
How to setup secure LDAP connection #23115

Closed micobarac closed 1 year ago

micobarac commented 1 year ago
# Inbound HTTPS for the embedded web server. These server.ssl.* settings do not affect the
# outbound LDAP connection configured under application.ldap below.
server:
  port: 443
  ssl:
    key-store: /opt/keystore.p12 #  key-store: classpath:config/tls/keystore.p12
    # NOTE(review): plaintext secret in the config file; the usual practice is to inject it from
    # an environment variable or an external secret store instead of committing it.
    key-store-password: password
    key-store-type: PKCS12
    key-alias: openprovider
    # The ciphers suite enforce the security by deactivating some old and deprecated SSL cipher, this list was tested a$
    # (the line above and the ciphers value below appear truncated in this paste — trailing "$")
    ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25$
    enabled-protocols: TLSv1.2
application:
  ldap:
    enabled: true
    # NOTE(review): the scheme is ldap:// while the port is 636 (the conventional LDAPS port). A plain
    # ldap:// URL does not negotiate TLS by itself; for LDAPS the scheme should be ldaps://, and the
    # directory server's certificate must be trusted by the JVM (its default truststore, or one set
    # via the javax.net.ssl.trustStore system properties) — confirm against the deployment.
    url: ldap://xxx.xxx.xxx.xxx:636
    base: dc=acme,dc=co
    # Service-account DN relative to `base`; the Java configuration appends the base DN when binding.
    dn: cn=admin,ou=ServiceAccounts,ou=Accounts
    # NOTE(review): plaintext bind password — same remark as key-store-password above.
    password: qwert1234
    user:
      search-base: ou=Users,ou=Accounts
      # {0} is the placeholder the user search fills in with the login name.
      search-filter: (&(objectClass=person)(sAMAccountName={0}))
    group:
      search-base: ou=Groups,ou=Organization
      # {0} is the placeholder the group search fills in — presumably the authenticated user's DN; verify.
      search-filter: (&(objectClass=group)(member={0}))
      role-attribute: cn
package com.acme.co.config.ldap;

import com.acme.co.security.LdapAuthenticationProvider;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.search.LdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/**
 * Assembles Spring Security's LDAP authentication chain (context source, user search,
 * bind authenticator, authorities populator, authentication provider) from the
 * {@code application.ldap.*} properties. Only registered when
 * {@code application.ldap.enabled=true}.
 *
 * <p>NOTE(review): the configured URL is handed to the context source unchanged, so
 * whether the directory connection is TLS-protected is decided by the URL scheme in
 * configuration, not by anything in this class — confirm the deployed value uses
 * {@code ldaps://} when port 636 is intended.
 */
@Configuration
@ConditionalOnProperty(value = "application.ldap.enabled", havingValue = "true")
@Import(LdapUserDetailsContextMapper.class)
public class LdapConfiguration {

    /** Directory URL (scheme, host, port). */
    @Value("${application.ldap.url}")
    private String url;

    /** Base DN that all other DNs in this configuration are relative to. */
    @Value("${application.ldap.base}")
    private String base;

    /** Service-account DN, relative to {@link #base}. */
    @Value("${application.ldap.dn}")
    private String dn;

    /** Service-account bind password. */
    @Value("${application.ldap.password}")
    private String password;

    /** Subtree searched for user entries. */
    @Value("${application.ldap.user.search-base}")
    private String userSearchBase;

    /** Filter template used to locate the user entry for a login name. */
    @Value("${application.ldap.user.search-filter}")
    private String userSearchFilter;

    /** Subtree searched for group entries. */
    @Value("${application.ldap.group.search-base}")
    private String groupSearchBase;

    /** Filter template used to find the groups a user belongs to. */
    @Value("${application.ldap.group.search-filter}")
    private String groupSearchFilter;

    /** Group attribute whose value becomes the granted role name. */
    @Value("${application.ldap.group.role-attribute}")
    private String groupRoleAttribute;

    /**
     * Connection to the directory, bound with the service account.
     *
     * @return the initialised context source shared by the search, authenticator and populator beans
     */
    @Bean
    public BaseLdapPathContextSource contextSource() {
        DefaultSpringSecurityContextSource source = new DefaultSpringSecurityContextSource(url);
        source.setBase(base);
        // The service-account DN in configuration is relative to the base DN, so the
        // absolute bind DN is built here as "<dn>,<base>".
        source.setUserDn(String.join(",", dn, base));
        source.setPassword(password);
        // Initialise eagerly rather than waiting for the container callback.
        source.afterPropertiesSet();
        return source;
    }

