From 894df17a21dad7ac8307ff6f3b09adc1d0482c80 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Thu, 12 Nov 2015 12:20:22 +0100
Subject: [PATCH] Add support for LDAP search patterns

An LDAP user search (search base plus filter, resolved via FilterBasedLdapUserSearch)
can now be configured instead of binding with a user DN pattern.
---
 src/main/java/de/thm/arsnova/config/SecurityConfig.java | 9 ++++++++-
 src/main/resources/arsnova.properties.example           | 4 ++++
 src/test/resources/arsnova.properties.example           | 4 ++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/main/java/de/thm/arsnova/config/SecurityConfig.java b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
index 03996ab1..d4e736a9 100644
--- a/src/main/java/de/thm/arsnova/config/SecurityConfig.java
+++ b/src/main/java/de/thm/arsnova/config/SecurityConfig.java
@@ -58,6 +58,7 @@ import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.authentication.BindAuthenticator;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 import org.springframework.security.ldap.authentication.LdapAuthenticator;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -99,6 +100,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 	@Value("${security.ldap.enabled}") private boolean ldapEnabled;
 	@Value("${security.ldap.url}") private String ldapUrl;
 	@Value("${security.ldap.user-dn-pattern:}") private String ldapUserDn;
+	@Value("${security.ldap.user-search-base:}") private String ldapSearchBase;
+	@Value("${security.ldap.user-search-filter:}") private String ldapSearchFilter;
 	@Value("${security.ldap.manager-user-dn:}") private String ldapManagerUserDn;
 	@Value("${security.ldap.manager-password:}") private String ldapManagerPassword;
 
@@ -267,7 +270,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter implements Serv
 	@Bean
 	public LdapAuthenticator ldapAuthenticator() throws Exception {
 		BindAuthenticator authenticator = new BindAuthenticator(ldapContextSource());
-		authenticator.setUserDnPatterns(new String[] {ldapUserDn});
+		if (!"".equals(ldapSearchFilter)) {
+			authenticator.setUserSearch(new FilterBasedLdapUserSearch(ldapSearchBase, ldapSearchFilter, ldapContextSource()));
+		} else {
+			authenticator.setUserDnPatterns(new String[] {ldapUserDn});
+		}
 
 		return authenticator;
 	}
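Review bot: The else branch at L42-44 still falls through to the DN-pattern bind when `security.ldap.user-search-filter` is empty, and `ldapUserDn` also defaults to `""` (L29), so a deployment that sets only `user-search-base` (or nothing) ends up with a single empty DN pattern and BindAuthenticator will attempt a bind with an empty DN; depending on the directory that may be treated as an unauthenticated/anonymous bind rather than rejected, so it is safer to fail at startup. I would guard the fallback with `if ("".equals(ldapUserDn)) { throw new IllegalStateException("security.ldap: set user-search-filter or user-dn-pattern"); }` before `setUserDnPatterns`. It is also worth a comment on L40 that the search filter takes precedence when both properties are set, since the DN pattern is silently ignored in that case. As far as I recall FilterBasedLdapUserSearch defaults to a one-level search scope, so users below nested OUs under the search base would not be found unless `setSearchSubtree(true)` is called — please confirm against the Spring Security version in use.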
diff --git a/src/main/resources/arsnova.properties.example b/src/main/resources/arsnova.properties.example
index 66d8e4e6..6e0a1d79 100644
--- a/src/main/resources/arsnova.properties.example
+++ b/src/main/resources/arsnova.properties.example
@@ -112,6 +112,10 @@ security.ldap.image=
 security.ldap.order=0
 security.ldap.url=ldap://example.com:33389/dc=example,dc=com
 security.ldap.user-dn-pattern=uid={0},ou=arsnova
+# Set the following properties if you want to use LDAP search instead of binding
+# with a DN pattern
+#security.ldap.user-search-filter=(uid={0})
+#security.ldap.user-search-base="ou=people"
 # Configure the LDAP manager user if anonymous binding is not allowed
 #security.ldap.manager-user-dn=cn=arsnova-manager,dc=example,dc=com
 #security.ldap.manager-password=arsnova
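Review bot: The example on L59 quotes the search base, but quotes are literal in a .properties file, so a deployer who uncomments it would pass `"ou=people"` (including the quotes) to FilterBasedLdapUserSearch and the search would fail or silently return nothing; the neighbouring `user-dn-pattern` on L55 is correctly unquoted. Change it to `#security.ldap.user-search-base=ou=people`. The comment on L56-57 should also say that the filter wins when both are configured, e.g. `# with a DN pattern; user-search-filter takes precedence over user-dn-pattern when both are set`, and that the base is presumably relative to the base DN in `security.ldap.url` (confirm).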
diff --git a/src/test/resources/arsnova.properties.example b/src/test/resources/arsnova.properties.example
index 66d8e4e6..6e0a1d79 100644
--- a/src/test/resources/arsnova.properties.example
+++ b/src/test/resources/arsnova.properties.example
@@ -112,6 +112,10 @@ security.ldap.image=
 security.ldap.order=0
 security.ldap.url=ldap://example.com:33389/dc=example,dc=com
 security.ldap.user-dn-pattern=uid={0},ou=arsnova
+# Set the following properties if you want to use LDAP search instead of binding
+# with a DN pattern
+#security.ldap.user-search-filter=(uid={0})
+#security.ldap.user-search-base="ou=people"
 # Configure the LDAP manager user if anonymous binding is not allowed
 #security.ldap.manager-user-dn=cn=arsnova-manager,dc=example,dc=com
 #security.ldap.manager-password=arsnova
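Review bot: Same issue as in the main example: L74 quotes the search base, and quotes are literal in a .properties file, so uncommenting it would pass `"ou=people"` with the quotes to the LDAP search. Use `#security.ldap.user-search-base=ou=people` so this test copy stays consistent with the unquoted `user-dn-pattern` on L70.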
-- 
GitLab