Spring LDAP Reference

Spring LDAP is designed to simplify LDAP programming in Java. Some of the features provided by the library are:

Consider a method that should search some storage for all persons and return their names in a list. By using JDBC, we would create a connection and run a query by using a statement. We would then loop over the result set and retrieve the column we want, adding it to a list.

Working against an LDAP database with JNDI, we would create a context and perform a search by using a search filter. We would then loop over the resulting naming enumeration, retrieve the attribute we want, and add it to a list.

The traditional way of implementing this person-name search method in Java LDAP looks like the next example. Note the code marked bold - this is the code that actually performs tasks related to the business purpose of the method. The rest is plumbing.

By using the Spring LDAP AttributesMapper and LdapTemplate classes, we get the exact same functionality with the following code:

The amount of boilerplate code is significantly less than in the traditional example. The LdapTemplate search method makes sure a DirContext instance is created, performs the search, maps the attributes to a string by using the given AttributesMapper, collects the strings in an internal list, and, finally, returns the list. It also makes sure that the NamingEnumeration and DirContext are properly closed and takes care of any exceptions that might happen.

Naturally, this being a Spring Framework sub-project, we use Spring to configure our application, as follows:

For complete details of 2.2, see the changelog for 2.2.0.RC1. The highlights of Spring LDAP 2.2 are as follows:

For complete details of 2.1, see the changelog for 2.1.0.RC1 and for 2.1.0 The highlights of Spring LDAP 2.1 are as follows.

While quite significant modernizations have been made to the Spring LDAP API in version 2.0, great care has been taken to ensure backward compatibility as far as possible. Code that works with Spring LDAP 1.3.x should, with few exceptions, compile and run when you use the 2.0 libraries without any modifications.

The exception is a small number of classes that have been moved to new packages in order to make a couple of important refactorings possible. The moved classes are typically not part of the intended public API, and the migration procedure should be smooth. Whenever a Spring LDAP class cannot be found after upgrade, you should organize the imports in your IDE.

You should expect to encounter some deprecation warnings, though, and there are also a lot of other API improvements. The recommendation for getting as much as possible out of the 2.0 version is to move away from the deprecated classes and methods and migrate to the new, improved API utilities.

The following list briefly describes the most important changes in Spring LDAP 2.0:

At a minimum, to use Spring LDAP you need the following:

In addition to the required dependencies, the following optional dependencies are required for certain functionality:

The samples provide some useful examples of how to use Spring LDAP for common use cases.

If you have questions, ask them on Stack Overflow with the spring-ldap tag. The project web page is https://spring.io/spring-ldap/.

The initial effort when starting the Spring LDAP project was sponsored by Jayway. Current maintenance of the project is funded by Pivotal, which has since been acquired by VMware.

Thanks to Structure101 for providing an open source license that has come in handy for keeping the project structure in check.

The following example uses an AttributesMapper to build a List of all the common names of all the person objects.

The inline implementation of AttributesMapper gets the desired attribute value from the Attributes object and returns it. Internally, LdapTemplate iterates over all entries found, calls the given AttributesMapper for each entry, and collects the results in a list. The list is then returned by the search method.

Note that the AttributesMapper implementation could easily be modified to return a full Person object, as follows:

Entries in LDAP are uniquely identified by their distinguished name (DN). If you have the DN of an entry, you can retrieve the entry directly without searching for it. This is called a “lookup” in Java LDAP. The following example shows a lookup for a Person object:

The preceding example looks up the specified DN and passes the found attributes to the supplied AttributesMapper — in this case, resulting in a Person object.

LDAP searches involve a number of parameters, including the following:

Spring LDAP provides an LdapQueryBuilder with a fluent API for building LDAP Queries.

Suppose you want to perform a search starting at the base DN dc=261consulting,dc=com, limiting the returned attributes to cn and sn, with a filter of (&(objectclass=person)(sn=?)), where we want the ? to be replaced with the value of the lastName parameter. The following example shows how to do it by using the LdapQueryBuilder:

For more information on the LdapQueryBuilder, see Advanced LDAP Queries.

The standard Java implementation of Distinguished Name (LdapName) performs well when it comes to parsing Distinguished Names. However, in practical use, this implementation has a number of shortcomings:

To simplify working with Distinguished Names, Spring LDAP provides an LdapNameBuilder, as well as a number of utility methods in LdapUtils that help when working with LdapName.

