This is a simple dropwizard-auth module using Basic-Auth + LDAP for authentication. This is the module that internal tools at Yammer use to authenticate users.
Note: This module has only been subjected to the traffic of our engineering team. We have not used it for high-traffic authentication, nor tuned the JNDI connection pool for that.
<dependency>
<groupId>com.yammer.dropwizard</groupId>
<artifactId>dropwizard-auth-ldap</artifactId>
<version>1.0.0</version>
</dependency>
0.0.x releases will contain bug and security fixes only. 0.1.x and beyond will support Dropwizard 0.7+.
LdapConfiguration configuration = new LdapConfiguration();
LdapAuthenticator authenticator = new LdapAuthenticator(configuration);
authenticator.authenticate(new BasicCredentials("user", "password"));
I assume you are already familiar with dropwizard's authentication module. You can find more information about dropwizard authentication at http://www.dropwizard.io/manual/auth.html
Here is an example of how to add LdapAuthenticator, wrapped in a CachingAuthenticator, to your service:
@Override
public void run(Configuration configuration, Environment environment) throws Exception {
    LdapConfiguration ldapConfiguration = configuration.getLdapConfiguration();
    // Cache successful authentications according to cachePolicy so that not every
    // request results in an LDAP bind.
    Authenticator<BasicCredentials, BasicCredentials> ldapAuthenticator = new CachingAuthenticator<>(
            environment.metrics(),
            new ResourceAuthenticator(new LdapAuthenticator(ldapConfiguration)),
            ldapConfiguration.getCachePolicy());
    environment.jersey().register(AuthFactory.binder(new BasicAuthFactory<>(ldapAuthenticator, "realm", BasicCredentials.class)));
    // Report the LDAP server as unhealthy when a bind is no longer possible.
    environment.healthChecks().register("ldap",
            new LdapHealthCheck<>(new ResourceAuthenticator(new LdapCanAuthenticate(ldapConfiguration))));
}
Make sure to register your resources. Example:
environment.jersey().register(new YourResource());
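The run() method above assumes a configuration class with a getLdapConfiguration() accessor and a resource that requires authentication, neither of which the snippet shows. The following is an added example (not code from the dropwizard-auth-ldap project) of both pieces. The class names ExampleConfiguration and WhoAmIResource, the YAML key "ldap", and the package com.yammer.dropwizard.authenticator for LdapConfiguration are this example's assumptions.

```java
// Added example, not part of dropwizard-auth-ldap: a Dropwizard configuration
// class that exposes the LDAP settings, and a resource protected with @Auth.
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.yammer.dropwizard.authenticator.LdapConfiguration; // assumed package
import io.dropwizard.Configuration;
import io.dropwizard.auth.Auth;
import io.dropwizard.auth.basic.BasicCredentials;

public class ExampleConfiguration extends Configuration {

    // The LDAP block of the service's YAML file lives under the "ldap" key
    // (assumed key name); @Valid/@NotNull make Dropwizard reject a config file
    // that omits it instead of starting without authentication settings.
    @Valid
    @NotNull
    @JsonProperty("ldap")
    private LdapConfiguration ldapConfiguration = new LdapConfiguration();

    public LdapConfiguration getLdapConfiguration() {
        return ldapConfiguration;
    }
}

// Register with environment.jersey().register(new WhoAmIResource()) in run().
@Path("/whoami")
@Produces(MediaType.TEXT_PLAIN)
class WhoAmIResource {

    // @Auth causes the BasicAuthFactory registered in run() to run first:
    // a request without valid LDAP credentials is answered with 401 and never
    // reaches this method. The principal type matches the class passed to
    // BasicAuthFactory (BasicCredentials in the example above).
    @GET
    public String whoAmI(@Auth BasicCredentials user) {
        return "authenticated as " + user.getUsername();
    }
}
```

Note that the resource above receives the principal produced by the caching authenticator, so a cached entry serves repeated requests from the same user until the cachePolicy expires it; the LDAP server is consulted again only after that.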
uri: ldaps://myldap.com:636
cachePolicy: maximumSize=10000, expireAfterWrite=10m
userFilter: ou=people,dc=yourcompany,dc=com
groupFilter: ou=groups,dc=yourcompany,dc=com
userNameAttribute: cn
groupNameAttribute: cn
groupMembershipAttribute: memberUid
groupClassName: posixGroup
restrictToGroups:
- user
- admin
- bots
connectTimeout: 500ms
readTimeout: 500ms
negotiateTls: true
Note: You can set groupClassName to groupOfNames and groupMembershipAttribute to member to search for group membership using the full userDN.
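To make concrete what the two membership schemes above mean in LDAP terms, here is an added example (not the library's own query code, which may differ) that builds the group-membership search filter from the configuration values groupClassName and groupMembershipAttribute and runs it below the groupFilter base. The class name GroupMembershipFilters and the sample user values are this example's own; the user-supplied value is escaped per RFC 4515 so that a user name containing filter metacharacters cannot change the meaning of the query.

```java
// Added example, not part of dropwizard-auth-ldap: group-membership lookup for
// the posixGroup/memberUid and groupOfNames/member schemes from the README.
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class GroupMembershipFilters {

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Build the filter that selects the groups a user is a member of.
     * groupClassName and membershipAttribute come from the configuration;
     * memberValue is the bare user name for posixGroup/memberUid or the
     * user's full DN for groupOfNames/member.
     */
    static String groupsOfFilter(String groupClassName, String membershipAttribute, String memberValue) {
        return "(&(objectClass=" + escapeFilterValue(groupClassName) + ")("
                + membershipAttribute + "=" + escapeFilterValue(memberValue) + "))";
    }

    /**
     * Run the filter against an already-bound DirContext under the groupFilter
     * base (e.g. ou=groups,dc=yourcompany,dc=com) and return the values of
     * groupNameAttribute (cn in the README configuration).
     */
    static List<String> groupsOf(DirContext ctx, String groupBase, String groupNameAttribute, String filter)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { groupNameAttribute });
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(groupBase, filter, controls);
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                if (r.getAttributes().get(groupNameAttribute) != null) {
                    groups.add(String.valueOf(r.getAttributes().get(groupNameAttribute).get()));
                }
            }
        } finally {
            results.close();
        }
        return groups;
    }

    public static void main(String[] args) {
        // Scheme 1 (README default): posixGroup groups list members by user name.
        System.out.println(groupsOfFilter("posixGroup", "memberUid", "jdoe"));

        // Scheme 2 (the note above): groupOfNames groups list members by full DN,
        // built from userNameAttribute and the userFilter base.
        System.out.println(groupsOfFilter("groupOfNames", "member",
                "cn=jdoe,ou=people,dc=yourcompany,dc=com"));

        // A constructed user name carrying filter metacharacters is escaped
        // rather than interpreted, so it can only ever match a literal value.
        System.out.println(groupsOfFilter("posixGroup", "memberUid", "jdoe)(cn=*"));
    }
}
```

The list returned by groupsOf is what a restrictToGroups check compares against: a user is admitted only if at least one returned group name appears in that list.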
Check the Changelog for detailed updates.
For bugs, questions, and discussions please use the GitHub Issues.