Query LDAP groups in Spring via LDAPTemplate - Authorization needed and how?


I'm in the process of developing a Spring Boot application that can be connected to an LDAP server for authentication and some (limited) query purposes.

By now, authentication and my needed query works with the Spring embedded LDAP server, BindAuthenticator and org.springframework.ldap.core.LdapTemplate. I need to get all groups, which I successfully accomplish with this code:

    List<String> groups = ldapTemplate.search(
        query().where("objectclass").is("groupOfNames"),
        (AttributesMapper<String>) attributes -> attributes.get("cn").get().toString()
    );

Finally, my question:

I don't have access to my client's LDAP server yet. If I connect to a "real life" LDAP server, I probably can't just query it without credentials, right? Otherwise, anyone could just query the LDAP server if they know the url and port. How do I pass these credentials when using LdapTemplate or Spring in general or even - in general? I can't seem to find anything regarding this topic.

Thank you!
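As an added example (it is not part of the question or the answer, and not Spring's own documentation), this is how the bind credentials asked about above are supplied to LdapTemplate: an LdapContextSource configured with a userDn and password performs a simple bind on behalf of the application, and the group query from the question then runs under that bound identity. The server URL, base DN, service-account DN and the LDAP_BIND_PASSWORD environment variable are assumptions for illustration.

```java
import static org.springframework.ldap.query.LdapQueryBuilder.query;

import java.util.List;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

public class GroupDirectory {

    // Hypothetical deployment values; replace with the client's real server details.
    // ldaps:// keeps the simple-bind password off the wire in clear text.
    static final String LDAP_URL = "ldaps://ldap.example.test:636";
    static final String BASE_DN = "dc=example,dc=test";
    // A dedicated read-only service account, not a personal or admin account.
    static final String SERVICE_DN = "cn=spring-reader,ou=services," + BASE_DN;

    // The bind password comes from the environment (hypothetical variable name),
    // never from source code or a committed properties file.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    // Context source that binds with the service account before every operation.
    static LdapContextSource serviceAccountContextSource() {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(LDAP_URL);
        contextSource.setBase(BASE_DN);
        contextSource.setUserDn(SERVICE_DN);
        contextSource.setPassword(requireEnv("LDAP_BIND_PASSWORD"));
        // false: searches use the bound identity instead of an anonymous connection
        contextSource.setAnonymousReadOnly(false);
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    // The query from the question, restricted to the one attribute it needs.
    static List<String> groupNames(LdapTemplate ldapTemplate) {
        return ldapTemplate.search(
            query().attributes("cn").where("objectclass").is("groupOfNames"),
            (AttributesMapper<String>) attributes ->
                attributes.get("cn") == null ? "" : attributes.get("cn").get().toString());
    }

    public static void main(String[] args) {
        LdapTemplate ldapTemplate = new LdapTemplate(serviceAccountContextSource());
        for (String group : groupNames(ldapTemplate)) {
            System.out.println(group);
        }
    }
}
```

In a Spring Boot application the same LdapContextSource is auto-configured from the spring.ldap.urls, spring.ldap.base, spring.ldap.username and spring.ldap.password properties, so the class above is only needed when the context source is built by hand. Either way, the password of the service account should be injected from the environment or a secrets store, and a simple bind should only go over LDAPS or StartTLS, because the simple bind operation otherwise transmits the password in clear text.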

Answer by flamefrost:

Authentication is performed at the LDAP bind step. The common bind mechanisms are simple bind and SASL bind. The latter is used if you want to employ Kerberos and the like.

This, of course, all depends on the capability of the LDAP server you are connecting to and the LDAP protocol and SASL mechanisms it supports. You can get this information by issuing a search operation against the server's DIT base (or RootDSE, in Active Directory speak) which does not require authentication from the client. For example, if using openldap-clients on Linux,

$ ldapsearch -x -H ldap://domain -b "" -s base

Here:

  • -x stands for anonymous bind
  • -H ldap or AD domain
  • -b specifies DIT root as search base (starting point for ldap search)
  • -s specifies search scope as "base" (limit search to root entry)

It will return a single entry with lots of attributes but the relevant ones are:

  • supportedSASLMechanisms: SASL mechanisms the server supports for LDAP bind
  • supportedLDAPVersion: LDAP protocol version supported by the server. Most common implementations support LDAPv3 nowadays. LDAPv2 is the older protocol.

Sources:

  1. DIT and the LDAP Root DSE
  2. LDAP Bind Operation

I don't have familiarity with Spring so this is general LDAP advice. Spring LDAP should have more concrete information on its LDAP bind APIs and how to employ various authentication mechanisms.
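As an added example (mine, not the answerer's and not Spring's own code), here is the same RootDSE probe as the ldapsearch command above, done from Spring LDAP so the application can check what the client's server offers before choosing a bind mechanism: an anonymous, read-only LdapContextSource with an empty base (the RootDSE lives at the empty DN) and a base-scoped search for supportedSASLMechanisms and supportedLDAPVersion. The server URL is a placeholder.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

public class RootDseProbe {

    // The two RootDSE attributes the answer points at.
    public static final class RootDse {
        public final List<String> saslMechanisms;
        public final List<String> ldapVersions;

        RootDse(List<String> saslMechanisms, List<String> ldapVersions) {
            this.saslMechanisms = Collections.unmodifiableList(saslMechanisms);
            this.ldapVersions = Collections.unmodifiableList(ldapVersions);
        }

        public boolean supportsSasl(String mechanism) {
            return saslMechanisms.contains(mechanism);
        }

        public boolean supportsLdapV3() {
            return ldapVersions.contains("3");
        }
    }

    // Equivalent of "ldapsearch -x -b '' -s base": no credentials, empty base.
    static LdapTemplate anonymousTemplate(String url) {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);
        contextSource.setBase("");
        contextSource.setAnonymousReadOnly(true);
        contextSource.afterPropertiesSet();
        return new LdapTemplate(contextSource);
    }

    // Reads every value of a possibly multi-valued attribute; empty list if absent.
    static List<String> values(Attributes attributes, String name) throws NamingException {
        List<String> out = new ArrayList<>();
        Attribute attribute = attributes.get(name);
        if (attribute == null) {
            return out;
        }
        NamingEnumeration<?> all = attribute.getAll();
        while (all.hasMore()) {
            out.add(String.valueOf(all.next()));
        }
        return out;
    }

    // Base-scoped search for (objectclass=*) at the empty DN returns the RootDSE.
    static RootDse probe(LdapTemplate ldapTemplate) {
        String[] wanted = {"supportedSASLMechanisms", "supportedLDAPVersion"};
        List<RootDse> results = ldapTemplate.search("", "(objectclass=*)",
            SearchControls.OBJECT_SCOPE, wanted,
            (AttributesMapper<RootDse>) attributes -> new RootDse(
                values(attributes, "supportedSASLMechanisms"),
                values(attributes, "supportedLDAPVersion")));
        return results.isEmpty() ? null : results.get(0);
    }

    public static void main(String[] args) {
        // Placeholder URL; pass the real server as the first argument.
        String url = args.length > 0 ? args[0] : "ldap://localhost:389";
        RootDse dse = probe(anonymousTemplate(url));
        if (dse == null) {
            System.out.println("server returned no RootDSE entry");
            return;
        }
        System.out.println("LDAP versions: " + dse.ldapVersions);
        System.out.println("SASL mechanisms: " + dse.saslMechanisms);
        System.out.println("Kerberos (GSSAPI) available: " + dse.supportsSasl("GSSAPI"));
        System.out.println("LDAPv3: " + dse.supportsLdapV3());
    }
}
```

If GSSAPI is listed, the application can use Kerberos instead of holding a long-lived service-account password; if only simple bind is available, the probe result is the cue to insist on LDAPS or StartTLS before configuring the bind credentials. Note that the probe must use a context source whose base is empty: with a base DN set, the search base "" would be resolved relative to that DN and would return the naming context entry rather than the RootDSE.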