OpenEdge domains in LDAP configurations
- Last Updated: August 18, 2021
- OpenEdge
- Version 12.2
- Documentation
Spring Security LDAP configuration details will almost always be unique to each individual enterprise; however, the following will give you information about configuring OpenEdge domains in the directory service so that the OEClientPrincipalFilter bean can find and use them.
Each LDAP directory service has a schema that defines its objects and object attributes. Different directory service implementations may vary in the objects and object attributes they support. Examples of different directory services are:
- Apache Directory Service
- Windows Active Directory
- OpenLDAP
An OpenEdge domain will be just another LDAP group object that contains a list of the user accounts (Distinguished Names) who are members of that group, and who are entitled to the access associated with the group. The difference is that the LDAP group’s name will be based on the name pattern you defined in the previous sections.
For example, directory service administrators use the LDAP groupOfUniqueNames objects as user account roles, where each group member’s user account is in a uniqueMember attribute. The directory service’s hierarchical object space might look like the following:
In this simple example, the user account acmeuser1 is in the domain acme. This occurs because a group is defined with the name OED:acme, and the user account for acmeuser1 is a member of that group. Therefore, when Spring Security authenticates acmeuser1, it will see that acmeuser1 is a member of ROLE_OED:acme. The role supplies the domain name acme for creating a client-principal’s domain-name field.
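The group-to-domain mapping described above, as an added Python illustration (not OpenEdge or Spring Security code): it parses a constructed LDIF sample and derives the roles and the domain for acmeuser1. The base DN dc=example,dc=com, the ou names, the staff group, and all function names are assumptions.

```python
# Added illustration; constructed sample directory (base DN, ou names, staff group are assumptions).
SAMPLE_LDIF = """\
dn: uid=acmeuser1,ou=users,dc=example,dc=com
objectClass: account
uid: acmeuser1

dn: cn=OED:acme,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: OED:acme
uniqueMember: uid=acmeuser1,ou=users,dc=example,dc=com

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: staff
uniqueMember: UID=acmeuser1, OU=users, DC=example, DC=com
"""

DOMAIN_PREFIX = "OED:"   # group-name pattern used in the page's example
ROLE_PREFIX = "ROLE_"    # role prefix shown in the page's example

def parse_ldif(text):
    """Parse simple LDIF (no base64 values or folded lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")  # split on the first colon only
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def norm_dn(dn):
    """Case-fold a DN and trim spaces around RDNs (escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def roles_for(user_dn, entries):
    """Role names from every groupOfUniqueNames entry listing user_dn as uniqueMember."""
    target = norm_dn(user_dn)
    roles = []
    for e in entries:
        is_group = "groupofuniquenames" in (c.lower() for c in e.get("objectclass", []))
        if is_group and target in map(norm_dn, e.get("uniquemember", [])):
            roles.append(ROLE_PREFIX + e["cn"][0])
    return roles

def domains_for(user_dn, entries):
    """Domain names carried by roles that match the ROLE_OED:<domain> pattern."""
    marker = ROLE_PREFIX + DOMAIN_PREFIX
    return [r[len(marker):] for r in roles_for(user_dn, entries) if r.startswith(marker)]
```

An account that belongs to no OED: group yields an empty domain list, which is a quick way to spot users who would authenticate without a domain mapping.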
For more information about LDAP, see LDAP user accounts