Attributes to return on LDAP bind can only be configured with ObjectPostProcessor with Java configuration

[sebtacke]

Summary

Although the default search configuration for the user search on LDAP bind is supposed to return all attributes of the user the operational attributes are not included in the search result (may be LDAP server implementation specific. OpenDJ does not include them).
As the attributes returned by the user search are not exposed in the LdapAuthenticationProviderConfigurer, they can only be configured by creating a new user search object and setting in the BindLdapAuthenticator using an ObjectPostProcessor.

Actual Behavior

ObjectPostProcessor is required to set returned attributes in user search for LDAP authentication.

Expected Behavior

LdapAuthenticationProviderConfigurer provides a method to set the returned attributes for the user search.

Configuration

With default returned attribute:

    @Autowired
    protected void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .userSearchBase(AuthenticationConfig.LDAP_USR_BASE)
                .userSearchFilter("(|(mail={0})(cn={0}))")
                .groupSearchBase("dc=groups,dc=ID")
                .groupSearchFilter("member={0}")
                .userDetailsContextMapper(new LdapIdentityProvider(contextSource))
                .contextSource(contextSource);
    }

With customized returned attributes:

    @Autowired
    protected void configureGlobal(final AuthenticationManagerBuilder auth)
            throws Exception {
        auth
                .ldapAuthentication()
                .groupSearchBase("dc=groups,dc=ID")
                .groupSearchFilter("member={0}")
                .userDetailsContextMapper(new LdapIdentityProvider(contextSource))
                .contextSource(contextSource)
                .withObjectPostProcessor(new ObjectPostProcessor<BindAuthenticator>() {

                    @Override
                    public BindAuthenticator postProcess(BindAuthenticator object) {
                        object.setUserAttributes(User.attributes()); // This line is probably unnecessary.
                        final FilterBasedLdapUserSearch ldapUserSearch =
                                new FilterBasedLdapUserSearch(AuthenticationConfig.LDAP_USR_BASE,
                                        "(|(mail={0})(cn={0}))", contextSource);
                        ldapUserSearch.setReturningAttributes(User.attributes());
                        object.setUserSearch(ldapUserSearch);
                        return object;
                    }
                });
    }

Version

org.springframework.security:spring-security-config:4.1.4.RELEASE
org.springframework.security:spring-security-core:4.1.4.RELEASE
org.springframework.security:spring-security-ldap:4.1.4.RELEASE

Sample

[muety]

I came across this issue as well and would really appreciate having an easy, more convenient way to configure the set of attributes to fetch.

[eleftherias]

We recommend users move away from using the WebSecurityConfigurerAdapter and the AuthenticationManagerBuilder.
Instead users can expose the appropriate beans for their configuration.

I believe this configuration style is well suited for the issue mentioned above.

The FilterBasedLdapUserSearch can be set on the BindAuthenticator bean without needing an ObjectPostProcessor.

Below is an example:

@Bean
BindAuthenticator authenticator(BaseLdapPathContextSource contextSource) {
	BindAuthenticator authenticator = new BindAuthenticator(contextSource);
	final FilterBasedLdapUserSearch ldapUserSearch =
			new FilterBasedLdapUserSearch("ou=people", "uid={0}", contextSource);
	ldapUserSearch.setReturningAttributes(attrs);
	authenticator.setUserSearch(ldapUserSearch);
	authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" });
	return authenticator;
}

@Bean
LdapAuthenticationProvider authenticationProvider(LdapAuthenticator authenticator) {
	LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator);
	provider.setUserDetailsContextMapper(new PersonContextMapper());
	return provider;
}

For that reason I'm going to close this issue, but feel free to comment below if this doesn't solve your problem.