security.ldap.auth.password=somePassword

I have code that I can contribute if there is interest.

Comment From: shakuzen

@bbrouwer FYI, support for auto-configuring LDAP was recently added with Spring Boot 1.5 RC1. See the release notes and new documentation section for more details. Perhaps this covers (some of) what you had in mind already?

Comment From: bbrouwer

That is pretty cool. I didn't know about that yet. My use case is specifically related to security, not a generic use that Spring Data LDAP gives me. Is Spring Security going to switch to use Spring Data LDAP? I didn't find anything specifically saying that, but it would make sense.

I could definitely see being able to write a custom UserDetails implementation that would use the Spring Data LDAP repositories to get the user details and roles that Spring Security needs, but I'm hoping for something that simply requires setting a few properties.

It looks like Spring Data LDAP provides a few of the properties I'm looking for:

spring.ldap.urls=ldap://myserver:1235
spring.ldap.username=admin
spring.ldap.password=secret

But that leaves the needing to specify the group-dn, group-search-base, user-dn-pattern, user-role-attribute, ...

Comment From: wilkinsona

Thank you for the suggestion and the offer of a contribution.

We want to simplify our auto-configuration for Spring Security in Boot 2.0 and, unfortunately, this feels like a step in the wrong direction. I think we'd end up with an auto-configured WebSecurityConfigurerAdapter that kicked in when some spring.security.ldap properties were set.

We'd prefer that people use Spring Security's Java DSL to set this up rather than us trying to recreate that DSL in configuration properties.

Comment From: ffroliva

@jzheaux suggested I should open an issue here, for spring-boot team, instead of in spring security project.

I feel here is the right submit my request and perhaps this thread can be reopen. Please let me know if you want to submit my request in a different (separate) issue.

I am currently working to integrate ActiveDirectoryLdapAuthenticationProvider with SecurityFilterChain.

To configure ActiveDirectoryLdapAuthenticationProvider I need to provide the following properties (or a combination of them).

        private final String domain;

    private final String rootDn;

    private final String url;

    private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";

Currenty, there is no spring configuration properties that would allow me to externalize the configuration from application.properties or application.yml. I have to create a custom bean for that purpose.

Spring provides LdapProperties for ldap configuration.

My suggestion would be to take similar approach. An initial suggestion for the list of properties would be:

package org.springframework.security.ldap.authentication.ad;

import lombok.Getter;
import lombok.Setter;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;


@Getter
@Setter
@Configuration
@ConfigurationProperties(prefix = "spring.security.ldap.active-directory")
public class LdapSecurityProperties {
    String domain;
    String url;
    String rootDn;
    String searchFilter;
}

Then in application.properties we would have:

spring.security.ldap.activeDirectory.url=ldap://localhost:389
spring.security.ldap.activeDirectory.domain=
spring.security.ldap.activeDirectory.rootDn=dc=example,dc=com
spring.security.ldap.activeDirectory.searchFilter=(sAMAccountName={0})

My current approach to configuring AD authentication provider looks this:

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider(LdapSecurityProperties ldapProperties) {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(
                        ldapProperties.getDomain(),
                        ldapProperties.getUrl(),
                        ldapProperties.getRootDn());

        // to parse AD failed credentials error message due to account - expiry,lock | credentials - expiry,lock
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        provider.setSearchFilter(ldapProperties.getSearchFilter());
        return provider;
    }

Comment From: philwebb

Thanks for the suggestion @ffroliva, we'll re-open this one to see what we can do.

Comment From: rfelgent

Hi @ffroliva and @philwebb ,

in my current project I use lldap, too. And I encountered some missing "features" that I am used to when developing a Spring Boot application - missing "customizer" feature for AbstractLdapAuthenticationManagerFactory and/or LdapBindAuthenticationManagerFactory and - missing declarative configuration/application.yaml for a few "ldap" settings, e.g. "searchPattern" (as mentioned in this thread) and - sub-optimal @ServiceConnection support for ldap containers other than "osixia/openldap" (addressed by #44057) and - "misc" stuff like, e.g. #44249 ?!

Anyway, I would like to hava the customizer feature. Should I raise another issue or can it be addressed here ?

Comment From: philwebb

@rfelgent Sorry for the delay replying. I new issue would be good (if you've not already raised one)