I am working on implementing spring security into my project. I need to use the username which Spring Security extracts from the certificate CN as the uid on the LDAP server. I am not sure of the proper way to approach this problem. I am unsure how to pass the CN value from the x509 into the LDAP authenticator. Anyone done this before or have any ideas?
Note: I do not need to pass the entire certificate to the LDAP server as they aren't stored there, only the username from the CN.
Edit: Here is some of the configuration in my spring security xml file:
<http>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<anonymous />
<x509 subject-principal-regex="CN=(.*?)," /> <!-- user-service-ref needed? -->
</http>
<ldap-server id="ldapServer" url="ldap://localhost:389/dc=example,dc=com" manager-dn="cn=manager,dc=example,dc=com" manager-password="myPassword" />
<authentication-manager>
<ldap-authentication-provider
user-dn-pattern="uid={0},ou=people"
user-search-filter="(uid={0})"
user-search-base="ou=people,dc=example,dc=com"
group-search-filter="(member={0})"
group-search-base="ou=groups"
group-role-attribute="cn" />
</authentication-manager>
You should use an ldap-user-service. Here's an example configuration from the Spring Security test suite. Spring Security should then automatically substitute the username it extracts from the certificate CN in place of the {0} marker in the LDAP search filter.
The ldap-authentication-provider element is intended for authenticating users with a username and password, which isn't what you want with X.509, where the validation of the certificate by the container is regarded as performing the authentication.
Spring Security's X.509 authentication filter needs a UserDetailsService to load information for the user, so you need one in your configuration. As explained in the manual you don't need to use the user-service-ref attribute if there is only one, so just adding an ldap-user-service declaration should be sufficient.