doing a bit more LDAP work.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6475 71c3de6d-444a-0410-be80-ed276b4c234a Originally-Committed-As: ad569ef435a46570c0a15331563bc9a1721eeb19
2025-09-07 05:14:24 +02:00 · 2008-01-04 07:13:30 +00:00 · 2008-01-04 07:13:30 +00:00 · dc94954abb
commit dc94954abb
parent 18f05768f4
2 changed files with 54 additions and 2 deletions
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@ -5,7 +5,10 @@ import org.acegisecurity.MockAuthenticationManager;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.DataBoundConstructor;
 import hudson.model.Descriptor;
+import hudson.model.Hudson;
+import hudson.util.spring.BeanBuilder;
 import net.sf.json.JSONObject;
+import groovy.lang.Binding;

 /**
 * {@link SecurityRealm} implementation that uses LDAP for authentication.
@ -13,6 +16,10 @@ import net.sf.json.JSONObject;
 * @author Kohsuke Kawaguchi
 */
 public class LDAPSecurityRealm extends SecurityRealm {
+    /**
+     * LDAP to connect to, and root DN.
+     * String like "ldap://monkeymachine:389/dc=acegisecurity,dc=org"
+     */
    public final String providerUrl;

    @DataBoundConstructor
@ -21,8 +28,12 @@ public class LDAPSecurityRealm extends SecurityRealm {
    }

    public AuthenticationManager createAuthenticationManager() {
-        // TODO
-        return new MockAuthenticationManager(true);
+        Binding binding = new Binding();
+        binding.setVariable("it", this);
+
+        BeanBuilder builder = new BeanBuilder();
+        builder.parse(Hudson.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding);
+        return findBean(AuthenticationManager.class,builder.createApplicationContext());
    }

    public DescriptorImpl getDescriptor() {
--- a/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
@ -0,0 +1,41 @@
+import org.acegisecurity.providers.ProviderManager
+import org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider
+import org.acegisecurity.providers.ldap.LdapAuthenticationProvider
+import org.acegisecurity.providers.ldap.authenticator.BindAuthenticator
+import org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator
+import org.acegisecurity.ldap.DefaultInitialDirContextFactory
+
+/*
+    Configure LDAP as the authentication realm.
+
+    Authentication is performed by doing LDAP bind.
+*/
+
+initialDirContextFactory(DefaultInitialDirContextFactory,it.providerUrl) {
+
+  // if anonymous bind is not allowed --- but what is the use of anonymous bind?
+  // managerDn = "..."
+  // managerPassword="..."
+}
+
+bindAuthenticator(BindAuthenticator,initialDirContextFactory) {
+  userDnPatterns = [
+    "uid={0},ou=people"
+  ]
+}
+authoritiesPopulator(DefaultLdapAuthoritiesPopulator,initialDirContextFactory,"ou=groups") {
+  // groupRoleAttribute = "ou";
+}
+
+authenticationManager(ProviderManager) {
+    providers = [
+        // talk to LDAP
+        bean(LdapAuthenticationProvider,bindAuthenticator,authoritiesPopulator),
+        // this doesn't mean we allow anonymous access.
+        // we just authenticate anonymous users as such,
+        // so that later authorization can reject them if so configured
+        bean(AnonymousAuthenticationProvider) {
+            key = "anonymous"
+        }
+    ]
+}