Possible to use variables in @LdapIdentityStoreDefinition

[Bernd Schmidt]

Hello,

is it possible to use variables like ${ALIAS=ldap-password} in @LdapIdentityStoreDefinition?

The documentation doesn't mention it, but it would be great to use password alias or microprofile-config to supply the passwords.

Best regards,

Bernd Schmidt

[Eduard Drenth]

Here you can find a complete docker/docker-compose setup including ldap authentication/autorization: https://bitbucket.org/fryske-akademy/hisgis_oat_invoermodule/src/master/install/docker/

In the build directory you find a parameterized ldap init file

In the stack directory you will find a compose file that initializes the ldap host to connect to.

Hope this helps, Eduard

Op donderdag 2 mei 2019 09:58:08 UTC+2 schreef Bernd Schmidt:

[Bernd Schmidt]

Thank you for your example.

This is like we are doing the configuration at the moment, but we want to replace the current authentification with JSR-375. So I need to configure the ldap password within the annotation @LdapIdentityStoreDefinition

Best regards,

Bernd Schmidt

[eduard...@gmail.com]

Ah, I'm sorry, didn't understand that directly

It doesn't look like in @LdapIdentityStoreDefinition the bindDnPassword
field can only be hard coded. I would prefer to have that configured
outside the application, so I will probably not use
@LdapIdentityStoreDefinition myself.

Bye

> --
> You received this message because you are subscribed to the Google
> Groups "Payara Forum" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to payara-forum...@googlegroups.com.
> To view this discussion on the web, visit
> https://groups.google.com/d/msgid/payara-forum/7b15b6f7-a234-451c-a3fe-02f743257e8f%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.

[Rudy De Busscher]

Hi,

All String properties of the @LdapIdentityStoreDefinition also support EL expression, as per specification https://javaee.github.io/security-spec/spec/jsr375-spec.html#_expression_language_support

However, it is not possible at this moment to retrieve the  ${ALIAS=ldap-password} programmatically (so that it could be returned as value of an EL expression). But the ldap password can certainly be referenced from 'external' like a MicroProfile Config file for example (using the intermediate step of using an EL expression to an applicationScoped CDI bean )

If you like such a functionality, programmatically access an aliased password, please request it through our GitHub - https://github.com/payara/Payara/issues

Regards

Rudy

[Rudy De Busscher]

Hi,

I was a bit too fast with my response.  It is possible to retrieve the value of the aliased password since the MicroProfile Config implemenation of Payara supports the alias store (see https://docs.payara.fish/documentation/microprofile/config.html where alias store has priority 105)

So the following construct retrieves your ldap password

@Inject

@ConfigProperty(name="ldap-password")

private String ldapPassword.

Which then can be exposed through EL.

Regards

Rudy

[eduard...@gmail.com]

Nice!

> send an email to payara-forum...@googlegroups.com.

> To view this discussion on the web, visit

> https://groups.google.com/d/msgid/payara-forum/32aaa4cd-72ed-4201-b0e9-2a28724c2d03%40googlegroups.com

[Bernd Schmidt]

That's great! Using the microprofile config also adds some other benefits.

Thanks for help!

Regards

Bernd