LDAP Authentication with Dropwizard

Authentication for your application may be crucial to its operation. Dropwizard provides a pretty clear description of different capabilities, but I thought I’d give a simple step-by-step implementation path.

1. Dependencies

The good folks at Yammer have released an open-source LDAP authenticator for Dropwizard. Add both dropwizard-auth and the Yammer library to your pom.xml:

<dependency>
    <groupId>io.dropwizard</groupId>
    <artifactId>dropwizard-auth</artifactId>
    <version>${dropwizard.version}</version>
</dependency>
<dependency>
    <groupId>com.yammer.dropwizard</groupId>
    <artifactId>dropwizard-auth-ldap</artifactId>
    <version>0.1.2</version>
</dependency>

Please note, I’m using Dropwizard version 0.7.1. The auth wiring shown below (BasicAuthProvider) changed in later Dropwizard releases, so check the version you are on before copying it.

2. Dropwizard Configuration

You’ll need to add an ldapConfiguration block to your YAML and a matching LdapConfiguration field (with a getter) to your Configuration POJO:

# LDAP settings
ldapConfiguration:
  uri: ldaps://{HOST}:636
  cachePolicy: maximumSize=10000, expireAfterWrite=60m
  userFilter: ou=Users,dc=yourcompany,dc=com
  groupFilter: ou=Groups,dc=yourcompany,dc=com
  userNameAttribute: uid
  groupNameAttribute: cn
  groupMembershipAttribute: memberUid
  groupClassName: posixGroup
  restrictToGroups:
    - user
    - admin
    - bots
  connectTimeout: 500ms
  readTimeout: 500ms

Some notes on these attributes:
– Set {HOST} to your LDAP server. Keep the ldaps:// scheme and port 636: with plain ldap:// every bind sends the user’s password over the network in the clear.
– Verify the userNameAttribute against your LDAP schema. The GitHub docs use cn, but I found the query needed to be uid.
– groupMembershipAttribute tells the authenticator which attribute of a group entry lists that group’s members. The right value depends on how your directory is set up; memberUid is a good default for posixGroup entries.
– restrictToGroups is optional: list the groups whose members may authenticate, or omit it to allow any user who can bind.
– cachePolicy controls how long CachingAuthenticator remembers an authentication result without going back to LDAP. With expireAfterWrite=60m, a password change or a disabled account may not take effect for up to an hour; shorten it if that window is too long for you.

3. LDAP Certificate

You will need to add the LDAP server’s certificate (or, better, the CA certificate that issued it, so a routine server certificate rotation doesn’t break your app) to the Java truststore. This has to be done locally and on every machine that will run your Dropwizard application.

If you don’t have the certificate already, there are two ways to get it. A browser can’t connect to ldaps://, but if another HTTPS application is served with the same certificate you can export it from Chrome: click the lock icon in the address bar, then Connection > Certificate Information, and save the .crt file. Alternatively, pull the chain straight from the LDAP port with openssl s_client -connect {HOST}:636 -showcerts. Either way, compare the certificate’s fingerprint with a value obtained from whoever runs the directory before trusting it: a certificate fetched over the network and imported unchecked means you have trusted whatever was sitting between you and the LDAP server at that moment.

With the certificate in hand, go to command line and follow these steps, replacing the {placeholders}:

$ cd $JAVA_HOME
$ cd jre/lib/security/
$ sudo keytool -import -trustcacerts -alias {mydomain} -file {mydomain.crt} -keystore cacerts

The default password for cacerts is changeit. Two things to keep in mind:
– The path above is for a JDK 7/8 install; a standalone JRE (and every JDK from Java 9 on) keeps cacerts in $JAVA_HOME/lib/security/ instead.
– Upgrading the JDK replaces cacerts, and your imported certificate with it. A more durable option is a dedicated truststore (keytool -import ... -keystore ldap-truststore.jks) that you point the application at with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword at startup.

If you get this exception, the certificate you imported isn’t the one the server presents (or its issuer), or it wasn’t imported into the truststore the running JVM actually uses:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
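To confirm that a truststore accepts the LDAP server’s chain before you deploy, rather than discovering it from the exception above, the following added example (mine, not from the post) validates a PEM chain against a keystore using the same PKIX path validation the JSSE trust manager performs, and prints the leaf’s SHA-256 fingerprint for out-of-band comparison. The class name TrustStoreCheck and the file names are this example’s own; the chain file is assumed to contain only PEM certificate blocks, leaf first, such as those copied out of openssl s_client -showcerts output.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Added example: does this truststore trust this LDAP server chain? */
public final class TrustStoreCheck {

    /** Colon-separated hex SHA-256 of the DER encoding, the form most tools print. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Reads every PEM certificate in the file, in file order (leaf first). */
    static List<X509Certificate> loadChain(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** True when the chain validates against the trusted entries of the keystore. */
    static boolean chainIsTrusted(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        X509Certificate leaf = chain.get(0);
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            // Self-signed server certificate (the common case when you import the
            // server's own cert): trusted only if that exact cert is in the store.
            return trustStore.getCertificateAlias(leaf) != null;
        }
        // PKIX validation wants the path to stop below the trust anchor, so drop
        // any self-signed root the server happened to send along.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                path.add(c);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // anchors = trusted entries
        params.setRevocationEnabled(false); // offline check; CRL/OCSP would need network
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("validation failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TrustStoreCheck <truststore> <storepass> <chain.pem>
        // e.g.   java TrustStoreCheck $JAVA_HOME/jre/lib/security/cacerts changeit ldap-chain.pem
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        List<X509Certificate> chain = loadChain(args[2]);
        System.out.println("leaf subject: " + chain.get(0).getSubjectX500Principal());
        System.out.println("leaf SHA-256: " + sha256Fingerprint(chain.get(0)));
        System.out.println(chainIsTrusted(chain, ts) ? "trusted" : "NOT trusted");
    }
}
```

Run it against the cacerts file you imported into (and, if you use one, against your dedicated truststore) on each machine that will run the application. A "NOT trusted" result here is the same failure the JVM will report as the SunCertPathBuilderException at runtime, minus the guessing about which keystore was consulted.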

4. Dropwizard Application

Now to add the authentication to your run() method in your Application.

/********************
* Authentication
********************/
// Imports: io.dropwizard.auth.Authenticator, io.dropwizard.auth.CachingAuthenticator,
// io.dropwizard.auth.basic.BasicAuthProvider, io.dropwizard.auth.basic.BasicCredentials,
// plus LdapAuthenticator and LdapConfiguration from dropwizard-auth-ldap.
LdapConfiguration ldapConfiguration = config.getLdapConfiguration();
// Performs the LDAP bind for each username/password pair it is handed.
LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(ldapConfiguration);
// ResourceAuthenticator is an adapter you write (not shown here) that exposes the
// LdapAuthenticator as a Dropwizard Authenticator<BasicCredentials, BasicCredentials>.
// CachingAuthenticator wraps it so repeated requests don't hit LDAP every time;
// it needs its own variable name, distinct from ldapAuthenticator above.
Authenticator<BasicCredentials, BasicCredentials> cachingAuthenticator = new CachingAuthenticator<>(
    environment.metrics(),
    new ResourceAuthenticator(ldapAuthenticator),
    ldapConfiguration.getCachePolicy());
// Registers HTTP Basic auth; the realm string is what clients see in the 401 challenge.
environment.jersey().register(
    new BasicAuthProvider<>(cachingAuthenticator, "realm"));

With the authenticator registered, any resource method with a parameter annotated @Auth will require LDAP authentication. Because the authenticator above is typed Authenticator<BasicCredentials, BasicCredentials>, the @Auth parameter must be a BasicCredentials, for example:

// Imports: io.dropwizard.auth.Auth, io.dropwizard.auth.basic.BasicCredentials, javax.ws.rs.POST, javax.ws.rs.Path
@POST
@Path("authenticated")
public void resourceMethod(@Auth BasicCredentials user) {
    // Only reached when the LDAP bind for the supplied credentials succeeded.
}
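Keep in mind that a BasicCredentials principal hands the caller’s plaintext password to your resource code; if the resource doesn’t need it, have the authenticator return a principal that carries only the username. Putting sections 2 and 4 together, here is a complete application written for this post as an added example (not copied from it or from dropwizard-auth-ldap) against Dropwizard 0.7.1. The class names (LdapExampleApplication, Config, LdapUser, LdapPrincipalAuthenticator, SecureResource) are this example’s own; it assumes LdapAuthenticator and LdapConfiguration live in com.yammer.dropwizard.authenticator and that LdapAuthenticator exposes boolean authenticate(BasicCredentials). It departs from the snippet above in two respects: the adapter returns a username-only principal, and it refuses empty passwords before they ever reach the directory.

```java
package com.example.ldapauth;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.base.Optional;
import com.yammer.dropwizard.authenticator.LdapAuthenticator;  // package assumed
import com.yammer.dropwizard.authenticator.LdapConfiguration; // package assumed
import io.dropwizard.Application;
import io.dropwizard.Configuration;
import io.dropwizard.auth.Auth;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.CachingAuthenticator;
import io.dropwizard.auth.basic.BasicAuthProvider;
import io.dropwizard.auth.basic.BasicCredentials;
import io.dropwizard.setup.Bootstrap;
import io.dropwizard.setup.Environment;
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

/** Added example: config POJO, LDAP wiring and a protected resource for Dropwizard 0.7.1. */
public class LdapExampleApplication extends Application<LdapExampleApplication.Config> {

    /** Section 2: the ldapConfiguration block in the YAML binds to this field. */
    public static class Config extends Configuration {
        @Valid @NotNull @JsonProperty
        private LdapConfiguration ldapConfiguration;

        public LdapConfiguration getLdapConfiguration() { return ldapConfiguration; }
    }

    /** What resources receive: the authenticated username only, never the password. */
    public static final class LdapUser {
        private final String name;
        LdapUser(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Adapts LdapAuthenticator (assumed: boolean authenticate(BasicCredentials)) to Dropwizard's contract. */
    public static final class LdapPrincipalAuthenticator implements Authenticator<BasicCredentials, LdapUser> {
        private final LdapAuthenticator ldap;

        LdapPrincipalAuthenticator(LdapAuthenticator ldap) { this.ldap = ldap; }

        @Override
        public Optional<LdapUser> authenticate(BasicCredentials credentials) throws AuthenticationException {
            // A simple bind with a non-empty name and an EMPTY password is an
            // "unauthenticated" bind (RFC 4513 5.1.2); servers that allow it report
            // success. Reject it here so it never reaches the directory.
            if (credentials.getUsername().isEmpty() || credentials.getPassword().isEmpty()) {
                return Optional.absent();
            }
            return ldap.authenticate(credentials)
                    ? Optional.of(new LdapUser(credentials.getUsername()))
                    : Optional.<LdapUser>absent();
        }
    }

    /** Section 4: any method with an @Auth parameter requires a successful LDAP bind. */
    @Path("/secure")
    @Produces(MediaType.TEXT_PLAIN)
    public static final class SecureResource {
        @GET
        public String whoAmI(@Auth LdapUser user) {
            return "authenticated as " + user.getName();
        }
    }

    @Override
    public void initialize(Bootstrap<Config> bootstrap) { }

    @Override
    public void run(Config config, Environment environment) {
        LdapConfiguration ldapConfig = config.getLdapConfiguration();
        LdapAuthenticator ldap = new LdapAuthenticator(ldapConfig);

        // CachingAuthenticator remembers results for the YAML cachePolicy window, so a
        // disabled account can keep working until expireAfterWrite elapses.
        Authenticator<BasicCredentials, LdapUser> authenticator = new CachingAuthenticator<>(
                environment.metrics(),
                new LdapPrincipalAuthenticator(ldap),
                ldapConfig.getCachePolicy());

        environment.jersey().register(new BasicAuthProvider<>(authenticator, "LDAP"));
        environment.jersey().register(new SecureResource());
    }

    public static void main(String[] args) throws Exception {
        new LdapExampleApplication().run(args); // e.g. java -jar app.jar server config.yml
    }
}
```

Start it with the usual server config.yml arguments and try curl -u alice:secret http://localhost:8080/secure. A wrong password, an empty password, or a user outside restrictToGroups gets a 401 with a WWW-Authenticate: Basic realm="LDAP" header; a good bind returns the username, and only the username, to the resource.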