This section describes how to add and remove data. Updating is covered in the next section.

In Java LDAP, data can be modified in two ways: either by using rebind or by using modifyAttributes.

Whenever an entry is found in the LDAP tree, its attributes and Distinguished Name (DN) are used by Spring LDAP to construct a DirContextAdapter. This lets us use a ContextMapper instead of an AttributesMapper to transform found values, as follows:

As shown in the preceding example, we can retrieve the attribute values directly by name without having to go through the Attributes and Attribute classes. This is particularly useful when working with multi-value attributes. Extracting values from multi-value attributes normally requires looping through a NamingEnumeration of attribute values returned from the Attributes implementation. DirContextAdapter does this for you in the getStringAttributes() or getObjectAttributes() methods. The following example uses the getStringAttributes method:

` While useful when extracting attribute values, DirContextAdapter is even more powerful for managing the details involved in adding and updating data.

When managing security groups in LDAP, it is common to have attribute values that represent distinguished names. Since distinguished name equality differs from String equality (for example, whitespace and case differences are ignored in distinguished name equality), calculating attribute modifications using string equality does not work as expected.

For instance, if a member attribute has a value of cn=John Doe,ou=People and we call ctx.addAttributeValue("member", "CN=John Doe, OU=People"), the attribute is now considered to have two values, even though the strings actually represent the same distinguished name.

As of Spring LDAP 2.0, supplying javax.naming.Name instances to the attribute modification methods makes DirContextAdapter use distinguished name equality when calculating attribute modifications. If we modify the earlier example to be ctx.addAttributeValue("member", LdapUtils.newLdapName("CN=John Doe, OU=People")), it does not render a modification, as the following example shows:

In the preceding example, we implement BaseLdapNameAware to get the base LDAP path as described in Obtaining a Reference to the Base LDAP Path. This is necessary because distinguished names as member attribute values must always be absolute from the directory root.

To illustrate the usefulness of Spring LDAP and DirContextAdapter, the following example shows a complete Person Repository implementation for LDAP:

Entity classes managed with the object mapping methods are required to be annotated with annotations from the org.springframework.ldap.odm.annotations package. The available annotations are:

The @Entry and @Id annotations are required to be declared on managed classes. @Entry is used to specify which object classes the entity maps to and (optionally) the directory root of the LDAP entries represented by the class. All object classes for which fields are mapped are required to be declared. Note that, when creating new entries of the managed class, only the declared object classes are used.

In order for a directory entry to be considered a match to the managed entity, all object classes declared by the directory entry must be declared by the @Entry annotation. For example, assume that you have entries in your LDAP tree that have the following object classes: inetOrgPerson,organizationalPerson,person,top. If you are interested only in changing the attributes defined in the person object class, you can annotate your @Entry with @Entry(objectClasses = { "person", "top" }). However, if you want to manage attributes defined in the inetOrgPerson objectclass, you need to use the following: @Entry(objectClasses = { "inetOrgPerson", "organizationalPerson", "person", "top" }).

The @Id annotation is used to map the distinguished name of the entry to a field. The field must be an instance of javax.naming.Name.

The @Attribute annotation is used to map object class fields to entity fields. @Attribute is required to declare the name of the object class property to which the field maps and may optionally declare the syntax OID of the LDAP attribute, to guarantee exact matching. @Attribute also provides the type declaration, which lets you indicate whether the attribute is regarded as binary-based or string-based by the LDAP JNDI provider.

The @DnAttribute annotation is used to map object class fields to and from components in the distinguished name of an entry. Fields annotated with @DnAttribute are automatically populated with the appropriate value from the distinguished name when an entry is read from the directory tree. Only fields of type String can be annotated with @DnAttribute. Other types are not supported. If the index attribute of all @DnAttribute annotations in a class is specified, the DN can also be automatically calculated when creating and updating entries. For update scenarios, this also automatically takes care of moving entries in the tree if attributes that are part of the distinguished name have changed.

The @Transient annotation indicates that the field should be ignored by the object directory mapping and not mapped to an underlying LDAP property. Note that if a @DnAttribute is not to be bound to an Attribute. That is, it is only part of the Distinguished Name and not represented by an object attribute. It must also be annotated with @Transient.

When all components have been properly configured and annotated, the object mapping methods of LdapTemplate can be used as follows:

Security groups in LDAP commonly contain a multi-value attribute, where each of the values is the distinguished name of a user in the system. The difficulties involved when handling these kinds of attributes are discussed in DirContextAdapter and Distinguished Names as Attribute Values.

