Mapping CUBA and LDAP users

Hello,

I am trying to use LDAP in my application.

We have migrated existing data from a legacy application to a new CUBA application. In the old one we have existing users that are migrated to sec$User objects.
These users are mapped to users from an Active Directory. For each sec$User the GUID of the Active Directory user is stored.

In CUBA there seems to be the restriction that the username in CUBA and LDAP must be the same. Is there a possibility to implement a mapping of the users?
Changing the existing usernames so that the names in CUBA and LDAP are the same is not possible at the moment.

I think extending DefaultConnection could work:


import java.util.Locale;

import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.DefaultConnection;

class MyDefaultConnection extends DefaultConnection {

    @Override
    public void loginAfterExternalAuthentication(String login, Locale locale) throws LoginException {
        // translate the LDAP login (Windows account name) to the login of the matching sec$User
        String username = findCubaUsernameByLdapLogin(login);
        super.loginAfterExternalAuthentication(username, locale);
    }

    protected String findCubaUsernameByLdapLogin(String login) {
        // do some magic: look up the sec$User that stores this account's AD GUID
        throw new UnsupportedOperationException("lookup not implemented yet");
    }
}

Is this a feasible approach?
Can you think of a smarter solution?

Thanks in advance!

Yours,
Joerg

Hi,

Since CUBA 6.3 you can tune the cuba.web.ldap.userLoginField application property: the name of the LDAP user attribute that is matched against the login name.

If this option is insufficient, you can extend LdapAuthProvider and override the method buildPersonFilter(String login), where you can load the User object from the database using DataManager and create a custom Spring LDAP filter. Your custom implementation of AuthProvider should be specified in the cuba.web.externalAuthenticationProviderClass application property.

See also: https://doc.cuba-platform.com/manual-6.3/ldap.html
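An added example of the buildPersonFilter approach described above (this is illustration code, not CUBA's own source): the user types the CUBA login, the provider loads the sec$User row with DataManager, and the LDAP person filter matches the Active Directory object by the stored GUID instead of by the login-name attribute. Assumptions beyond the reply: a hypothetical extended user entity ExtUser with a String attribute adGuid holding the GUID in its usual textual form, buildPersonFilter returning org.springframework.ldap.filter.Filter, and the CUBA 6.x package names shown in the imports.

```java
package com.company.demo.web.auth;

import com.company.demo.entity.ExtUser;            // hypothetical: sec$User extended with the AD GUID
import com.haulmont.cuba.core.global.AppBeans;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.LoadContext;
import com.haulmont.cuba.web.auth.LdapAuthProvider;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.Filter;
import org.springframework.ldap.filter.HardcodedFilter;
import org.springframework.ldap.filter.NotFilter;
import org.springframework.ldap.filter.PresentFilter;

import java.util.UUID;

/**
 * Added example, not CUBA's own code: the typed login selects the sec$User,
 * the stored Active Directory GUID selects the AD object, and the LDAP bind
 * is done against that object rather than against the login-name attribute.
 */
public class GuidMappingLdapAuthProvider extends LdapAuthProvider {

    @Override
    protected Filter buildPersonFilter(String login) {
        ExtUser user = loadUserByLogin(login);
        if (user == null || user.getAdGuid() == null) {
            // Fail closed: an unknown or unmapped CUBA login must not fall back to
            // matching by name, so return a filter that matches no AD entry.
            return new NotFilter(new PresentFilter("objectClass"));
        }
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectClass", "person"));
        // objectGUID is binary in AD; EqualsFilter would escape the backslashes again,
        // so the already-escaped octet form goes in verbatim.
        filter.and(new HardcodedFilter("(objectGUID=" + encodeObjectGuid(user.getAdGuid()) + ")"));
        return filter;
    }

    /** Loads the extended user by login via DataManager (ExtUser.adGuid is an assumed attribute). */
    protected ExtUser loadUserByLogin(String login) {
        DataManager dataManager = AppBeans.get(DataManager.NAME);
        LoadContext<ExtUser> ctx = LoadContext.create(ExtUser.class)
                .setQuery(LoadContext.createQuery(
                        "select u from sec$User u where u.loginLowerCase = :login")
                        .setParameter("login", login.toLowerCase()));
        return dataManager.load(ctx);
    }

    /**
     * Encodes a textual GUID (e.g. 3f2504e0-4f89-11d3-9a0c-0305e82c3301) as the
     * \xx-escaped octet string AD compares objectGUID against. AD stores the first
     * three groups little-endian, so their bytes are swapped relative to the text.
     */
    static String encodeObjectGuid(String guidText) {
        UUID uuid = UUID.fromString(guidText);      // rejects anything that is not a GUID
        long msb = uuid.getMostSignificantBits();
        long lsb = uuid.getLeastSignificantBits();
        byte[] be = new byte[16];                   // bytes in textual (big-endian) order
        for (int i = 0; i < 8; i++) {
            be[i] = (byte) (msb >>> (56 - 8 * i));
            be[8 + i] = (byte) (lsb >>> (56 - 8 * i));
        }
        int[] adOrder = {3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15};
        StringBuilder sb = new StringBuilder(48);
        for (int idx : adOrder) {
            sb.append(String.format("\\%02x", be[idx] & 0xff));
        }
        return sb.toString();
    }
}
```

To activate it, set cuba.web.externalAuthentication = true and cuba.web.externalAuthenticationProviderClass = com.company.demo.web.auth.GuidMappingLdapAuthProvider in web-app.properties. Two points worth checking in a review of such a provider: the typed login only reaches the database as a bound query parameter, and the only value spliced into the LDAP filter string is the stored GUID after UUID.fromString has validated it, so untrusted input never shapes the filter; and an unmapped login yields a filter that matches nothing rather than silently falling back to name matching. Note that after a successful bind CUBA still logs in under the login the user typed, so this variant requires the CUBA login, not the Windows one, at the login screen.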

Hi Yuriy,

thanks for your reply.
Our requirement is that the user logs in with his LDAP username (= Windows login). Your solution requires using the login name from CUBA and the password from LDAP.

Extending DefaultConnection basically works. But it seems not to work for the REST API. Is there a general callback for UI and REST?

Yours,
Joerg

There is only a single point of authentication, LoginService, but it is not recommended to define custom auth logic there, since it can be used by non-user logic, e.g. schedulers, integrations, etc.

Currently, we do not support AuthProviders for REST, but you can override the bean with id userAuthenticationProvider in your REST-API Spring context.

To override userAuthenticationProvider follow these steps:

  1. Create the file web-rest-dispatcher-spring.xml in your web module in the root package.

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-4.2.xsd">
    <bean id="userAuthenticationProvider" class="com.company.demo.rest.CustomUserAuthenticationProvider"/>
</beans>

  2. Register this file in web-app.properties:

cuba.restSpringContextConfig = +com/company/demo/web-rest-dispatcher-spring.xml

  3. Implement your CustomUserAuthenticationProvider:

package com.company.demo.rest;

import com.haulmont.restapi.auth.CubaUserAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomUserAuthenticationProvider extends CubaUserAuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // custom REST-API authentication logic goes here; the default check is delegated to the parent
        return super.authenticate(authentication);
    }
}

There you will be able to perform custom authentication logic for REST-API.

Thanks for the quick reply.

So authentication using LDAP or IdP (SSO) will not work with the REST API?

You are writing that “Currently, we do not support AuthProviders for REST”. Does it mean you have plans to implement it?
Is it already scheduled for a future release?
Would it help to create an idea topic in the forum?

I hesitate to extend CubaUserAuthenticationProvider now, since it would mean duplicating much of the code from LoginWindow and DefaultConnection.

In the short term we can handle it using local users for REST. But in the medium term a solution for REST that supports LDAP and SSO would be important to us.

Yours,
Joerg

I think it is a really useful feature. I’ve created an issue; initially it is targeted at Release 6.5.

https://youtrack.cuba-platform.com/issue/PL-8477

Thanks a lot!
