Fred Gilbart (Migrated from SEC-1014) said:
The following changes are needed for an easy NTLM and LDAP (Active Directory) integration:
Either accept an empty password (then LdapAuthenticationProvider can be used as is), or change the scope of the private LdapAuthenticator authenticator field to protected; in that case we can easily override the authenticate() method to avoid the password length check, without the need to use another LdapAuthenticator in the overriding class.
Another change is needed for NTLM: an AbstractLdapAuthenticator with no password check.
PasswordComparisonAuthenticator is final and can’t be overridden, although the only useful change would be to comment out the last lines in authenticate() to remove the password check.
Because of the class name, it’s not easy to change this…
So could a new class extending LdapAuthenticationProvider exist (with no password check)?
With those 2 changes, we can use NTLM to get the username, use it to query LDAP and retrieve user information (email, name, etc.), then use that information in a custom UserDetails implementation (via a convenient UserDetailsContextMapper) without any extra implementation.
Hope this can help.
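As an added illustration (not code from the issue or from Spring Security itself) of the authenticator shape the request above describes: an AbstractLdapAuthenticator subclass that skips the password check and only resolves the user's LDAP entry for the UserDetailsContextMapper. It assumes Spring Security 3.x package names and that an upstream SSO filter (NTLM or otherwise) hands the provider a PreAuthenticatedAuthenticationToken; the instanceof guard is what keeps a plain username/password login from reaching a provider that never verifies credentials.

```java
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;
import org.springframework.security.ldap.search.LdapUserSearch;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;

/**
 * Hypothetical authenticator for an already-authenticated (SSO) principal.
 * The password is never compared: the identity is trusted only because the
 * token type proves it came from the pre-authentication filter, not from a
 * login form. Wire it into LdapAuthenticationProvider with a userSearch so the
 * matched DirContextOperations can feed a UserDetailsContextMapper.
 */
public class PreAuthenticatedLdapAuthenticator extends AbstractLdapAuthenticator {

    public PreAuthenticatedLdapAuthenticator(BaseLdapPathContextSource contextSource) {
        super(contextSource);
    }

    @Override
    public DirContextOperations authenticate(Authentication authentication)
            throws AuthenticationException {
        // Refuse anything that is not a pre-authenticated token (assumed to be
        // what the NTLM/SSO filter produces); otherwise any username would log in.
        if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
            throw new BadCredentialsException(
                    "Only pre-authenticated tokens are accepted by this authenticator");
        }
        String username = authentication.getName();
        if (username == null || username.trim().length() == 0) {
            throw new BadCredentialsException("Empty username");
        }
        LdapUserSearch search = getUserSearch();
        if (search == null) {
            throw new IllegalStateException("A userSearch must be configured");
        }
        // searchForUser throws UsernameNotFoundException if no entry matches,
        // so an SSO identity with no directory entry is still rejected.
        return search.searchForUser(username);
    }
}
```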
Luke Taylor said:
The issue with LdapAuthenticationProvider has been resolved as part of SEC-1117.
As far as I can see the additional functionality you’re talking about (ignoring the password supplied) is already available via NtlmAwareLdapAuthenticator. Let me know if I’m missing something.
This issue duplicates #1367