Open
Description
There is currently no way to configure a DN to BIND when the ldap client is not acting on behalf of a particular user. This requires that the ldap server be configured to allow anonymous users to dump at least the group list, including membership.
As far as I can tell, the Spring Boot convention would configure this with ldap.username and ldap.password. I think this would be set with managerDn(). Despite the name, I think this could be any user with read permission for the necessary parts of the LDAP database (so it need not be an admin account). One perhaps relevant example.
FYI: by looking at the OpenLDAP server log, I can see that the sequence of operations is:
- BIND with the user provided through http basic auth
- UNBIND
- SEARCH (do a groups search)
What I would like to see happen if ldap.username is set:
- BIND with a DN derived from the username provided through http basic auth
- UNBIND
- BIND with the "manager" DN
- SEARCH (do a groups search)
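As an added example, not code from the issue author or from this project, here is how the requested sequence maps onto Spring Security's LDAP support: `BindAuthenticator` performs the per-user BIND and UNBIND against a DN derived from the HTTP basic auth username, and `DefaultLdapAuthoritiesPopulator` performs the group SEARCH on a read-only context that is bound as the manager DN (or anonymously when none is configured, which is today's behaviour). The property names `ldap.url`, `ldap.username` and `ldap.password`, the package name, and the directory layout (`uid={0},ou=people`, `ou=groups`, `member` attribute) are assumptions for illustration.

```java
package example; // assumed package name, not from the issue

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
public class LdapManagerBindConfig {

    // Property names follow the issue's proposal (assumed). Empty defaults keep the
    // current behaviour (anonymous group search) when no manager DN is configured.
    @Value("${ldap.url}")
    private String ldapUrl; // e.g. ldap://ldap.example.org:389/dc=example,dc=org (assumed)

    @Value("${ldap.username:}")
    private String managerDn; // a read-only account is enough; it need not be an admin

    @Value("${ldap.password:}")
    private String managerPassword;

    // One context source serves both binds:
    //  - getContext(userDn, password) is used by BindAuthenticator for the per-user BIND
    //  - getReadOnlyContext() is used by the authorities populator and binds as the
    //    userDn/password set here (the "manager" DN), or anonymously if none is set.
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(ldapUrl);
        if (!managerDn.isEmpty()) {
            cs.setUserDn(managerDn);
            cs.setPassword(managerPassword);
        } else {
            // No manager DN: the group SEARCH will be an anonymous read, so the
            // server must allow anonymous users to read ou=groups (the issue's complaint).
            cs.setAnonymousReadOnly(true);
        }
        return cs;
    }

    @Bean
    public LdapAuthenticationProvider ldapAuthenticationProvider(BaseLdapPathContextSource cs) {
        // Step 1: BIND as uid=<basic-auth username>,ou=people,<base> with the supplied
        // password, then UNBIND. This only proves the credentials; nothing is searched.
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"}); // assumed DIT layout

        // Step 2: BIND as the manager DN (via getReadOnlyContext()) and SEARCH ou=groups
        // for entries whose member attribute holds the user's full DN ({0}).
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(cs, "ou=groups"); // assumed group base
        populator.setGroupSearchFilter("(member={0})");
        populator.setGroupRoleAttribute("cn"); // group cn becomes the granted authority

        return new LdapAuthenticationProvider(authenticator, populator);
    }
}
```

The DSL form the author refers to, `auth.ldapAuthentication().contextSource().url(...).managerDn(...).managerPassword(...)`, builds the same `DefaultSpringSecurityContextSource` with `userDn` and `password` set, so the two styles are equivalent; the bean form is used here only because it makes the two separate binds visible. Keep `ldap.password` out of source control and grant the manager account read access to `ou=groups` only, since it is the one credential every group lookup now uses.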