(Quick Reference)

3 Configuration - Reference Documentation

Authors: Burt Beckwith

Version: 2.0.1

3 Configuration

Any property overrides must be specified in grails-app/conf/Config.groovy using the grails.plugin.springsecurity suffix, for example
grails.plugin.springsecurity.ldap.search.searchSubtree = true

There are several configuration options for the LDAP plugin. In practice the defaults are fine and only a few will need to be overridden.

NameDefaultMeaning
ldap.search.searchSubtreetrueIf true then searches the entire subtree as identified by context, if false (the default) then only searches the level identified by the context.
ldap.search.base''Context name to search in, relative to the base of the configured ContextSource, e.g. 'dc=example,dc=com', 'ou=users,dc=example,dc=com'
ldap.search.filter'(uid={0})'The filter expression used in the user search
ldap.search.derefLinkfalseEnables/disables link dereferencing during the search
ldap.search.timeLimit0 (unlimited)The time to wait before the search fails
ldap.search. attributesToReturnnull (all)The attributes to return as part of the search
ldap.authenticator.useBindtrueif true uses a BindAuthenticator to bind as the authenticating user, if false uses a PasswordComparison Authenticator to lookup the user login name and compare passwords
ldap.authenticator. attributesToReturnnull (all)names of attribute ids to return; use null to return all and an empty list to return none
ldap.authenticator. dnPatternsnull (none)optional pattern(s) used to create DN search patterns, e.g. ["cn={0},ou=people"]
ldap.authenticator. passwordAttributeName'userPassword'the name of the password attribute to use when useBind = false
ldap.mapper. convertToUpperCasetruewhether to uppercase retrieved role names (will also be prefixed with "ROLE_")
ldap.mapper. passwordAttributeName'userPassword'password attribute name to use when building the UserDetails
ldap.mapper. userDetailsClassnull (create an LdapUserDetailsImpl)use 'person' to create a Person, 'inetOrgPerson' to create an InetOrgPerson, or null to create an LdapUserDetailsImpl
ldap.mapper.roleAttributesnulloptional names of role attributes
ldap.auth. hideUserNotFound Exceptionstrueif true throw a new BadCredentialsException, otherwise throw the original UsernameNotFoundException
ldap.auth.useAuthPasswordtrueIf true use the supplied password as the credentials in the authenticationtoken, otherwise obtain the password from the UserDetails object (it may not be possible to read the password from the directory)
ldap.context.managerDn'cn=admin,dc=example, dc=com'DN to authenticate with
ldap.context. managerPassword'secret'username to authenticate with
ldap.context.server'ldap://localhost:389'address of the LDAP server
ldap.context. contextFactoryClassNamecom.sun.jndi. ldap. LdapCtxFactoryclass name of the InitialContextFactory to use
ldap.context. dirObjectFactoryClassNameDefaultDirObjectFactoryclass name of the DirObjectFactory to use
ldap.context. baseEnvironmentPropertiesnoneextra context properties
ldap.context. cacheEnvironmentPropertiestruewhether environment properties should be cached between requsts
ldap.context. anonymousReadOnlyfalsewhether an anonymous environment should be used for read-only operations
ldap.context.referralnull ('ignore')the method to handle referrals. Can be 'ignore' or 'follow' to enable referrals to be automatically followed
ldap.authorities. retrieveGroupRolestruewhether to infer roles based on group membership
ldap.authorities. retrieveDatabaseRolesfalsewhether to retrieve additional roles from the database using the User/Role many-to-many
ldap.authorities. groupRoleAttribute'cn'The ID of the attribute which contains the role name for a group
ldap.authorities. groupSearchFilter'uniquemember={0}'The pattern to be used for the user search. {0} is the user's DN
ldap.authorities. searchSubtreetrueIf true a subtree scope search will be performed, otherwise a single-level search is used
ldap.authorities. groupSearchBase'ou=groups, dc=example, dc=com'The base DN from which the search for group membership should be performed
ldap.authorities. ignorePartialResult ExceptionfalseWhether PartialResultExceptions should be ignored in searches, typically used with Active Directory since AD servers often have a problem with referrals.
ldap.authorities.defaultRolenoneAn optional default role to be assigned to all users
ldap.authorities.prefix'ROLE_'The prefix prepended to group names in order to make them Spring Security Roles. Changing this is NOT recommended as it can have unforseen consequences within the security filters.
ldap.authorities.clean.prefixnoneAn optional string prefix to strip from the beginning of LDAP group names. For example, 'EnHS-' will change EnHS-Staff-All to ROLE_Staff-All
ldap.authorities.clean.suffixnoneAn optional string suffix to strip from the end of LDAP group names. For example, 'Group' will change Faculty Group to ROLE_Faculty
ldap.authorities.clean.dashesfalseSet this to true to replace all dashes with underscores in LDAP group names. For example, Staff-All will become ROLE_Staff_All
ldap.authorities.clean.uppercasefalseSet this to true to uppercase all LDAP group names. For example, My_Ldap_Group will become ROLE_MY_LDAP_GROUP

Persistent Logins

To use cookies for persistent logins, configure these properties:

Just like with non-LDAP persistent tokens, you need to run the s2-create-persistent-token script to create a persistent login domain class and enable the feature.

NameDefaultMeaning
ldap.useRememberMefalseWhether to use persistent logins
ldap.rememberMe.detailsManager. attributesToRetrievenull (all)The attributes to return as part of the search
ldap.rememberMe.detailsManager. groupMemberAttributeName'uniquemember'The attribute which contains members of a group
ldap.rememberMe.detailsManager. groupRoleAttributeName'cn'The attribute which corresponds to the role name of a group
ldap.rememberMe.detailsManager. groupSearchBase'ou=groups,dc=example,dc=com'The DN under which groups are stored
ldap.rememberMe.detailsManager. passwordAttributeName'userPassword'Password attribute name
ldap.rememberMe.usernameMapper. userDnBasenone, must be set, e.g. 'dc=example,dc=com', 'ou=users,dc=example,dc=com'The base name of the DN
ldap.rememberMe.usernameMapper. usernameAttributenone, must be set, e.g. 'cn'the attribute to append for the username component