ODM also has support for javax.naming.Name attribute values, making group modifications easy, as the following example shows:

When you modify group members by using setMembers, addMember, and removeMember and then calling ldapTemplate.update(), attribute modifications are calculated by using distinguished name equality, meaning that the text formatting of distinguished names is disregarded when figuring out whether they are equal.

The LdapQueryBuilder and its associated classes are intended to support all of the parameters that can be supplied to an LDAP search. The following parameters are supported:

An LdapQueryBuilder is created with a call to the query method of LdapQueryBuilder. It is intended as a fluent builder API, where the base parameters are defined first, followed by the filter specification calls. Once filter conditions have been started to be defined with a call to the where method of LdapQueryBuilder, later attempts to call (for example) base are rejected. The base search parameters are optional, but at least one filter specification call is required. The following query searches for all entries with an object class of Person:

The following query searches for all entries with an object class of person and a cn (common name) of John Doe:

The following query searches for all entries with an object class of person and starting at a dc (domain component) of dc=261consulting,dc=com:

The following query returns the cn (common name) attribute for all entries with an object class of person and starting at a dc (domain component) of dc=261consulting,dc=com:

The following query uses or to search for multiple spellings of a common name (cn):

The earlier examples demonstrate simple equals conditions in LDAP filters. The LDAP query builder has support for the following criteria types:

There may be occasions when you want to specify a hardcoded filter as input to an LdapQuery. LdapQueryBuilder has two methods for this purpose:

You cannot mix the hardcoded filter methods with the where approach described earlier. It is either one or the other. If you specify a filter by using filter(), you get an exception if you try to call where afterwards.

ContextSource is defined by using an <ldap:context-source> tag. The simplest possible context-source declaration requires you to specify a server URL, a username, and a password, as follows:

The preceding example creates an LdapContextSource with default values (see the table after this paragraph) and the URL and authentication credentials as specified. The configurable attributes on context-source are as follows (required attributes marked with *):

The LdapTemplate is defined by using a <ldap:ldap-template> element. The simplest possible ldap-template declaration is the element by itself:

The element by itself creates an LdapTemplate instance with the default ID, referencing the default ContextSource, which is expected to have an ID of contextSource (the default for the context-source element).

The following table describes the configurable attributes on ldap-template:

As described earlier, you can supply a base LDAP path to the ContextSource, specifying the root in the LDAP tree to which all operations are relative. This means that you are working only with relative distinguished names throughout your system, which is typically rather handy. There are, however, some cases in which you may need to have access to the base path in order to be able to construct full DNs, relative to the actual root of the LDAP tree. One example would be when working with LDAP groups (for example, the groupOfNames object class). In that case, each group member attribute value needs to be the full DN of the referenced member.

For that reason, Spring LDAP has a mechanism by which any Spring-controlled bean may be supplied with the base path on startup. For beans to be notified of the base path, two things need to be in place. First, the bean that wants the base path reference needs to implement the BaseLdapNameAware interface. Second, you need to define a BaseLdapPathBeanPostProcessor in the application context. The following example shows how to implement BaseLdapNameAware:

The following example shows how to define a BaseLdapPathBeanPostProcessor:

The default behavior of the BaseLdapPathBeanPostProcessor is to use the base path of the single defined BaseLdapPathSource (AbstractContextSource) in the ApplicationContext. If more than one BaseLdapPathSource is defined, you need to specify which one to use by setting the baseLdapPathSourceName property.

Basic QueryDSL support is included in Spring LDAP. This support includes the following:

Validation of pooled connections is the primary motivation for using a custom pooling library versus the JDK-provided LDAP pooling functionality. Validation allows pooled DirContext connections to be checked to ensure that they are still properly connected and configured when checking them out of the pool, checking them into the pool, or while they are idle in the pool.

If connection validation is configured, pooled connections are validated by using DefaultDirContextValidator. DefaultDirContextValidator does a DirContext.search(String, String, SearchControls), with an empty name, a filter of "objectclass=*", and SearchControls set to limit a single result with the only the objectclass attribute and a 500ms timeout. If the returned NamingEnumeration has results, the DirContext passes validation. If no results are returned or an exception is thrown, the DirContext fails validation. The default settings should work with no configuration changes on most LDAP servers and provide the fastest way to validate the DirContext. If you need customization, you can do so by using the validation configuration attributes, described in Pool Configuration.

