If you're using Microsoft Active Directory (MSAD), the tips on this page may help you. MSAD can be accessed via LDAP so the instructions in Changing to the LDAP Security DAO are applicable and should be consulted first.
MSAD allows you to uniquely specify users in two ways, in addition to the standard DN. If you're not having luck with the standard DN, give one of the two below a try. Each of the examples below is shown in the context of the
userDn property of the Spring Security
Note: The examples in this Binding section show the
contextSourcebean. Be aware that you may need to use the same notation (i.e. Kerberos or Windows domain) in your user DN patterns (in the
Windows domain notation
If more than one Active Directory instance is serving directory information, it may be necessary to enable referral following. This is done by modifying the
contextSource bean. Basically you create a map (via the
<map> element) and set that as the
extraEnvVars property value. The map below has a single entry. The key part of the entry below matches the
REFERRAL constant defined in the Context class. The value part in the entry is one of the following:
throw. (These values are also defined in the javadoc for the REFERRAL constant.
User DN Patterns vs. User Searches
LdapAuthenticator implementations provided by Spring Security (e.g.
BindAuthenticator), you must either specify a
userDnPatterns, or a
userSearch, or both. If you're using the Kerberos or Windows domain notation, you should use
userDnPatterns exclusively in your
Note: The reason that
userDnPatternsis suggested when using Kerberos or Windows domain notation is that the
LdapUserSearchimplementations do not give the control over the DN that
LdapUserSearchimplementations try to derive the DN in the standard format, which may or may not work in Active Directory.)
User DN Patterns
sAMAccountName attribute should be used as the username in user searches. The
searchSubtree property (which influences the SearchControls) should most likely be true. Otherwise, it searches the specified base plus one level down.
Group names in the security configuration
Depending on your Active Directory configuration, you also need to change the group names of authorized users in