    /**
     * Locates a user's directory entry from the login name.
     *
     * @param contextSource directory connection to search through
     * @return a filter-based user search over {@code userSearchBase}
     */
    @Bean
    public LdapUserSearch userSearch(BaseLdapPathContextSource contextSource) {
        return new FilterBasedLdapUserSearch(userSearchBase, userSearchFilter, contextSource);
    }

    /**
     * Authenticates users by binding to the directory as the entry found by {@code userSearch}.
     *
     * @param contextSource directory connection used for the bind
     * @param userSearch    search that resolves the login name to an entry
     * @return the configured bind authenticator
     */
    @Bean
    public LdapAuthenticator authenticator(BaseLdapPathContextSource contextSource, LdapUserSearch userSearch) {
        BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
        bindAuthenticator.setUserSearch(userSearch);
        // Initialise eagerly rather than waiting for the container callback.
        bindAuthenticator.afterPropertiesSet();
        return bindAuthenticator;
    }

    /**
     * Derives granted authorities from the groups a user is a member of.
     *
     * @param contextSource directory connection used for the group search
     * @return the populator searching {@code groupSearchBase} with {@code groupSearchFilter}
     */
    @Bean
    public LdapAuthoritiesPopulator authoritiesPopulator(BaseLdapPathContextSource contextSource) {
        DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(contextSource, groupSearchBase);
        populator.setGroupSearchFilter(groupSearchFilter);
        populator.setGroupRoleAttribute(groupRoleAttribute);
        return populator;
    }

    /**
     * Authentication provider combining the authenticator, the authorities populator and the
     * application's own {@link UserDetailsContextMapper}.
     *
     * @param authenticator        performs the directory bind
     * @param authoritiesPopulator resolves group membership into authorities
     * @param contextMapper        converts the directory result into the application's user details
     * @return the provider to register with Spring Security
     */
    @Bean
    LdapAuthenticationProvider authenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator, UserDetailsContextMapper contextMapper) {
        LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(authenticator, authoritiesPopulator);
        ldapProvider.setUserDetailsContextMapper(contextMapper);
        return ldapProvider;
    }
}
package com.acme.co.config.ldap;

import com.acme.co.security.UserDetailsService;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

import java.util.Collection;

/**
 * Bridges LDAP authentication to the application's own user store: once the directory
 * has authenticated the user, the {@link UserDetails} handed to Spring Security is the
 * one loaded by the local {@link UserDetailsService}, not one built from the directory entry.
 *
 * <p>NOTE(review): the authorities passed to {@link #mapUserFromContext} are not used, so
 * the authorities populator's group search has no effect on the roles this mapper returns —
 * confirm that is intended. What happens when the local store has no entry for the login
 * name depends on {@code loadUserByUsername}'s contract; verify against that service.
 */
public class LdapUserDetailsContextMapper implements UserDetailsContextMapper {

    /** Local user store consulted after the directory has authenticated the user. */
    private final UserDetailsService userDetailsService;

    /**
     * @param userDetailsService local user store used to resolve the authenticated login name
     */
    public LdapUserDetailsContextMapper(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * Resolves the authenticated login name against the local user store.
     *
     * @param dirContextOperations directory entry of the authenticated user (not consulted)
     * @param username             login name that was authenticated
     * @param collection           authorities derived from the directory (not consulted)
     * @return the user details loaded from the local store
     */
    @Override
    public UserDetails mapUserFromContext(DirContextOperations dirContextOperations, String username, Collection<? extends GrantedAuthority> collection) {
        // Neither the directory attributes nor the directory-derived authorities are consulted.
        return this.userDetailsService.loadUserByUsername(username);
    }

    /**
     * No-op: nothing is written back to the directory.
     *
     * @param userDetails       application user (ignored)
     * @param dirContextAdapter directory entry to populate (left untouched)
     */
    @Override
    public void mapUserToContext(UserDetails userDetails, DirContextAdapter dirContextAdapter) {
        // Intentionally empty: this mapper is read-only with respect to the directory.
    }
}
  1. How and where do I import the LDAP server certificate to establish an LDAPS connection?
  2. Do I have to change the Java code to support an LDAPS connection?

Thanks.

mshima commented 1 year ago

You have a better chance of getting an answer on Stack Overflow. LDAP is not officially supported by JHipster, and this subject is very rare here. The last LDAP-related issue is from 2021.