The following attributes are available on the <ldap:pooling /> element for configuration of the DirContext pool:

The following attributes are available on the <ldap:pooling2 /> element for configuring the DirContext pool:

Configuring pooling requires adding an <ldap:pooling> element nested in the <ldap:context-source> element, as follows:

In a real-world situation, you would probably configure the pool options and enable connection validation. The preceding example demonstrates the general idea.

This section describes issues that sometimes arise when people use Spring LDAP. At present, it covers the following issues:

LdapTemplate contains several overloaded versions of the most common operations in DirContext. However, we have not provided an alternative for each and every method signature, mostly because there are so many of them. We have, however, provided a means to call whichever DirContext method you want and still get the benefits that LdapTemplate provides.

Suppose you want to call the following DirContext method:

There is no corresponding overloaded method in LdapTemplate. The way to solve this is to use a custom SearchExecutor implementation, as follows:

In your custom executor, you have access to a DirContext object, which you can use to call the method you want. You can then provide a handler that is responsible for mapping attributes and collecting the results. You can, for example, use one of the available implementations of CollectingNameClassPairCallbackHandler, which collects the mapped results in an internal list. In order to actually perform the search, you need to call the search method in LdapTemplate that takes an executor and a handler as arguments. Finally, you need to return whatever your handler has collected. The following example shows how to do all of that:

If you prefer the ContextMapper to the AttributesMapper, the following example shows what it would look like:

In the same manner as for custom search methods, you can actually call any method in DirContext by using a ContextExecutor, as follows:

When implementing a custom ContextExecutor, you can choose between using the executeReadOnly() or the executeReadWrite() method. Suppose you want to call the following method:

The method is available in DirContext, but there is no matching method in LdapTemplate. It is a lookup method, so it should be read-only. We can implement it as follows:

In the same manner, you can perform a read-write operation by using the executeReadWrite() method.

In some situations, you might like to perform operations on the DirContext before and after the search operation. The interface that is used for this is called DirContextProcessor. The following listing shows the DirContextProcessor interface:

The LdapTemplate class has a search method that takes a DirContextProcessor, as follows:

Before the search operation, the preProcess method is called on the given DirContextProcessor instance. After the search has run and the resulting NamingEnumeration has been processed, the postProcess method is called. This lets you perform operations on the DirContext to be used in the search and to check the DirContext when the search has been performed. This can be very useful (for example, when handling request and response controls).

You can also use the following convenience methods when you do not need a custom SearchExecutor:

The LDAPv3 protocol uses “Controls” to send and receive additional data to affect the behavior of predefined operations. To simplify the implementation of a request control DirContextProcessor, Spring LDAP provides the AbstractRequestControlDirContextProcessor base class. This class handles the retrieval of the current request controls from the LdapContext, calls a template method for creating a request control, and adds it to the LdapContext. All you have to do in the subclass is to implement the template method called createRequestControl and the postProcess method for performing whatever you need to do after the search. The following listing shows the relevant signatures:

A typical DirContextProcessor is similar to the following example:

Some searches may return large numbers of results. When there is no easy way to filter out a smaller amount, it is convenient to have the server return only a certain number of results each time it is called. This is known as “paged search results”. Each “page” of the result could then be displayed, with links to the next and previous page. Without this functionality, the client must either manually limit the search result into pages or retrieve the whole result and then chop it into pages of suitable size. The former would be rather complicated, and the latter would consume unnecessary amounts of memory.

Some LDAP servers support PagedResultsControl, which requests that the results of a search operation are returned by the LDAP server in pages of a specified size. The user controls the rate at which the pages are returned, by controlling the rate at which the searches are called. However, you must keep track of a cookie between the calls. The server uses this cookie to keep track of where it left off the previous time it was called with a paged results request.

Spring LDAP provides support for paged results by using the concept for pre- and post-processing of an LdapContext, as discussed in the previous sections. It does so by using the PagedResultsDirContextProcessor class. The PagedResultsDirContextProcessor class creates a PagedResultsControl with the requested page size and adds it to the LdapContext. After the search, it gets the PagedResultsResponseControl and retrieves the paged results cookie, which is needed to keep the context between consecutive paged results requests.

