Hi all,

I'm currently implementing/configuring the LDAP authentication of a Java web application using Spring Security 3.0. I'm using Microsoft AD LDS as LDAP server and chose the Spring's BindAuthenticator. I found out that the authentication only works if the authenticated user is a member of the partition's Readers role. The BindAuthenticator tries to read the user's attributes after the authentication, which seems reasonable in scenarios where authorities are retrieved from the directory service.

Being new to LDAP and AD, is this an acceptable practise when the application is integrated in an existing AD structure? Can fine-tune an give the user dns only read permissions for their own attributes rather than adding them to the Reader group?

Thanks Thomas