Strongbox have configurable authentication which can be setup with strongbox-authentication-providers.yaml. By default, only users who are stored in the database can be authorized. Additionally authorization can be configured through an external LDAP server as shown below:
strongbox:
authentication:
strongboxUserDetailService:
order: 1
enabled: true
ldapUserDetailsService:
order: 0
enabled: true
passwordAuthenticationProvider:
order: 0
enabled: true
jwtAuthenticationProvider:
order: 1
enabled: true
securityTokenAuthenticationProvider:
order: 2
enabled: true
ldap:
url: ldap://gw.vm:389/dc=carlspring,dc=com
managerDn: cn=Admin,dc=carlspring,dc=com
managerPassword: 1234
rolesMapping:
- externalRole: strongbox
strongboxRole: ADMIN
- externalRole: Contributors
strongboxRole: USER_ROLE
userDnPatterns:
- uid={0},ou=Users,dc=carlspring,dc=com
groupSearchBase: ou=Groups,dc=carlspring,dc=com
groupSearchFilter: (uid={0})
authorities:
groupSearchBase: ou=Groups
groupSearchFilter: (uniqueMember={0})
convertToUpperCase: false
groupRoleAttribute: ou
rolePrefix: ''
searchSubtree: true
Within this task we need to check how this configuration actually works with Strongbox distribution.
The following tasks will need to be carried out:
@pyashwanthkumar hey, what's the state of this task?
@anki2189 would you like to help with it?
@sbespalov @carlspring I am picking this task.
Findings and testing done so far:
LDAP configuration is getting applied to Strongbox instance
Users are getting authenticated against external ldap
Configured role mappings working fine for LDAP users
Below are assumptions or changes made to test the functionality.
strongbox.ldif has raw password strings and PasswordAuthenticationProvider uses BCryptPasswordEncoder to validate password, so we need to change raw password to encoded ones.
In strongbox-authentication-provider.xml anonymousReadOnly property in contextSource bean was set as true which is used for anonymous binding on ldap server , this should be changed to false.
From strongbox-authentication-providers.yaml ldap configuration managerDn is used for user binding (if anonymousReadOnly is false) for initial authentication on ldap server.
I have tested it with osixia/openldap:1.3.0 docker image provided by @steve-todorov , default admin user for openldap server is cn=admin,dc=carlspring,dc=com and password is 1234 , authentication is working fine with default configs.
î‚° curl -u stodorov:password http://localhost:48080/api/login
{"token":"eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTdHJvbmdib3giLCJqdGkiOiItcFBrY2xsbmcxMDgyQWs2cmtBWFZBIiwic3ViIjoic3RvZG9yb3YiLCJpYXQiOjE1ODA2NjE4OTAsInVzZXJIYXNoIjoiLTUzNzUzOTI2OSIsImV4cCI6MTU4MDY2NTQ5MH0.bqMFWI4_eum_1_me-87EjgT_mKOato00bHL1AzKgv_Q","authorities":["ADMIN_CREATE_REPO","ADMIN_DELETE_REPO","ADMIN_LIST_REPO","ADMIN_UPDATE_REPO","AUTHENTICATED_USER","UI_LOGIN"]}%
Ideally ldap.managerDn should be configured using strongbox.ldif like managerDn: ou=Managers, ou=Employees, ou=Groups, dc=carlspring, dc=com but not able to figure out why its not working , it is giving Invalid credentials while binding managerDn,
and managerDn: uid=mtodorov,ou=Users,dc=carlspring,dc=com is working fine.
@strongbox/core-developers : Could you pls help me on how to proceed further on managerDn part.
I've already mentioned to @anki2189 privately, but am adding it here for the archive.
The managerDn is usually configured at server level. Sometimes this is done with a config file, sometimes using slapd.ldif. It depends on the LDAP server and version.
If you are using Active Directory, this is a whole other story.
I believe what you've done so far is fine regarding the managerDn configuration. This will be used only for testing and in production you'd have an external LDAP server (how it has been configured is out of the scope of this issue).
@sbespalov could you please advice @anki2189 on the PasswordAuthenticationProvider part? In LDAP your user can be using plain password, MD5, SHA, SMD5, SSHA and probably CRYPT. As far as I know the Spring LDAP should be able to automatically guess the encryption type, because the password value in LDAP usually will be {ALGO}hash..... However it looks like the BCryptPasswordEncoder gets in the mix somehow?
Most helpful comment
@sbespalov @carlspring I am picking this task.