The following example shows how the to use the paged search results functionality:

Configuring Spring LDAP transactions should look very familiar if you are used to configuring Spring transactions. You can annotate your transacted classes with @Transactional, create a TransactionManager instance, and include a <tx:annotation-driven> element in your bean configuration. The following example shows how to do so:

In a real-world situation, you would probably apply the transactions on the service-object level rather than the repository level. The preceding example demonstrates the general idea.

A common use case when working against LDAP is that some of the data is stored in the LDAP tree but other data is stored in a relational database. In this case, transaction support becomes even more important, since the update of the different resources should be synchronized.

While actual XA transactions is not supported, support is provided to conceptually wrap JDBC and LDAP access within the same transaction by supplying a data-source-ref attribute to the <ldap:transaction-manager> element. This creates a ContextSourceAndDataSourceTransactionManager, which then manages the two transactions virtually as if they were one. When performing a commit, the LDAP part of the operation is always performed first, letting both transactions be rolled back should the LDAP commit fail. The JDBC part of the transaction is managed exactly as in DataSourceTransactionManager, except that nested transactions are not supported. The following example shows an ldap:transaction-manager element with a data-source-ref attribute:

You can accomplish the same thing for Hibernate integration by supplying a session-factory-ref attribute to the <ldap:transaction-manager> element, as follows:

Spring LDAP manages compensating transactions by making a record of the state in the LDAP tree before each modifying operation (bind, unbind, rebind, modifyAttributes, and rename). This lets the system perform compensating operations should the transaction need to be rolled back.

In many cases, the compensating operation is pretty straightforward. For example, the compensating rollback operation for a bind operation is to unbind the entry. Other operations, however, require a different, more complicated approach because of some particular characteristics of LDAP databases. Specifically, it is not always possible to get the values of all Attributes of an entry, making the aforementioned strategy insufficient for (for example) an unbind operation.

This is why each modifying operation performed within a Spring LDAP managed transaction is internally split up into four distinct operations: a recording operation, a preparation operation, a commit operation, and a rollback operation. The following table describes each LDAP operation:

A more detailed description of the internal workings of the Spring LDAP transaction support is available in the Javadoc.

While the core functionality of the ContextSource is to provide DirContext instances for use by LdapTemplate, you can also use it for authenticating users against an LDAP server. The getContext(principal, credentials) method of ContextSource does exactly that. It constructs a DirContext instance according to the ContextSource configuration and authenticates the context by using the supplied principal and credentials. A custom authenticate method could look like the following example:

The userDn supplied to the authenticate method needs to be the full DN of the user to authenticate (regardless of the base setting on the ContextSource). You typically need to perform an LDAP search based on (for example) the user name to get this DN. The following example shows how to do so:

There are some drawbacks to this approach. You are forced to concern yourself with the DN of the user, you can search only for the user’s uid, and the search always starts at the root of the tree (the empty path). A more flexible method would let you specify the search base, the search filter, and the credentials. Spring LDAP includes an authenticate method in LdapTemplate that provides this functionality: boolean authenticate(LdapQuery query, String password);.

When you use this method, authentication becomes as simple as follows:

Some authentication schemes and LDAP servers require some operation to be performed on the created DirContext instance for the actual authentication to occur. You should test and make sure how your server setup and authentication schemes behave. Failure to do so might result in users being admitted into your system regardless of the supplied DN and credentials. The following example shows a naïve implementation of an authenticate method where a hard-coded lookup operation is performed on the authenticated context:

It would be better if the operation could be provided as an implementation of a callback interface, rather than limiting the operation to always be a lookup. Spring LDAP includes the AuthenticatedLdapEntryContextMapper callback interface and a corresponding authenticate method: <T> T authenticate(LdapQuery query, String password, AuthenticatedLdapEntryContextMapper<T> mapper);

This method lets any operation be performed on the authenticated context, as follows:

In addition to the authenticate methods described in the preceding sections, you can use a number of deprecated methods for authentication. While these work fine, we recommend using the LdapQuery methods instead.

While the approach described in the preceding sections may be sufficient for simple authentication scenarios, requirements in this area commonly expand rapidly. A multitude of aspects apply, including authentication, authorization, web integration, user context management, and others. If you suspect that the requirements might expand beyond just simple authentication, you should definitely consider using Spring Security for your security purposes instead. It is a full-featured, mature security framework that addresses the aforementioned aspects as well as several others.

Two classes in the org.springframework.ldap.core package provide the means to represent an LDIF in code:

LdapAttribute objects represent options as a Set<String>. The DN support added to the LdapAttributes object employs the javax.naming.ldap.LdapName class.

