Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

LDAP Authenticator Build Status Maven Central

This is a simple dropwizard-auth module using Basic-Auth + LDAP for authentication. This is the module internal tools at Yammer used to authenticate users.

Note: This module has only been subjected to the traffic of our engineering team. We have not used this to authenticate high-traffic or tuned the JNDI connection pool as such.



Legacy Dropwizard Support

0.0.x releases will contain bug/security updates. 0.1.x and beyond will support 0.7+ dropwizard

How To Use

LdapConfiguration configuration = new LdapConfiguration();
LdapAuthenticator authenticator = new LdapAuthenticator(configuration);
authenticator.authenticate(new BasicCredentials("user", "password"));

Add it to your Service

I assume you are already familiar with dropwizard's authentication module. You can find more information about dropwizard authentication at

Here is an example how to add LdapAuthenticator using a CachingAuthenticator to your service:

public void run(ExampleAppConfiguration configuration, Environment environment) throws Exception {
      final LdapConfiguration ldapConfiguration = configuration.getLdapConfiguration();
      Authenticator<BasicCredentials, User> ldapAuthenticator = new CachingAuthenticator<>(
              new ResourceAuthenticator(new LdapAuthenticator(ldapConfiguration)),
      environment.jersey().register(new AuthDynamicFeature(
              new BasicCredentialAuthFilter.Builder<User>()
      environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
      environment.healthChecks().register("ldap", new LdapHealthCheck<>(
              new ResourceAuthenticator(new LdapCanAuthenticate(ldapConfiguration))));}

Additional Notes

Make sure to register your resources. Example:

environment.jersey().register(new YourResource());


uri: ldaps://
cachePolicy: maximumSize=10000, expireAfterWrite=10m
userFilter: ou=people,dc=yourcompany,dc=com
groupFilter: ou=groups,dc=yourcompany,dc=com
userNameAttribute: cn
groupNameAttribute: cn
groupMembershipAttribute: memberUid
groupClassName: posixGroup
    - user
    - admin
    - bots
connectTimeout: 500ms
readTimeout: 500ms
negotiateTls: strict
  • Group filtering is done by default using only the username provided. The full DN of the user's account will be used if groupClassName and groupMembershipAttribute are set to either groupOfNames and member or groupOfUniqueNames and uniqueMember.
  • negotiateTls can be NONE, ATTEMPT, or STRICT. Where ATTEMPT tries to negotiate TLS if possible and STRICT fails the entire operation if TLS does not succeed in being established. Note that you may see exceptions related to the initial TLS negotiation attempt in your logs if negotation fails.


Check the Changelog for detailed updates.

Bugs and Feedback

For bugs, questions, and discussions please use the Github Issues

You can’t perform that action at this time.