EmbeddedLdapContextConfiguration LdapContextSource bean creation not populating base property

[mdiskin]

Drift in behavior between LdapAutoConfiguration and EmbeddedLdapAutoConfiguration.

LdapAutoConfiguration populates the base from properties in LdapContextSource and the EmbeddedLdapAutoConfiguration doesn't which changes how queries, etc.. switching between the two.

I don't mind submitting a PR but wanted confirmation of actual problem or expected behavior.

Tested on 2.4.0-M2

Thanks
Mark

[snicoll]

@mdiskin sorry, I am not sure I follow. The LdapContextSource is built from properties and so is the embedded auto-configuration as far as I can see.

[mdiskin]

In the Non-Embedded Autocomplete the there is a property (single string). In the Embedded there is the ability to pass into unboundid an array of dn's but the corresponding LdapContextSource bean create doesn't set this base.

propertyMapper.from(properties.getBase()).to(source::setBase);

So if you are using the embedded for unit/integration testing and then Non-Embedded you have to add additional logic that fully qualifies each LdapTempate search e.g. add "dc=spring,dc=org".

I was playing with options in a forked version and the unboundid support for multiple DNs doesn't seem well supported given it only takes a single base so I wasn't sure whether to remove that array/functionality for the embed-only option. One thought would be for embedded to add another property 'base' (in addition to the dn array) ideally we could derive that from the other but that would not be very easy to determine.

[snicoll]

We discussed this one and I can see the problem now. It's largely due to the fact the configuration between the embedded and the non embedded case are duplicated. Rather than creating a completely new LdapContextSource we should customise the one created by the regular auto-configuration (via a LdapContextSourceCustomizer perhaps?).

The fact that there is an .embedded subnamespace with competing configuration keys make it a bit more complex to decide what should be taken into account so perhaps we should refine the structure of those. We've flagged this for resolution in 2.2.x but we may move that if the changes are too involved.

[mdiskin]

That would be awsome but sounds involved refactoring and not something for my first project commit. Let me know if I can help out maybe with testing/snapshot validation.

Additionally with this approach can you also look at the autoconfigure support for BaseLdapPathBeanPostProcessor
and BaseLdapPathAware? I tried that to get around the above issue but again not something the embedded ldap supports out of the box.

Also, would be good to upgrade the unboundid versions to the 5.x at some point.

[philwebb]

We want to rework EmbeddedLdapContextConfiguration, possibly removing it entirely. Although we do consider this a bug, such a fix would be a little risky for 2.3.x so we're going to look at it in 2.6.x.

[mdiskin]

Makes sense. I can help test snapshot or milestone releases. Also, UnboundID 6.0.0 has since been released and may be good to include in 2.6.x changes

[mdiskin]

Was hoping to get confirmation that will be in the 2.6 initial release (I'm working against the snapshot), but if not I'll start work on a stopgap measure as it's blocking some efforts internally.

[wilkinsona]

An upgrade of UnboundID is unlikely at this time as Spring Security is still using 4.x. If you'd like to see an upgrade to 6.x, please open a Spring Security issue and we can take things from there.

[mdiskin]

@wilkinsona I'll open that upgrade request (more of a nice to have) but the bugfix to align up the embedded and external ldap is the real blocker for me

[micheljung]

UPDATE: This doesn't work, because base needs to be set before afterPropertiesSet() is called

Workaround in Kotlin (FQCNs for clarification):

  @Autowired
  fun populateLdapContextSourceBaseProperty(
    ldapContextSource: org.springframework.ldap.core.support.LdapContextSource,
    ldapProperties: org.springframework.boot.autoconfigure.ldap.LdapProperties,
    inMemoryDirectoryServer: Optional<com.unboundid.ldap.listener.InMemoryDirectoryServer>,
  ) {
    if (!inMemoryDirectoryServer.isPresent) {
      return
    }

    if (ldapContextSource.baseLdapName != org.springframework.ldap.support.LdapUtils.emptyLdapName()) {
      logger.warn("Not setting 'base' property of LdapContextSource as it's already set: ${ldapContextSource.baseLdapName}")
      return
    }

    logger.debug("Setting 'base' property of LdapContextSource to '${ldapContextSource.baseLdapName}'" +
        " as a workaround for https://github.com/spring-projects/spring-boot/issues/23030")
    ldapContextSource.setBase(ldapProperties.base)
  }

[micheljung]

This one works (Kotlin):

package com.example

import org.springframework.boot.autoconfigure.AutoConfigureBefore
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
import org.springframework.boot.autoconfigure.ldap.LdapProperties
import org.springframework.boot.autoconfigure.ldap.embedded.EmbeddedLdapAutoConfiguration
import org.springframework.boot.autoconfigure.ldap.embedded.EmbeddedLdapProperties
import org.springframework.boot.context.properties.EnableConfigurationProperties
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.DependsOn
import org.springframework.core.env.Environment
import org.springframework.ldap.core.ContextSource
import org.springframework.ldap.core.support.LdapContextSource

@Configuration(proxyBeanMethods = false)
@AutoConfigureBefore(EmbeddedLdapAutoConfiguration::class)
@EnableConfigurationProperties(LdapProperties::class, EmbeddedLdapProperties::class)
class EmbeddedLdapAutoConfiguration {

  // Workaround for https://github.com/spring-projects/spring-boot/issues/23030
  @Configuration(proxyBeanMethods = false)
  @ConditionalOnClass(ContextSource::class)
  internal class EmbeddedLdapContextConfiguration {
    @Bean
    @DependsOn("directoryServer")
    @ConditionalOnMissingBean
    fun ldapContextSource(
      environment: Environment,
      properties: LdapProperties,
      embeddedProperties: EmbeddedLdapProperties,
    ): LdapContextSource {
      val source = LdapContextSource()
      if (!embeddedProperties.credential.username.isNullOrEmpty() && !embeddedProperties.credential.password.isNullOrEmpty()) {
        source.userDn = embeddedProperties.credential.username
        source.password = embeddedProperties.credential.password
      }
      source.urls = properties.determineUrls(environment)
      source.setBase(properties.base)
      return source
    }
  }
}

spring.factories:

org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.example.EmbeddedLdapAutoConfiguration

[mbhave]

We decided to fix this by populating the base for the embedded context. In the future, we might want to revisit this to consider the customizer option.