The Parser interface provides the foundation for operation and employs three supporting policy definitions:

The default implementations of these interfaces are as follows:

Together, these four classes parse a resource line by line and translate the data into LdapAttributes objects.

The SeparatorPolicy determines how individual lines read from the source file should be interpreted, as the LDIF specification lets attributes span multiple lines. The default policy assesses lines in the context of the order in which they were read to determine the nature of the line in consideration. control attributes and changetype records are ignored.

The DefaultAttributeValidationPolicy uses REGEX expressions to ensure that each attribute conforms to a valid attribute format (according to RFC 2849) once parsed. If an attribute fails validation, an InvalidAttributeFormatException is logged, and the record is skipped (the parser returns null).

A mechanism for validating parsed objects against a schema is available through the Specification interface in the org.springframework.ldap.schema package. The DefaultSchemaSpecification does not do any validation and is available for instances where records are known to be valid and need not be checked. This option saves the performance penalty that validation imposes. The BasicSchemaSpecification applies basic checks, such as ensuring DN and object class declarations have been provided. Currently, validation against an actual schema requires implementation of the Specification interface.

While the LdifParser can be employed by any application that requires parsing of LDIF files, Spring offers a batch processing framework that offers many file-processing utilities for parsing delimited files such as CSV. The org.springframework.ldap.ldif.batch package offers the classes needed to use the LdifParser as a valid configuration option in the Spring Batch framework. There are five classes in this package. Together, they offer three basic use cases:

The first use case is accomplished with LdifReader. This class extends Spring Batch’s AbstractItemCountingItemStreamItemReader and implements its ResourceAwareItemReaderItemStream. It fits naturally into the framework, and you can use it to read LdapAttributes objects from a file.

You can use MappingLdifReader to map LDIF objects directly to any POJO. This class requires you to provide an implementation of the RecordMapper interface. This implementation should implement the logic for mapping objects to POJOs.

You can implement RecordCallbackHandler and provide the implementation to either reader. You can use this handler to operate on skipped records. See the Spring Batch API documentation for more information.

The last member of this package, the LdifAggregator, can be used to write LDIF records to a file. This class invokes the toString() method of the LdapAttributes object.

When there are a very large number of attribute values (>1500) for a specific attribute, Active Directory typically refuses to return all these values at once. Instead, the attribute values are returned according to the Incremental Retrieval of Multi-valued Properties method. Doing so requires the calling part to inspect the returned attribute for specific markers and, if necessary, make additional lookup requests until all values are found.

Spring LDAP’s org.springframework.ldap.core.support.DefaultIncrementalAttributesMapper helps when working with this kind of attributes, as follows:

The preceding example parses any returned attribute range markers and makes repeated requests as necessary until all values for all requested attributes have been retrieved.

spring-ldap-test supplies an embedded LDAP server that is based on ApacheDS or UnboundID.

To get started, you need to include the spring-ldap-test dependency.

The following listing shows how to include the spring-ldap-test for Maven:

The following listing shows how to include the spring-ldap-test for Gradle:

To use ApacheDS, you need to include a number of ApacheDS dependencies.

The following example shows how to include the ApacheDS dependencies for Maven:

The following example shows how to include the ApacheDS dependencies for Gradle:

The following bean definition creates an embedded LDAP server:

spring-ldap-test provides a mechanism to populate the LDAP server by using org.springframework.ldap.test.LdifPopulator. To use it, create a bean similar to the following:

Another way to work against an embedded LDAP server is by using org.springframework.ldap.test.TestContextSourceFactoryBean, as follows:

Also, org.springframework.ldap.test.LdapTestUtils provides methods to programmatically work with an embedded LDAP server.

To use UnboundID, you need to include an UnboundID dependency.

The following example shows how to include the UnboundID dependency for Maven:

The following example shows how to include the UnboundID dependency for Gradle:

The following bean definition creates an embedded LDAP server:

spring-ldap-test provides a way to populate the LDAP server by using org.springframework.ldap.test.unboundid.LdifPopulator. To use it, create a bean similar to the following:

Another way to work against an embedded LDAP server is by using org.springframework.ldap.test.unboundid.TestContextSourceFactoryBean. To use it, create a bean similar to the following:

Also, org.springframework.ldap.test.unboundid.LdapTestUtils provide methods to programmatically work with an embedded LDAP server.