So I would like to put all things in one place to cover the required aspects of "Integrating Grails application with your corporate Active Directory.
As LDAP plugin requires the spring security core plugin, we will begin with installing the security core plugin..
Step 1: Installing the spring security core plugin
Execute the command: grails install-plugin spring-security-core
Once the plugin is installed, we need to run the below script to create the necessary domain classes, controller objects.
While executing the command, we need to provide the domain class name for SecurityUser and SecurityRole
grails s2-quickstart com.adepu.security.SecuredUser com.adepu.security.SecuredRole
It creates the 3 domain classes and two controllers, addes the following line to Config.groovy configuration file
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.adepu.security.SecuredUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.adepu.security.SecuredUserSecuredRole'
grails.plugins.springsecurity.authority.className = 'com.adepu.security.SecuredRole'
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.adepu.security.SecuredUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.adepu.security.SecuredUserSecuredRole'
grails.plugins.springsecurity.authority.className = 'com.adepu.security.SecuredRole'
For more information refer to http://www.grails.org/plugin/spring-security-core
Step 2: Installing the spring security LDAP plugin
Execute the command: grails install-plugin spring-security-ldap
Once the command executed successfully, you need to add following configuration in Config.groovy.
grails.plugins.springsecurity.ldap.context.server = 'ldap://ds.main.adepu.com:389'
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=_ADQuery,OU=Groups,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.context.managerPassword = 'secret'
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='OU=Users_WM,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException= true
grails.plugins.springsecurity.ldap.search.base = 'OU=Users_WM,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.search.filter = '(sAMAccountName={0})'
//grails.plugins.springsecurity.ldap.context.anonymousReadOnly = true
//grails.plugins.springsecurity.password.algorithm = 'SHA-256'
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=_ADQuery,OU=Groups,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.context.managerPassword = 'secret'
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='OU=Users_WM,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException= true
grails.plugins.springsecurity.ldap.search.base = 'OU=Users_WM,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.search.filter = '(sAMAccountName={0})'
//grails.plugins.springsecurity.ldap.context.anonymousReadOnly = true
//grails.plugins.springsecurity.password.algorithm = 'SHA-256'
Some of them optional, you may need to use them based on your environment. For example, some AD implementation may allow anonymous read without specific credential.
For more information http://www.grails.org/plugin/spring-security-ldap
Troubleshooting and Debugging:
In case it is not working as expected, add the following logging configuration to see exactly what is going beyond the scenes. If there is any exception/error raised during user retrival from LDAP it may not throw an exception. By default it tries to read from the local database. This scenario leads you to believe that your LDAP configuration is not getting invoked at all (Atleast I felt so....)
debug 'org.codehaus.groovy.grails.plugins.springsecurity',
'grails.plugins.springsecurity',
'org.springframework.security'
'org.springframework.security'