Hi!
I am setting up the XNAT LDAP plugin and I'm trying to configure it for anonymous access to a local LDAP server. I am trying to validate with ValidateLdap.groovy. The provider.properties (with a few commented-out previous tries) and the current output are pasted below.
"Some LDAP server setups allow anonymous read-only access. If you want to use anonymous contexts for read-only operations, set the anonymous-read-only attribute to true."
Is it possible to configure XNAT LDAP access to work this way?
As usual, any help is most appreciated!
Best,
Blake
$ cat ldap-xxxx-yyy-provider.properties
name=KYB LDAP
provider.id=kyb_ldap
auth.method=ldap
visible=true
auto.enabled=true
auto.verified=true
address=ldaps://ldap.localnet/
#userdn=cn=readonly,dc=xxxx,dc=yyy,dc=zz
#password=password
#userdn=dc=xxxx,dc=yyy,dc=zz
#userdn=
#password=
search.base=ou=users,dc=xxxx,dc=yyy,dc=zz
search.filter=(uid={0})
$ groovy 'jar:file:xnat-ldap-auth-plugin-1.0.0.jar!/ValidateLdap.groovy' ldap-xxxx-yyy-provider.properties
Loading properties from ldap-xxxx-yyy-provider.properties
Address: ldaps://ldap.localnet/
User DN: cn=admin,dc=xnat,dc=org
Password: password
Search base: ou=users,dc=xxxx,dc=yyy,dc=zz
Search filter: (uid={0})
Username: asmith
password: password
May 20, 2020 11:35:00 AM org.springframework.security.ldap.DefaultSpringSecurityContextSource <init>
INFO: URL 'ldaps://ldap.localnet/', root DN is ''
Validating the binding user account 'cn=admin' with search base 'dc=xnat,dc=org'
Creating user search object with search base 'dc=xnat,dc=org' and filter '(cn=admin)
Some kind of authentication exception occurred for user 'cn=admin':
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: ldap.localnet:636; nested exception is javax.naming.CommunicationException: simple bind failed: ldap.localnet:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
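Two separate things are visible in the post above: the properties file has userdn/password commented out, yet the validator prints a User DN that does not appear in the file, and the final stack trace is a JVM trust-store failure (PKIX path building failed) on the LDAPS handshake, which is independent of how the bind is configured. The following script is an added example, not part of the original post and not code from the XNAT LDAP plugin. It reads a provider.properties file (a constructed copy of the one above is embedded), reports whether a bind DN and password are actually set, and checks that the LDAPS server's certificate chain validates against a chosen CA bundle, so the same trust condition the JVM complains about can be reproduced and diagnosed before re-running the validator. The rule that "no uncommented userdn/password means an anonymous bind" is an assumption of this script, not documented plugin behaviour; the functions `parse_properties`, `bind_mode`, `ldap_endpoint` and `check_tls_trust` are hypothetical helpers named here only.

```python
import re
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed copy of the properties file from the post; placeholder values are
# the post's own (ldap.localnet, dc=xxxx,dc=yyy,dc=zz), not a real directory.
SAMPLE_PROPERTIES = """\
name=KYB LDAP
provider.id=kyb_ldap
auth.method=ldap
visible=true
auto.enabled=true
auto.verified=true
address=ldaps://ldap.localnet/
#userdn=cn=readonly,dc=xxxx,dc=yyy,dc=zz
#password=password
search.base=ou=users,dc=xxxx,dc=yyy,dc=zz
search.filter=(uid={0})
"""


def parse_properties(text):
    """Minimal Java .properties reader: blank lines and lines starting with
    '#' or '!' are comments; the key ends at the first '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def bind_mode(props):
    """Assumption (hypothetical helper): a bind is 'authenticated' only when both
    userdn and password are present and non-empty; otherwise 'anonymous'."""
    if props.get("userdn") and props.get("password"):
        return "authenticated"
    return "anonymous"


def ldap_endpoint(address):
    """Split an LDAP URL into (scheme, host, port, tls_required), applying the
    standard defaults of 389 for ldap:// and 636 for ldaps://."""
    u = urlsplit(address)
    scheme = u.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    port = u.port or (636 if scheme == "ldaps" else 389)
    return scheme, u.hostname, port, scheme == "ldaps"


def check_tls_trust(host, port, cafile=None, timeout=5.0):
    """Open a TLS connection verified against `cafile` (or the platform trust
    store when None) and return (ok, detail). A chain that fails here is the same
    condition the JVM reports as 'PKIX path building failed'."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Hostname verification stays on: a chain that validates for the wrong name
    # is still an untrusted server.
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "subject=%r notAfter=%s" % (cert.get("subject"), cert.get("notAfter"))
    except ssl.SSLCertVerificationError as e:
        return False, "certificate chain not trusted: %s" % e.verify_message
    except (OSError, ssl.SSLError) as e:
        return False, "connection failed: %s" % e


def report(props, cafile=None):
    """Summarise bind mode and, for ldaps://, the trust check result."""
    scheme, host, port, tls = ldap_endpoint(props["address"])
    lines = ["bind mode: %s" % bind_mode(props),
             "endpoint: %s://%s:%d" % (scheme, host, port)]
    if tls:
        ok, detail = check_tls_trust(host, port, cafile)
        lines.append("tls trust: %s (%s)" % ("ok" if ok else "FAILED", detail))
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python check_ldap_provider.py [provider.properties] [ca-bundle.pem]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(report(parse_properties(text), ca))
```

If the trust check fails with the server's real CA bundle, the fix on the XNAT side is to import that CA into the JVM's trust store (`keytool -importcert -trustcacerts -alias <your-ca-alias> -file ca.pem -keystore "$JAVA_HOME/lib/security/cacerts"`, with the alias and path adjusted for the deployment) rather than to relax certificate validation; the bind question (anonymous versus a read-only service account) only comes into play once the handshake succeeds.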