Use of PoolingContextSource with BindAuthenticator
Have been looking at Spring Security to see if we can use PoolingContextSource with BindAuthenticator. The PasswordComparisonEncoder is created with a BaseLdapPathContextSource but the BindAuthenticator takes a SpringSecurityAuthenticator. Using the following ContextSource (app context entries below the code):

import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.pool.factory.PoolingContextSource;

public class TvLdapPoolingContextSource extends PoolingContextSource implements BaseLdapPathContextSource {

    // This wrapper exposes no base path of its own; both accessors return null.
    @Override
    public DistinguishedName getBaseLdapPath() {
        return null;
    }

    @Override
    public String getBaseLdapPathAsString() {
        return null;
    }
}
Am using the following in my Spring app context:

<bean id="poolingContextSource" class="com.iex.tv.services.impl.core.model.service.ldap.TvLdapPoolingContextSource">
    <property name="contextSource" ref="contextSource" />
    <property name="dirContextValidator" ref="dirContextValidator" />
    <property name="testOnBorrow" value="true" />
    <property name="testWhileIdle" value="true" />
</bean>

<bean id="dirContextValidator" class="org..ldap.pool.validation.DefaultDirContextValidator" />

<bean id="contextSource" class="org..ldap.core.support.LdapContextSource">
    <!-- urls will be replaced with user defined ones (can be more than one) -->
    <property name="url" value="ldap://<someserver>:389" />
    <property name="pooled" value="false"/>
    <property name="cacheEnvironmentProperties" value="false"/>
</bean>
I can create a PasswordComparisonAuthenticator with the TvLdapPoolingContextSource but cannot use the same one for BindAuthenticator (as it needs a SpringSecurityContextSource). Am I missing something? Or do I need to implement a BindAuthenticator myself that is created with a BaseLdapPathContextSource?
Also, we have an application where the user can specify multiple LDAP servers to use for authentication (the first one where authentication succeeds is used), and I saw the following in the Spring LDAP documentation:
"The PoolingContextSource assumes that all DirContext objects retrieved from ContextSource.getReadOnlyContext() will have the same environment and likewise that all DirContext objects retrieved from ContextSource.getReadWriteContext() will have the same environment. This means that wrapping a LdapContextSource configured with an AuthenticationSource in a PoolingContextSource will not function as expected. The pool would be populated using the credentials of the first user and unless new connections were needed subsequent context requests would not be filled for the user specified by the AuthenticationSource for the requesting thread."
Will it be a problem when using PoolingContextSource with multiple servers and a single LdapContextSource within it? Or do we just create a LdapContextSource for each url and inject it into PoolingContextSource when accessing one server? All the examples I have seen create a ContextSource with a single url and inject that into a PoolingContextSource. So, I am not sure if multiple urls in the context source should be a problem based on the segment of documentation above.
Thanks
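An added example, not part of the original post and not Spring Security's own code, that implements the "first server where authentication succeeds" behaviour asked about above. It assumes the current Spring Security LDAP API (the org.springframework.security.ldap.authentication package of 3.x and later, where BindAuthenticator takes a BaseLdapPathContextSource) rather than the 2.0-era org.springframework.security.providers.ldap package this thread is about; the class name FirstSuccessfulLdapAuthenticator, the forServers and exampleProvider helpers, and the example.com hostnames are all invented for the illustration. It is built around two points. First, the JNDI LDAP provider treats a space-separated list of URLs in one context source as connection failover: it uses the first server it can reach and does not go on to the next one when that server answers, so a user who exists only on the second server gets NO_SUCH_OBJECT from the first. Second, a bind authenticator binds with the user's own password, so its context source must not be pooled, because a pooled connection would stay bound as whichever user borrowed it first.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.ldap.NamingException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.LdapAuthenticator;

/**
 * Hypothetical authenticator (not part of Spring Security) that asks each
 * configured LDAP server in turn and returns the first successful bind.
 * Every server gets its own unpooled context source: a BindAuthenticator binds
 * with the user's own password, so a shared pooled connection would remain
 * bound as whichever user happened to borrow it first.
 */
public class FirstSuccessfulLdapAuthenticator implements LdapAuthenticator {

    private final List<LdapAuthenticator> delegates;

    public FirstSuccessfulLdapAuthenticator(List<LdapAuthenticator> delegates) {
        if (delegates == null || delegates.isEmpty()) {
            throw new IllegalArgumentException("at least one delegate authenticator is required");
        }
        this.delegates = new ArrayList<LdapAuthenticator>(delegates);
    }

    @Override
    public DirContextOperations authenticate(Authentication authentication) {
        RuntimeException lastFailure = null;
        for (LdapAuthenticator delegate : delegates) {
            try {
                return delegate.authenticate(authentication);
            } catch (BadCredentialsException e) {
                // Wrong password, or the user does not exist on this server: try the next one.
                lastFailure = e;
            } catch (NamingException e) {
                // Server unreachable or it returned an LDAP error (e.g. NO_SUCH_OBJECT): try the next one.
                lastFailure = e;
            }
        }
        // Every server rejected the credentials or was unavailable. Report one generic
        // failure so a caller cannot learn which server, if any, knows the account.
        throw new BadCredentialsException("Authentication failed on all configured LDAP servers", lastFailure);
    }

    /**
     * Builds one unpooled BindAuthenticator per server URL. The same user DN pattern
     * is used on every server, so all of them must share the same directory layout.
     */
    public static FirstSuccessfulLdapAuthenticator forServers(List<String> urls, String baseDn,
            String userDnPattern) {
        List<LdapAuthenticator> authenticators = new ArrayList<LdapAuthenticator>();
        for (String url : urls) {
            // One context source per server, each holding exactly one URL, so the JNDI
            // failover list never hides a server that is up but does not know the user.
            DefaultSpringSecurityContextSource contextSource =
                    new DefaultSpringSecurityContextSource(Arrays.asList(url), baseDn);
            contextSource.setPooled(false); // per-user binds must never share a connection
            try {
                contextSource.afterPropertiesSet();
            } catch (Exception e) {
                throw new IllegalStateException("cannot initialise context source for " + url, e);
            }
            BindAuthenticator bind = new BindAuthenticator(contextSource);
            bind.setUserDnPatterns(new String[] { userDnPattern });
            authenticators.add(bind);
        }
        return new FirstSuccessfulLdapAuthenticator(authenticators);
    }

    /** Wires the authenticator into a provider; hostnames and base DN are constructed sample values. */
    public static LdapAuthenticationProvider exampleProvider() {
        List<String> servers = Arrays.asList(
                "ldaps://primary.example.com:636",
                "ldaps://failover.example.com:636");
        return new LdapAuthenticationProvider(
                forServers(servers, "dc=example,dc=com", "uid={0},ou=people"));
    }
}
```

Because every listed server is tried in turn with the user's password, all of them must be equally trusted and the URLs should be ldaps:// (or StartTLS) endpoints; a rogue or misconfigured entry in the list would both receive the credential and be free to accept it. The context sources built here are deliberately unpooled. Pooling belongs to contexts bound with a fixed service account, which is the situation the Spring LDAP documentation quoted above is describing.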
By definition, an LDAP bind operation supplies the authentication information for a connection. It doesn't usually make sense to use pooling with individually authenticated connections, and as you have quoted, PoolingContextSource doesn't appear to support this anyway (though the Sun LDAP provider does). Why do you want to use it?
We need to use connection pooling for LDAP. PoolingContextSource seemed like a good fit as we did not want to set system properties (which is what is required for Java LDAP pooling), and environment properties are what we use for the rest of the application.
I can now see why with BindAuthentication it does not make sense to use pooling with individually authenticated connections.
So, does it mean that PoolingContextSource can only be used when using PasswordComparisonAuthenticator?
Also, am seeing an issue with PasswordComparisonAuthenticator - looks like it can only be used for a single url.
Have two urls that I set when creating PasswordComparisonAuthenticator - I can see that the string is tokenized and two urls are set using super.setUrls; let's call them primaryServer and failoverServer. Running a test with the two server urls does not authenticate my user. If I remove the primaryServer from the list of urls the user is authenticated in the failoverServer. I am a little confused on why PasswordComparisonAuthenticator does not support multiple urls. Am I missing something here?
Originally Posted by kellyc
So, does it mean that PoolingContextSource can only be used when using PasswordComparisonAuthenticator?
I have never used it, but I would imagine so, since it says it expects all connections to use the same environment.
Also, am seeing an issue with PasswordComparisonAuthenticator - looks like it can only be used for a single url.
Have two urls that I set when creating PasswordComparisonAuthenticator - I can see that the string is tokenized and two urls are set using super.setUrls; let's call them primaryServer and failoverServer. Running a test with the two server urls does not authenticate my user. If I remove the primaryServer from the list of urls the user is authenticated in the failoverServer. I am a little confused on why PasswordComparisonAuthenticator does not support multiple urls. Am I missing something here?
I don't really know why this would be the case. You'll need to work out why the authentication is failing. What does the log say? What does the LDAP server log say as to why the comparison fails?
Logs show the following:

17:33:01,437 INFO main [.ldap.DefaultSpringSecurityContextSource] url 'ldap://localhost:10389', root DN is ''
17:33:01,437 INFO main [.ldap.DefaultSpringSecurityContextSource] url 'ldap://<failOverServerIp>:389', root DN is ''

Authentication fails with:

junit.framework.AssertionFailedError: not expecting naming exception!org..ldap.NameNotFoundException: [LDAP: error code 32 - NO_SUCH_OBJECT: failed for SearchRequest

With a single url:

17:33:04,437 INFO main [.ldap.DefaultSpringSecurityContextSource] url 'ldap://<failOverServerIp>:389', root DN is ''

authentication succeeds.

Has anyone used multiple urls successfully with org..security.providers.ldap.authenticator.PasswordComparisonAuthenticator?