Hello,
I was wondering if it were possible to enable a fallback mechanism for login failures in LDAP.
For example:
I log in as “peter”. I get checked against LDAP; if not valid, then I check the hashes in the database.
Is it feasible?
Should I implement a LoginFailureEvent component (any suggestions on how to do that would be appreciated)?
Thank you
Hi,
First of all, it is not a secure way. You will always send passwords to LDAP even if the actual password is stored in the system.
In case you want to simply allow administrators to use the system without LDAP login, you have to specify their logins in the cuba.web.standardAuthenticationUsers application property:

    cuba.web.standardAuthenticationUsers = admin,systemadmin

Also, you could implement your own option for the user, something like an Authentication Type attribute that will be checked before sending passwords to LDAP or to the backend.
If you really want to implement fallback, you have to override the standard LDAP login provider in the Web Client.
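
    package com.company.ldapfallback.web;

    import com.haulmont.cuba.security.auth.AuthenticationDetails;
    import com.haulmont.cuba.security.auth.Credentials;
    import com.haulmont.cuba.security.auth.LoginPasswordCredentials;
    import com.haulmont.cuba.security.global.LoginException;
    import com.haulmont.cuba.web.security.providers.LdapLoginProvider;
    import org.slf4j.Logger;

    import javax.annotation.Nullable;
    import javax.inject.Inject;

    public class CustomLdapLoginProvider extends LdapLoginProvider {
        @Inject
        private Logger log;

        @Nullable
        @Override
        public AuthenticationDetails login(Credentials credentials) throws LoginException {
            try {
                // try LDAP first
                return super.login(credentials);
            } catch (LoginException e) {
                log.warn("Unable to login with LDAP {}, fall back to standard auth",
                        ((LoginPasswordCredentials) credentials).getLogin());
                // allow LoginPasswordLoginProvider perform login
                return null;
            }
        }
    }
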
And register it in web-spring.xml:

    <bean id="cuba_LdapLoginProvider"
          class="com.company.ldapfallback.web.CustomLdapLoginProvider"/>

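The "Authentication Type" attribute suggested in the answer above, sketched as an added example that is not part of the original post and is not CUBA code: the backend is chosen from the user's attribute before any password is sent, and a rejection is final. Every class, method and login name here is hypothetical, and the sample users and salt are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example; every name here is hypothetical and none of it is CUBA API.
public class AuthTypeRouter {
    enum AuthType { LDAP, LOCAL }

    interface Backend { boolean verify(String login, char[] password) throws GeneralSecurityException; }

    private final Map<String, AuthType> authTypeByLogin; // stands in for the per-user attribute
    private final Map<AuthType, Backend> backends;

    AuthTypeRouter(Map<String, AuthType> authTypeByLogin, Map<AuthType, Backend> backends) {
        this.authTypeByLogin = authTypeByLogin;
        this.backends = backends;
    }

    // The attribute is read before any password leaves the application,
    // and a rejection from the selected backend is final (no fallback).
    boolean login(String login, char[] password) throws GeneralSecurityException {
        AuthType type = authTypeByLogin.get(login);
        Backend backend = (type == null) ? null : backends.get(type);
        return backend != null && backend.verify(login, password);
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample data: "peter" is an LDAP user, "admin" a local one.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        byte[] adminHash = pbkdf2("local-secret".toCharArray(), salt);
        List<String> sentToLdap = new ArrayList<>();
        // Simulated directory that records what it receives and rejects everything.
        Backend ldap = (login, pw) -> { sentToLdap.add(login); return false; };
        Backend local = (login, pw) -> login.equals("admin") && MessageDigest.isEqual(pbkdf2(pw, salt), adminHash);
        AuthTypeRouter router = new AuthTypeRouter(
                Map.of("peter", AuthType.LDAP, "admin", AuthType.LOCAL),
                Map.of(AuthType.LDAP, ldap, AuthType.LOCAL, local));
        System.out.println(router.login("admin", "local-secret".toCharArray())); // verified against the local hash only
        System.out.println(router.login("peter", "local-secret".toCharArray())); // LDAP rejects, local hash is not tried
        System.out.println(router.login("mallory", "x".toCharArray()));          // unknown login, password sent nowhere
        System.out.println(sentToLdap); // logins whose password reached the directory
    }
}
```

It needs Java 9 or later because of `Map.of`.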
Hi Yuriy,
I never stop enjoying how nice, customizable and coherent this whole ecosystem you put together is.
Thank you