jwilliam Posted November 1, 2012

I struggled with this for quite a while and a kind soul on this site helped get me going in the right direction. I would like to post the steps in getting this working.

We wanted to use Active Directory/LDAP to authenticate users, but only the ones in certain groups. We also wanted to use secure ldap. We have our own internal Certificate Authority and issued the certificate for our AD/LDAP server. We already had other apps authenticating to AD/LDAP. FYI, by default AD does not allow an anonymous bind, so you need to make a read-only account for the initial bind.

Here is the configuration that works for us, in applicationContext-security.xml (just the ldap section):

[code]
<!-- Make sure you uncomment the ldapAuthenticationProvider line -->
<ref local="ldapAuthenticationProvider"/>
<ref bean="${bean.daoAuthenticationProvider}"/>

<!-- add the following to log4j.properties for help with ldap debugging, I would comment it back out after your config is working -->
<!-- log4j.logger.org.springframework.security.ldap=DEBUG, stdout, fileout -->

<!-- For LDAP authentication -->
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://ad.xx.xxx.xxx.xx:636/dc=xx,dc=xxx,dc=xxx,dc=xxx"/>
    <property name="userDn"><value>cn=bind-account,cn=users,dc=xx,dc=xxx,dc=xxx,dc=xxx</value></property>
    <property name="password"><value>supersecretpass</value></property>
    <!-- Added the next line - To follow referrals in Java, you have to explicitly tell Java that you want the LDAP server to return the referral to you. In Java, the default is for the Java LDAP library to tell the LDAP server not to follow referrals. -->
    <property name="referral" value="follow"/>
</bean>

<!-- For LDAP authentication -->
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value></value></constructor-arg>
    <!-- sAMAccountName is used by Windows AD so we use it here -->
    <!-- The filter below only searches the jasperusers AD group and the groups nested under it -->
    <!-- :1.2.840.113556.1.4.1941: is to search Windows 2008R2 Active Directory "Nested Groups" -->
    <!-- If the following constructor-arg isn't all on one line it didn't work for me -->
    <!-- The leading & of the filter is written as &amp; because this file is XML -->
    <constructor-arg index="1"><value>(&amp;(sAMAccountName={0})(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=jasperusers,DC=xx,DC=xxx,DC=xxx,DC=xxx))</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>

<!-- For LDAP authentication -->
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch"><ref local="userSearch"/></property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
            <constructor-arg index="1"><value></value></constructor-arg>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <property name="convertToUpperCase"><value>true</value></property>
            <!-- The next line adds ROLE_ to the group returned from AD/LDAP and needs to be added to match the Jasper roles -->
            <property name="rolePrefix"><value>ROLE_</value></property>
            <!-- The groupSearchFilter below will sync the groups a user belongs to from AD, automatically syncing user roles with the Jasper server -->
            <!-- This example has the main AD Jasper group as jasperusers with all other Jasper groups under that. -->
            <!-- That allows us to only let the users in the jasperusers (and nested groups) group log in. See the userSearch section above. -->
            <!-- jasperusers
                 |-> jasper_admin
                 |     |-> user1
                 |-> jasper_group1
                 |     |-> user2
                 |     |-> user3
                 |-> jasper_group3
                 |     |-> user4
                 ... and so on ... -->
            <property name="groupSearchFilter"><value>(&amp;(member={0})(objectclass=group)(cn=jasper_*))</value></property>
            <property name="searchSubtree"><value>true</value></property>
        </bean>
    </constructor-arg>
</bean>
<!-- This is the end of my modifications -->
[/code]

A problem I had is that when I enabled ldaps it didn't even try to hit my AD/LDAP server to authenticate. The logs just said that the credentials were invalid. What I found is that when ldap and internal Jasper authentication were enabled it didn't put the ldap certificate error in the log. Only when I disabled internal Jasper authentication did the certificate error show up.

The problem was with java/tomcat seeing the certificates. We found that the certificates needed to be installed to:

/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts

To see the certificate you need to import, you can use the command:

openssl s_client -showcerts -connect yourserver:636

and copy/paste the certificate shown there into your keystore.

keytool -import -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -alias myserver -file myserver.crt

After making changes you have to restart tomcat, but it should now connect to ldap securely and only authenticate users in AD who are in a group under jasperusers.

I hope this helps....
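The certificate step described in the post, as an added shell example that is not part of the original post: it splits the chain that `openssl s_client -showcerts` returns into one PEM file per certificate and imports the issuing CA (the last certificate in the chain) into the JVM truststore, rather than the server's own certificate, so a renewed server certificate from the same internal CA keeps validating. Assumed: the cacerts path from the post, the default keystore password, openssl and keytool on PATH, and the constructed sample output embedded in the script.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the chain an LDAPS server
# presents, split it into PEM files, and import the issuing CA into cacerts.
# Assumptions: cacerts path from the post, default keystore password "changeit".
set -eu

CACERTS=${CACERTS:-/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# extract_certs DIR: read `openssl s_client -showcerts` output on stdin, write
# each PEM block to DIR/cert-<n>.pem (1 = server leaf, last = nearest the CA)
# and print how many certificates were found.
extract_certs() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }'
}

# fetch_chain HOST PORT DIR: connect over TLS and split the presented chain.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null | extract_certs "$3"
}

# import_cert FILE ALIAS: add one PEM certificate to the JVM truststore and
# list it back as a check. Restart Tomcat afterwards, as the post says.
import_cert() {
    keytool -importcert -noprompt -trustcacerts -keystore "$CACERTS" \
        -storepass "$STOREPASS" -alias "$2" -file "$1"
    keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$2"
}

# Constructed sample of s_client output (fake, truncated base64) for an offline run.
SAMPLE='depth=1 CN = Internal CA
Certificate chain
 0 s:CN = ad.example.internal
   i:CN = Internal CA
-----BEGIN CERTIFICATE-----
MIIBserverCERTfakeBODY==
-----END CERTIFICATE-----
 1 s:CN = Internal CA
   i:CN = Internal CA
-----BEGIN CERTIFICATE-----
MIIBcaCERTfakeBODY==
-----END CERTIFICATE-----
---'

# Live usage:  fetch_chain ad.example.internal 636 /tmp/chain
#              import_cert /tmp/chain/cert-2.pem internal-ca
```

Run `printf '%s\n' "$SAMPLE" | extract_certs /tmp/chain` to try the splitter offline before pointing fetch_chain at a real server.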
mgeise Posted November 1, 2012

Thanks for following up with the documentation on how you got this to work! I hope you don't mind, but I took your content and added it as a wiki page: http://community.jaspersoft.com/wiki/secure-active-directorldap-authentication-groups

I added it with you as the contributor so that you get reputation points, etc. for the contribution.

Thanks again for following up with the information... this is what makes a community work!
omarntfs Posted January 8, 2013

Thank you