Force reconnect with credentials on DefaultTlsDirContextAuthenticationStrategy

[derTobsch]

This could be a way to fix the problem of the issue #430. Another one would be to add the credentials before the TLS handshake or?

I am not completely sure if this is the right way, if it is I would provide a test. But the best would be that you think about it and let me know.

[rwinch]

Thanks for the PR! I think before we do anything we probably need an example to see how to reproduce it. Any chance you could put a sample together?

[derTobsch]

I hope I will get a example project by the end of the week.

[derTobsch]

I made a example project and it shows the bug I reported before. I will upload it very soon. I will provide a readme so you can recreate it easily.

[derTobsch]

The demo project is ready. Please have a look at https://github.com/derTobsch/tls-bug-demo

[derTobsch]

good morning @rwinch have you seen my sample project? :-) Because the label is still on waiting-for-feedback

[Pitority]

When is this going to be merged?

[derTobsch]

fyi: the ssl certificate in the ldap image does only live for 1 year :)

[rwinch]

Thank you for the detailed report and sample.

The reason that any password works is because the LDAP sample is setup to allow Anonymous Bind. If you wish to use Anonymous Bind (not recommended since anyone can bind), you can switch from BindAuthenticator (currently being used) to PasswordComparisonAuthenticator by providing a PasswordEncoder in AuthenticationManagerConfiguration:

@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        .passwordEncoder(NoOpPasswordEncoder.getInstance())
        .userSearchBase("ou=People")
        .userSearchFilter("cn={0}")
        .groupSearchBase("ou=Groups")
        .groupSearchFilter("member={0}")
        .contextSource(contextSource());
}

Alternatively, you need to disable Anonymous Bind within the LDAP server. At that point, authentication will fail with invalid credentials.

[rwinch]

Thanks for the PR. This is now merged into master.

After additional evaluation it appears that some LDAP containers require additional interactions to ensure that bind authentication is performed. The reconnect ensures the bind is performed with the credentials and maintains the TLS connection.

I have merged this into master with an additional test. Thanks again for the PR!