Thursday, November 21, 2013

Authentication using Active Directory in Java with Spring LDAP

Most of my team's applications authenticate against application-specific user data stored in a good old relational database. However, we have a single internal operations application that uses the company-wide Active Directory (AD) server for user authentication. When I first developed the application there was talk of many more applications authenticating against AD, and since LDAP directory access from Java has always been a little awkward, we decided to deploy an Atlassian Crowd instance. Crowd works well and exposes a simple REST interface for user authentication, but it was one extra server and application to maintain and monitor. Given that we only had one application using it and it was hitting a single AD instance on the backend, it became a bit of unnecessary overhead.

I've never been much of an AD or even LDAP expert, but I decided to look into authenticating against AD directly from my Java application. The best LDAP library I found is Spring LDAP, and we already use Spring for all of our dependency injection, so it was a natural fit. I expected to spend a day or two wading through distinguished names (DNs), properties, AD hierarchies, etc., but to my surprise I was able to get it up and running in a few lines of code as shown here:

To get all the various configuration values I needed, I simply looked at my Jenkins LDAP setup as well as the original Crowd configuration. Between the two and through a little poking around using JXplorer, I was able to find all the information I needed.

The Active Directory at my company requires an authenticated user in order to browse the directory, so I specify that account as the user DN and password of the context source. I can then issue authentication requests for any user in AD. Spring LDAP hides a lot of the gory details of crawling the directory, finding the user, and performing the bind that checks the password. You'll obviously have to tweak the base DN for your own configuration, and in a heavily used application you'll probably also want to look into Spring LDAP's pooling support.
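The setup described above, written out as an added example (this is not the post's own snippet): a context source holding the service account that is allowed to browse the directory, and an authenticate method that searches for the user and binds with the supplied password. The host, base DN, bind DN and the OU name are placeholders; the search filter is built with Spring LDAP's filter classes so that the user-entered name is escaped rather than concatenated into the filter, and an empty password is rejected up front because an LDAP bind with a DN and an empty password is an unauthenticated bind (RFC 4513) that many servers accept. The guard is kept here regardless of whether a given Spring LDAP version performs the same check.

```java
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

/** Authenticates users against Active Directory via Spring LDAP (added example, not the post's code). */
public class AdAuthenticator {

    private final LdapTemplate ldapTemplate;

    /**
     * @param url      directory URL, e.g. "ldaps://ad.example.internal:636" (placeholder; prefer LDAPS)
     * @param baseDn   directory root, e.g. "DC=example,DC=internal" (placeholder)
     * @param bindDn   service account permitted to browse the directory (placeholder)
     * @param bindPass that account's password, loaded from configuration rather than hard-coded
     */
    public AdAuthenticator(String url, String baseDn, String bindDn, String bindPass) throws Exception {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);
        contextSource.setBase(baseDn);
        contextSource.setUserDn(bindDn);
        contextSource.setPassword(bindPass);
        contextSource.afterPropertiesSet(); // needed when the bean is not created by the Spring container
        this.ldapTemplate = new LdapTemplate(contextSource);
    }

    /** Returns true only if exactly one matching user exists and binds with the given password. */
    public boolean authenticate(String username, String password) {
        // An empty password would be sent as an unauthenticated bind, so never let it count as success.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        // EqualsFilter escapes the value, so a username such as "*)(objectClass=*" cannot alter the filter.
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectClass", "user"));
        filter.and(new EqualsFilter("sAMAccountName", username));
        // Search under the users OU (relative to the base DN), then bind as the entry that was found.
        // "OU=CorpUsers" is a placeholder for the OU that holds your user accounts.
        return ldapTemplate.authenticate("OU=CorpUsers", filter.encode(), password);
    }
}
```

Callers should treat any exception thrown by the template (unreachable server, bad service-account credentials) as a failed login and log it server-side, never as a pass-through; and because the password is sent to the directory in the bind, the URL should use ldaps:// or StartTLS rather than plain ldap://.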

In the long run I'd like to get Crowd more fully configured and supported so I can point a bunch of my internal tools to it (like Git, SVN, Jenkins, etc) but for now I can shut it down and let my one application hit AD directly.


  1. ldapTemplate.authenticate("OU=CorpUsers", filter.encode(), "user-entered-password");

    If user-entered-password is a SHA-256 hash, how to use it with ldapTemplate.authenticate?
