We have migrated existing data from a legacy application to a new CUBA application. In the old one we have existing users that are migrated to sec$User objects.
These users are mapped to users from an active directory. For each sec$User the guid for the active directory user is stored.
In CUBA there seems to be the restriction that the username in CUBA and LDAP must be the same. Is there a possibility to implement a mapping of the users?
Changing the existing username so that the names in cuba and ldap are the same is not possible at the moment.
I think extending DefaultConnection could work:
    class MyDefaultConnection extends DefaultConnection {
        @Override
        public void loginAfterExternalAuthentication(String login, Locale locale) throws LoginException {
            String username = findCubaUsernameByLdapLogin(login)
            super.loginAfterExternalAuthentication(username, locale)
        }

        protected String findCubaUsernameByLdapLogin(String login) {
            // do some magic
        }
    }
Is this a feasible approach?
Can you think of a smarter solution?
Since CUBA 6.3 you can tune the cuba.web.ldap.userLoginField application property - the name of an LDAP user attribute that is used for matching the login name.
If this option is insufficient then you can extend LdapAuthProvider and override the method buildPersonFilter(String login), where you will be able to load the User object from the database using DataManager and create a custom Spring LDAP filter. Your custom implementation of AuthProvider should be specified in the cuba.web.externalAuthenticationProviderClass application property.
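For the buildPersonFilter approach described in the reply above, here is an added example (not CUBA's code and not from the original posts) of building the LDAP filter strings such an override could produce. It assumes the guid stored per user is the Active Directory objectGUID in its usual string form; the class and method names are hypothetical and only the JDK is used.

```java
import java.util.UUID;

public class GuidPersonFilter {

    // Escape a user-supplied value for an LDAP filter (RFC 4515), so that
    // characters such as '*' or ')' cannot change the filter's structure.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Convert a GUID string into the escaped 16-byte value an objectGUID
    // filter needs. AD stores the first three GUID fields little-endian.
    static String guidToFilterValue(String guid) {
        UUID u = UUID.fromString(guid); // throws IllegalArgumentException if unparsable
        long msb = u.getMostSignificantBits(), lsb = u.getLeastSignificantBits();
        int[] shifts = {32, 40, 48, 56, 16, 24, 0, 8};
        StringBuilder sb = new StringBuilder();
        for (int s : shifts) sb.append(String.format("\\%02x", (msb >>> s) & 0xff));
        for (int s = 56; s >= 0; s -= 8) sb.append(String.format("\\%02x", (lsb >>> s) & 0xff));
        return sb.toString();
    }

    // Filter that finds the directory entry by the GUID stored for the user.
    static String filterByGuid(String guid) {
        return "(&(objectClass=person)(objectGUID=" + guidToFilterValue(guid) + "))";
    }

    // Filter by login; 'attribute' comes from configuration, 'login' from the user.
    static String filterByLogin(String attribute, String login) {
        return "(&(objectClass=person)(" + attribute + "=" + escapeFilterValue(login) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        System.out.println(filterByGuid("00112233-4455-6677-8899-aabbccddeeff"));
        System.out.println(filterByLogin("sAMAccountName", "j.doe (admin)*"));
    }
}
```

Spring LDAP's filter classes encode plain string values themselves; the manual escaping here only matters when a filter is assembled as a raw string.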
Thanks for your reply.
Our requirement is that the user logs in with his LDAP username (= Windows login). Your solution requires using the login name from CUBA and the password from LDAP.
Extending DefaultConnection basically works. But it seems not to work for the REST API. Is there a general callback for UI and REST?
There is only one single point of Authentication called LoginService, but it is not recommended to define custom auth logic there, since it can be used by non-user logic, e.g. schedulers, integrations, etc.
Currently, we do not support AuthProviders for REST, but you can override the bean with id userAuthenticationProvider in your REST-API Spring Context.
To override userAuthenticationProvider follow these steps:
Create the file web-rest-dispatcher-spring.xml in your web module in the root package.
So authentication using LDAP or IdP (SSO) will not work with the REST API?
You are writing that “Currently, we do not support AuthProviders for REST”. Does it mean you have plans to implement it?
Is it already scheduled for a future release?
Would it help to create an idea topic in the forum?
I hesitate to extend CubaUserAuthenticationProvider now since it would mean duplicating much of the code from LoginWindow and DefaultConnection.
In the short term we can handle using local users for REST. But in the medium term a solution for REST that supports LDAP and SSO would be important to us.