LDAP Login fallback

I was wondering if it were possible to enable a fallback mechanism for login failures in LDAP.
For example:
I log in as “peter”. I get checked against LDAP; if not valid, then I check the hashes in the database.
Is it feasible?
Should I implement a LoginFailureEvent component (any suggestions on how to do that would be appreciated)?
Thank you


First of all, it is not a secure way. You will always send passwords to LDAP even if the actual password is stored in the system.

In case you want to simply allow administrators to use the system without LDAP login, you have to specify their logins in the cuba.web.standardAuthenticationUsers application property:

cuba.web.standardAuthenticationUsers = admin,systemadmin

Also, you could implement your own option for a user, something like an Authentication Type attribute that will be checked before sending passwords to LDAP or to the backend.

If you really want to implement fallback, you have to override the standard LDAP login provider in the Web Client.

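import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class CustomLdapLoginProvider extends LdapLoginProvider {
    // Initialize the logger; an unassigned field would throw NullPointerException in the catch block
    private final Logger log = LoggerFactory.getLogger(CustomLdapLoginProvider.class);

    @Override
    public AuthenticationDetails login(Credentials credentials) throws LoginException {
        try {
            // Try LDAP authentication first
            return super.login(credentials);
        } catch (LoginException e) {
            log.warn("Unable to login with LDAP {}, fall back to standard auth",
                    ((LoginPasswordCredentials) credentials).getLogin());
            // allow LoginPasswordLoginProvider perform login
            return null;
        }
    }
}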

And register it in web-spring.xml:

<bean id="cuba_LdapLoginProvider"
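
The Authentication Type option suggested above, as an added example that is not part of the original post or of CUBA itself: each login is routed to exactly one backend, so local passwords never reach LDAP and a failed LDAP login does not fall back to the database. AuthTypeRouter, AuthType and the two check callbacks are hypothetical names standing in for the real LDAP bind and database hash check.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.BiPredicate;

/** Hypothetical sketch: route each login to exactly one backend by a per-user attribute. */
public class AuthTypeRouter {
    public enum AuthType { LDAP, LOCAL }

    private final Map<String, AuthType> authTypes;          // login -> Authentication Type attribute
    private final BiPredicate<String, String> ldapCheck;    // stands in for the LDAP bind
    private final BiPredicate<String, String> localCheck;   // stands in for the database hash check

    public AuthTypeRouter(Map<String, AuthType> authTypes,
                          BiPredicate<String, String> ldapCheck,
                          BiPredicate<String, String> localCheck) {
        this.authTypes = authTypes;
        this.ldapCheck = ldapCheck;
        this.localCheck = localCheck;
    }

    /** Returns the backend that accepted the login, or empty if it was rejected. */
    public Optional<AuthType> authenticate(String login, String password) {
        AuthType type = authTypes.get(login);
        if (type == null) {
            return Optional.empty();            // unknown login: the password goes nowhere
        }
        // Exactly one backend sees the password; a failure is final, with no fallback.
        boolean ok = (type == AuthType.LDAP ? ldapCheck : localCheck).test(login, password);
        return ok ? Optional.of(type) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data; the lambdas record which backend received a password.
        StringBuilder seen = new StringBuilder();
        AuthTypeRouter router = new AuthTypeRouter(
                Map.of("peter", AuthType.LDAP, "admin", AuthType.LOCAL),
                (l, p) -> { seen.append("ldap:").append(l).append(' '); return p.equals("ldap-pw"); },
                (l, p) -> { seen.append("local:").append(l).append(' '); return p.equals("local-pw"); });

        System.out.println(router.authenticate("admin", "local-pw"));  // local account, LDAP not contacted
        System.out.println(router.authenticate("peter", "wrong"));     // LDAP rejects, no database fallback
        System.out.println(router.authenticate("nobody", "x"));        // unknown login, no backend contacted
        System.out.println("passwords sent to: " + seen);
    }
}
```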

Hi Yuriy,
I never stop enjoying how nice and customizable and coherent this whole ecosystem you put together is.
Thank you