Strongbox: Test the LDAP Authorization

Created on 3 Dec 2019  Â·  6Comments  Â·  Source: strongbox/strongbox

Task Description

Strongbox have configurable authentication which can be setup with strongbox-authentication-providers.yaml. By default, only users who are stored in the database can be authorized. Additionally authorization can be configured through an external LDAP server as shown below:

strongbox:
  authentication:
    strongboxUserDetailService:
      order: 1
      enabled: true
    ldapUserDetailsService:
      order: 0
      enabled: true
    passwordAuthenticationProvider:
      order: 0
      enabled: true
    jwtAuthenticationProvider:
      order: 1
      enabled: true
    securityTokenAuthenticationProvider:
      order: 2
      enabled: true
    ldap:
      url: ldap://gw.vm:389/dc=carlspring,dc=com
      managerDn: cn=Admin,dc=carlspring,dc=com
      managerPassword: 1234
      rolesMapping:
        - externalRole: strongbox
          strongboxRole: ADMIN
        - externalRole: Contributors
          strongboxRole: USER_ROLE
      userDnPatterns:
        - uid={0},ou=Users,dc=carlspring,dc=com
      groupSearchBase: ou=Groups,dc=carlspring,dc=com
      groupSearchFilter: (uid={0})
      authorities:
        groupSearchBase: ou=Groups
        groupSearchFilter: (uniqueMember={0})
        convertToUpperCase: false
        groupRoleAttribute: ou
        rolePrefix: ''
        searchSubtree: true

Within this task we need to check how this configuration actually works with Strongbox distribution.

Tasks

The following tasks will need to be carried out:

  • [x] Check that LDAP configuration applied for Strongbox instance
  • [x] Check that LDAP users can be authenticated in Strongbox
  • [x] Check that configured role mappings works for LDAP users
  • [x] Provide the documentation of how to configure LDAP authentication

Task Relationships

Help

  • Our chat
  • Points of contact:

    • @carlspring

    • @fuss86

    • @sbespalov

    • @steve-todorov

help wanted

Most helpful comment

@sbespalov @carlspring I am picking this task.

All 6 comments

@pyashwanthkumar hey, what's the state of this task?

@anki2189 would you like to help with it?

@sbespalov @carlspring I am picking this task.

Findings and testing done so far:

  • LDAP configuration is getting applied to Strongbox instance

  • Users are getting authenticated against external ldap

  • Configured role mappings working fine for LDAP users

Below are assumptions or changes made to test the functionality.

  • strongbox.ldif has raw password strings and PasswordAuthenticationProvider uses BCryptPasswordEncoder to validate password, so we need to change raw password to encoded ones.

  • In strongbox-authentication-provider.xml anonymousReadOnly property in contextSource bean was set as true which is used for anonymous binding on ldap server , this should be changed to false.

  • From strongbox-authentication-providers.yaml ldap configuration managerDn is used for user binding (if anonymousReadOnly is false) for initial authentication on ldap server.

I have tested it with osixia/openldap:1.3.0 docker image provided by @steve-todorov , default admin user for openldap server is cn=admin,dc=carlspring,dc=com and password is 1234 , authentication is working fine with default configs.

î‚° curl -u stodorov:password http://localhost:48080/api/login {"token":"eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJTdHJvbmdib3giLCJqdGkiOiItcFBrY2xsbmcxMDgyQWs2cmtBWFZBIiwic3ViIjoic3RvZG9yb3YiLCJpYXQiOjE1ODA2NjE4OTAsInVzZXJIYXNoIjoiLTUzNzUzOTI2OSIsImV4cCI6MTU4MDY2NTQ5MH0.bqMFWI4_eum_1_me-87EjgT_mKOato00bHL1AzKgv_Q","authorities":["ADMIN_CREATE_REPO","ADMIN_DELETE_REPO","ADMIN_LIST_REPO","ADMIN_UPDATE_REPO","AUTHENTICATED_USER","UI_LOGIN"]}%

Ideally ldap.managerDn should be configured using strongbox.ldif like managerDn: ou=Managers, ou=Employees, ou=Groups, dc=carlspring, dc=com but not able to figure out why its not working , it is giving Invalid credentials while binding managerDn,
and managerDn: uid=mtodorov,ou=Users,dc=carlspring,dc=com is working fine.

@strongbox/core-developers : Could you pls help me on how to proceed further on managerDn part.

I've already mentioned to @anki2189 privately, but am adding it here for the archive.

The managerDn is usually configured at server level. Sometimes this is done with a config file, sometimes using slapd.ldif. It depends on the LDAP server and version.
If you are using Active Directory, this is a whole other story.

I believe what you've done so far is fine regarding the managerDn configuration. This will be used only for testing and in production you'd have an external LDAP server (how it has been configured is out of the scope of this issue).

@sbespalov could you please advice @anki2189 on the PasswordAuthenticationProvider part? In LDAP your user can be using plain password, MD5, SHA, SMD5, SSHA and probably CRYPT. As far as I know the Spring LDAP should be able to automatically guess the encryption type, because the password value in LDAP usually will be {ALGO}hash..... However it looks like the BCryptPasswordEncoder gets in the mix somehow?

Was this page helpful?
0 / 5 - 0 ratings