LDAP Authentication with Active Directory

This page describes how to integrate AppFuse with a Windows Active Directory server (tested with Windows 2003 server).

Define LDAP beans

To enable LDAP authentication, some beans need to be defined in security.xml.

<!-- Connection to the domain controller. managerDn is only used to search for
     users and their group memberships, so a read-only account is sufficient.
     Plain ldap:// on port 389 sends this password and every user's password
     unencrypted; use ldaps:// or otherwise protect the link to the server.
     Active Directory returns referrals for naming contexts outside the one
     being searched; following them avoids a PartialResultException. -->
<bean id="initialDirContextFactory"
	class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
	<constructor-arg value="ldap://ldapserver.company.com:389/DC=Company,DC=com" />
	<property name="managerDn" value="CN=username,CN=Users,DC=Company,DC=com" />
	<property name="managerPassword" value="password" />
	<property name="extraEnvVars"> 
		<map>
			<entry key="java.naming.referral" value="follow" />
		</map>
	</property>
</bean>
 
<!-- Locates the user's DN by sAMAccountName below OU=Employees (relative to
     the root DN of the URL above); {0} is replaced with the login name. -->
<bean id="userSearch"
	class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
	<constructor-arg index="0" value="OU=Employees" />
	<constructor-arg index="1" value="(&amp;(objectClass=user)(sAMAccountName={0}))" />
	<constructor-arg index="2" ref="initialDirContextFactory" />
	<property name="searchSubtree" value="true" />
</bean>
 
<!-- BindAuthenticator verifies the password by binding as the DN found by
     userSearch. The populator then searches below OU=UserBranchInLdap for
     groups whose member attribute contains that DN ({0}) and turns each
     group's CN into a ROLE_<CN> authority, upper-cased. -->
<bean id="ldapAuthenticationProvider"
	class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
	<constructor-arg>
		<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
			<constructor-arg ref="initialDirContextFactory" />
			<property name="userSearch" ref="userSearch" />
		</bean>
	</constructor-arg>
	<constructor-arg>
		<bean 
		class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
			<constructor-arg index="0" ref="initialDirContextFactory" />
			<constructor-arg index="1" value="OU=UserBranchInLdap" />
			<property name="convertToUpperCase" value="true" />
			<property name="searchSubtree" value="true" />
			<property name="groupSearchFilter" 
				value="(&amp;(objectClass=group)(member={0}))" />
			<property name="groupRoleAttribute" value="CN" />
		</bean>
	</constructor-arg>
</bean>

Some parameters have to be changed to match your LDAP structure; in particular, the OUs in which your users and groups reside will almost certainly differ. To get an overview of your LDAP directory, there is a nice little tool called Softerra LDAP Browser.
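To see what these beans do at runtime, here is an added example (not AppFuse or Acegi code) that models the same user search, bind and group lookup in Python against a constructed in-memory directory. The escaping of the value substituted for {0} is an assumption about good practice for this kind of filter, not a statement of how Acegi implements it.

```python
import hashlib
import re

BASE_DN = "DC=Company,DC=com"            # root DN from the ldap:// URL
USER_SEARCH_BASE = "OU=Employees"         # FilterBasedLdapUserSearch arg 0
USER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
GROUP_FILTER = "(&(objectClass=group)(member={0}))"

# Constructed sample directory (DN -> attributes); the stored hash merely
# stands in for the server-side bind check, which never leaves the server.
JANE = "CN=Jane Doe,OU=Dev,OU=Employees,DC=Company,DC=com"
DIRECTORY = {
    JANE: {"objectClass": "user", "sAMAccountName": "jdoe",
           "pw": hashlib.sha256(b"s3cret").hexdigest()},
    "CN=Developers,OU=Groups,DC=Company,DC=com":
        {"objectClass": "group", "CN": "Developers", "member": [JANE]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for the value substituted for {0}, so a login such
    as 'jdoe)(objectClass=*' cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def matches(attrs, filt):
    """Evaluate an AND-of-equalities filter like the two above against one
    entry; escaped bytes are decoded and compared literally."""
    for attr, val in re.findall(r"\((\w+)=([^()]*)\)", filt):
        want = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), val)
        have = attrs.get(attr, [])
        if want not in (have if isinstance(have, list) else [have]):
            return False
    return True

def authenticate(login, password):
    """BindAuthenticator + DefaultLdapAuthoritiesPopulator in miniature:
    search the Employees subtree for the login, bind as the found DN, then
    collect groups listing that DN as member and map CN -> ROLE_<CN>."""
    filt = USER_FILTER.replace("{0}", escape_filter_value(login))
    base = USER_SEARCH_BASE + "," + BASE_DN
    hits = [dn for dn, a in DIRECTORY.items()          # searchSubtree=true
            if dn.endswith("," + base) and matches(a, filt)]
    if len(hits) != 1:                                 # none or ambiguous
        return None
    dn = hits[0]
    if DIRECTORY[dn]["pw"] != hashlib.sha256(password.encode()).hexdigest():
        return None                                    # bind would fail
    gfilt = GROUP_FILTER.replace("{0}", escape_filter_value(dn))
    roles = ["ROLE_" + a["CN"].upper()                 # convertToUpperCase
             for a in DIRECTORY.values() if matches(a, gfilt)]
    return dn, sorted(roles)
```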

Enable LDAP beans

This one's really easy: you just have to add the ldapAuthenticationProvider to the authenticationManager:

<bean id="authenticationManager"
	class="org.acegisecurity.providers.ProviderManager">
	<property name="providers">
		<list>
			<ref local="daoAuthenticationProvider" />
			<ref local="ldapAuthenticationProvider" />
			<ref local="anonymousAuthenticationProvider" />
			<ref local="rememberMeAuthenticationProvider" />
		</list>
	</property>
</bean>

Looking at this example you see another nice Acegi feature: it's easy to use multiple authentication providers at the same time. In this case, the DB-based authentication provider works side by side with the LDAP authentication provider, so users can be defined in either source. Acegi will just ask one provider after another, in the order listed, until one of them authenticates the user or all of them have failed.
