Integrating Grails application with LDAP for user authentication

Although there are many other sources where we can find information about the Grails and its plugins. I have gone through few difficulties while implementing the Grails LDAP plugin for user authentication.

So I would like to put all things in one place to cover the required aspects of "Integrating Grails application with your corporate Active Directory.

As LDAP plugin requires the spring security core plugin, we will begin with installing the security core plugin..

Step 1: Installing the spring security core plugin

Execute the command: grails install-plugin spring-security-core

Once the plugin is installed, we need to run the below script to create the necessary domain classes, controller objects.

While executing the command, we need to provide the domain class name for SecurityUser and SecurityRole

grails s2-quickstart com.adepu.security.SecuredUser com.adepu.security.SecuredRole


It creates the 3 domain classes and two controllers, addes the following line to Config.groovy configuration file

// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.adepu.security.SecuredUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.adepu.security.SecuredUserSecuredRole'
grails.plugins.springsecurity.authority.className = 'com.adepu.security.SecuredRole'

For more information refer to http://www.grails.org/plugin/spring-security-core

Step 2: Installing the spring security LDAP plugin

Execute the command:  grails install-plugin spring-security-ldap

Once the command executed successfully, you need to add following configuration in Config.groovy.

grails.plugins.springsecurity.ldap.context.server = 'ldap://ds.main.adepu.com:389'
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=_ADQuery,OU=Groups,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.context.managerPassword = 'secret'
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='OU=Users_WM,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException= true
grails.plugins.springsecurity.ldap.search.base = 'OU=Users_WM,DC=main,DC=adepu,DC=com'
grails.plugins.springsecurity.ldap.search.filter = '(sAMAccountName={0})'
//grails.plugins.springsecurity.ldap.context.anonymousReadOnly = true
//grails.plugins.springsecurity.password.algorithm = 'SHA-256'

Some of them optional, you may need to use them based on your environment. For example, some AD implementation may allow anonymous read without specific credential.

For more information http://www.grails.org/plugin/spring-security-ldap


Troubleshooting and Debugging:
In case it is not working as expected, add the following logging configuration to see exactly what is going beyond the scenes. If there is any exception/error raised during user retrival from LDAP it may not throw an exception. By default it tries to read from the local database. This scenario leads you to believe that your LDAP configuration is not getting invoked at all (Atleast I felt so....)

debug 'org.codehaus.groovy.grails.plugins.springsecurity',

      'grails.plugins.springsecurity',
      'org.springframework.security'