I am writing an application in Java Spring framework to perform Active Directory LDAP authentication. I am succeeding in connecting to my organization LDAP.
Here is
Yes, it is possible: you can let the user who is actually logging in connect to the LDAP himself to test his credentials and fetch his user data.
AuthenticationManager configuration:
// domain, url, rootDn and searchFilter are assumed to be fields of the config class
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider =
            new ActiveDirectoryLdapAuthenticationProvider(domain, url, rootDn);
    activeDirectoryLdapAuthenticationProvider.setSearchFilter(searchFilter);
    // the provider binds to AD with the credentials the user submits on login
    auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider);
}
Spring security does two things:
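As an added example (not code from the answer above or from Spring Security itself), here is that configuration carried through with a UserDetailsContextMapper, so the attributes read under the user's own bind land on the principal and the application never holds a manager or service-account password. The class names, attribute names, domain, URL and root DN are assumptions, and it targets the WebSecurityConfigurerAdapter style of Spring Security 4/5 used in the answer.

```java
import java.util.Collection;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsContextMapper;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration @EnableWebSecurity
public class AdSecurityConfig extends WebSecurityConfigurerAdapter {
    // Placeholder directory settings, constructed for this example.
    private static final String DOMAIN = "corp.example.com";
    private static final String URL = "ldaps://dc1.corp.example.com:636"; // LDAPS: the bind password is never sent in clear
    private static final String ROOT_DN = "dc=corp,dc=example,dc=com";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(DOMAIN, URL, ROOT_DN);
        // The provider binds with the credentials the user just submitted, so no manager DN is configured.
        provider.setSearchFilter("(&(objectClass=user)(userPrincipalName={0}))");
        // Attributes are read under that same bind and copied onto the principal by the mapper below.
        provider.setUserDetailsContextMapper(new AdUserMapper());
        auth.authenticationProvider(provider);
    }

    // Principal carrying the directory attributes fetched at login; the password is not retained.
    public static class AdUser extends User {
        public final String displayName, mail;
        AdUser(String username, Collection<? extends GrantedAuthority> auths, String displayName, String mail) {
            super(username, "", auths);
            this.displayName = displayName;
            this.mail = mail;
        }
    }

    static class AdUserMapper implements UserDetailsContextMapper {
        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
            return new AdUser(username, authorities, ctx.getStringAttribute("displayName"), ctx.getStringAttribute("mail"));
        }

        @Override
        public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
            throw new UnsupportedOperationException("read-only mapping"); // nothing is ever written back to AD
        }
    }
}
```

After login, `SecurityContextHolder.getContext().getAuthentication().getPrincipal()` is an `AdUser`, so the display name and mail are available without a second LDAP search or any stored credential.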
Define an administrative user who has the necessary permissions, and use that. You certainly shouldn't use the managerDN for anything in your application.