LDAP bind with just incoming username/pw #1350

Open
tooptoop4 opened this issue Jun 13, 2023 · 9 comments

Comments


Feature description

I don't want to have a service account binding (i.e. managerDN) but want to use the incoming user creds to bind. But they will only supply username/email, not DN.
Note: the server does not allow anonymous bind.

I read "Active Directory will let you also bind using userPrincipalName instead of DN, so it might be helpful to attempt to bind as username@domain.com instead of username. Either users can be instructed to log in this way or the application can add @domain.com part upon binding attempt if feasible."

sdelamo (Contributor) commented Jun 13, 2023

@tooptoop4 I am not sure I understand what you want to achieve. Can you elaborate more? Do you have a sample app which shows what you want to be possible?

tooptoop4 (Author) commented Jun 13, 2023

@sdelamo
I want the bind to LDAP to happen with each username/password being entered in the UI. I don't want a common managerDN that is used for all the different users binding to LDAP, as I want to avoid issues when the common managerDN's password is wrong.
For Active Directory specifically the full DN is NOT required; just username + domain (i.e. someuser@some.company.com) and password can be used to bind: https://github.com/jeevatkm/generic-repo/blob/master/ActiveDirectoryJava/src/com/myjeeva/ad/ActiveDirectory.java#L69-L70

https://trino.io/docs/current/security/ldap.html#active-directory has more docs

Rough idea to make Micronaut support this:

This seems to be where the bind happens, but it is called twice (first the generic manager bind, then the bind as the user):

```java
// Excerpt of Micronaut's LdapAuthenticationProvider as posted in the issue
    managerContext = contextBuilder.build(configuration.getManagerSettings()); // bind #1: managerDN
    debug(LOG, "Manager context initialized successfully");
} catch (NamingException e) {
    debug(LOG, "Failed to create manager context. Returning unknown authentication failure. Encountered {}", e.getMessage());
    emitter.error(AuthenticationResponse.exception(AuthenticationFailureReason.UNKNOWN));
    return;
}
debug(LOG, "Attempting to authenticate with user [{}]", username);
try {
    Optional<LdapSearchResult> optionalResult = ldapSearchService.searchFirst(managerContext, configuration.getSearch().getSettings(new Object[]{username}));
    if (optionalResult.isPresent()) {
        LdapSearchResult result = optionalResult.get();
        debug(LOG, "User found in context [{}]. Attempting to bind.", result.getDn());
        DirContext userContext = null;
        try {
            String dn = result.getDn();
            userContext = contextBuilder.build(configuration.getSettings(result.getDn(), password)); // bind #2: the user
```

Need a new config for the domain name (i.e. some.company.com); if it is not empty, then edit the username

```java
String username = authenticationRequest.getIdentity().toString();
```

to be username + '@' + <domain_name_config> and only do a single bind.

tooptoop4 (Author) commented:

@sdelamo feedback ^

sdelamo (Contributor) commented Jun 28, 2023

Can you replace LdapAuthenticationProvider in your project and adjust it to your needs?

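What the two comments above amount to (bind once as username@domain with the user's own password, no managerDN and no search) is shown below as an added example. This is not Micronaut's, AKHQ's or the issue author's code; the class name UpnBindAuthenticator, the method names, the ldaps:// host and the "domain" setting are hypothetical stand-ins for the new config the issue asks for. It uses plain JNDI, which is what Micronaut's provider uses underneath, so it can be dropped into a replacement AuthenticationProvider; the Micronaut interface itself differs between versions and is not shown.

```java
import java.util.Hashtable;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Single-bind Active Directory authentication: bind as username@domain (the
 * userPrincipalName) with the user's own password, no managerDN and no search.
 * Added example, not Micronaut's or AKHQ's code; names are hypothetical.
 */
public final class UpnBindAuthenticator {

    // Characters accepted in a bare username before it becomes a UPN.
    // Assumption: anything else is rejected outright rather than escaped.
    private static final Pattern SAM_ACCOUNT_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    private final String ldapUrl; // e.g. "ldaps://dc01.some.company.com:636" (hypothetical host)
    private final String domain;  // the "domain name" config the issue proposes, e.g. "some.company.com"

    public UpnBindAuthenticator(String ldapUrl, String domain) {
        // Simple bind sends the password in clear text: insist on LDAPS.
        if (ldapUrl == null || !ldapUrl.toLowerCase(Locale.ROOT).startsWith("ldaps://")) {
            throw new IllegalArgumentException("ldapUrl must use ldaps://");
        }
        if (domain == null || domain.isEmpty()) {
            throw new IllegalArgumentException("domain must be configured");
        }
        this.ldapUrl = ldapUrl;
        this.domain = domain;
    }

    /** Turns a bare username into username@domain; returns null if the input is not acceptable. */
    static String userPrincipalName(String username, String domain) {
        if (username == null) {
            return null;
        }
        if (username.contains("@")) {
            // Already a UPN. Accept it only for the configured domain, otherwise a
            // user could steer the bind at any other domain the DC trusts.
            String lower = username.toLowerCase(Locale.ROOT);
            String suffix = "@" + domain.toLowerCase(Locale.ROOT);
            if (lower.endsWith(suffix) && lower.length() > suffix.length()
                    && SAM_ACCOUNT_NAME.matcher(username.substring(0, username.length() - suffix.length())).matches()) {
                return username;
            }
            return null;
        }
        return SAM_ACCOUNT_NAME.matcher(username).matches() ? username + "@" + domain : null;
    }

    /**
     * Returns true only if the directory accepted the user's password. Other
     * NamingExceptions (server down, TLS failure) propagate so the caller can report
     * an "unknown" failure rather than "bad credentials", as the original code does.
     */
    public boolean authenticate(String username, char[] password) throws NamingException {
        // RFC 4513 "unauthenticated bind": a name with an EMPTY password is treated by
        // AD as an anonymous bind and the bind SUCCEEDS. With a single bind and no
        // search that would log anyone in as any user, so reject it before connecting.
        if (password == null || password.length == 0) {
            return false;
        }
        String upn = userPrincipalName(username, domain);
        if (upn == null) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn); // UPN instead of a DN
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the one and only bind
            return true;
        } catch (AuthenticationException e) {
            // LDAP result 49. AD appends "data 52e/525/773/..." to the message, which
            // reveals whether the account exists or is locked: log it, never return it.
            return false;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 4) {
            System.err.println("usage: UpnBindAuthenticator <ldaps-url> <domain> <username> <password>");
            System.exit(2);
        }
        boolean ok = new UpnBindAuthenticator(args[0], args[1]).authenticate(args[2], args[3].toCharArray());
        System.out.println(ok ? "bind succeeded" : "bind rejected");
    }
}
```

Two things change when the manager bind goes away: the empty-password check and the UPN validation above become the only things standing between the login form and the directory, and anything the old flow did with managerContext after the user bind (for example a group lookup) has to run on the user's own context instead.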
tooptoop4 (Author) commented:

Do you like the idea @tchiotludo? This login feature is for akhq.

tchiotludo (Contributor) commented:

It's totally possible for akhq (with a PR), but it can be useful for the Micronaut community as well. @sdelamo do you think this makes sense for this project directly?

sdelamo (Contributor) commented Jul 7, 2023

@tchiotludo Please send a PR; I am not 100% sure I follow what you want to change.

tooptoop4 (Author) commented:

It's a single bind instead of two binds.

jonatasvieira commented:

Has anyone solved this? Is there another (less intrusive) alternative?
