Windows Server 2008R2 Active Directory/LDAP, LDAPS, and authenticating for certain groups

[jwilliam]

I struggled with this for quite a while and a kind soul on this site helped get me going in the right direction.  I would like to post the steps in getting this working.

We wanted to use Active Directory/LDAP to authenticate users, but only the ones in certain groups.  We also wanted to use secure ldap.  We have our own internal Certificate Authority and issued the certificate for our AD/LDAP server.

We aleady had other apps authenticating to AD/LDAP.  FYI By default AD does not allow an anonymous bind so you need to make a read-only account for the initial bind.

Here is the configureation that works for us, in applicationContext-security.xml (just the ldap section):

<!--  Make sure you uncomment the ldapAuthenticationProvider line  -->         <ref local="ldapAuthenticationProvider"/>         <ref bean="${bean.daoAuthenticationProvider}"/><!--add the following to log4j.properties for help with ldap debugging, Iwould comment it back out after your config is working--><!--  log4j.logger.org.springframework.security.ldap=DEBUG, stdout, fileout  --><!-- For LDAP authentication -->   <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">     <constructor-arg value="ldaps://ad.xx.xxx.xxx.xx:636/dc=xx,dc=xxx,dc=xxx,dc=xxx"/>   <propertyname="userDn"><value>cn=bind-account,cn=users,dc=xx,dc=xxx,dc=xxx,dc=xxx</value></property>     <property name="password"><value>supersecretpass</value></property><!-- Added the next line - To follow referrals in Java, you have to explicity tell     Java that you want the LDAP server to return the referral to you. In Java, the default is     for the Java LDAP library to tell the LDAP server not to follow referrals. -->     <property name="referral" value="follow"/>    </bean><!-- For LDAP authentication -->   <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">     <constructor-arg index="0"><value></value></constructor-arg><!-- sAMAccountName is used by Windows AD so we use it here --><!-- The filter below only searches the jasperusers AD group and the groups nested under it --><!-- :1.2.840.113556.1.4.1941:  is to search Windows 2008R2 Active Directory "Nested Groups" --><!-- If the following constructor-arg isn't all on one line it didn't work for me -->   <constructor-argindex="1"><value>(&(sAMAccountName={0})(&((objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=jasperusers,DC=xx,DC=xxx,DC=xxx,DC=xxx))))</value></constructor-arg>     <constructor-arg index="2"><ref local="ldapContextSource" /></constructor-arg>     <property name="searchSubtree"><value>true</value></property>   </bean><!-- For LDAP authentication -->   <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">     <constructor-arg>       <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">          <constructor-arg><ref local="ldapContextSource"/></constructor-arg>          <property name="userSearch"><ref local="userSearch"/></property>       </bean>     </constructor-arg>     <constructor-arg>       <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">          <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>          <constructor-arg index="1"><value></value></constructor-arg>          <property name="groupRoleAttribute"><value>cn</value></property>          <property name="convertToUpperCase"><value>true</value></property><!-- The next line adds ROLE_ to the group returned from AD/LDAP and needs to be added to match the Jasper roles -->          <property name="rolePrefix"><value>ROLE_</value></property><!--The groupSearchFilter below will sync the groups a user belongs to fromAD. Automatically syncing user roles with the Jasper server  --><!-- This example has the main AD Jasper group as jasperusers with all other Jasper groups under that. --><!--That allows us to only let the users in the jasperusers (and nestedgroups) group log in.  See the userSearch section above. --><!-- jasperusers --><!--  |->jasper_admin     --><!--      |->user1        --><!--  |->jasper_group1    --><!--      |->user2        --><!--      |->user3        --><!--  |->jasper_group3    --><!--      |->user4        --><!--  ... and so on...    -->        <propertyname="groupSearchFilter"><value>(&(member={0})(objectclass=group)(cn=jasper_*))</value></property>          <property name="searchSubtree"><value>true</value></property>       </bean>     </constructor-arg>   </bean><!-- This is the end of my modifications -->[/code]

A problem I had is that when I enabled ldaps it didn't even try to hit my AD/LDAP server to authenticate.  The logs just said that the credentials were invalid.  What I found is that when ldap and internal Jasper authentication were enabled it didn't put the ldap certificate error in the log.  Only when I disabled internal Jasper authentication did the certificate error show up.

The problem was with java/tomcat seeing the certificates.  We found that the certificates needed to be installed to:

/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts

To see the certificate you need to import can use the command:

openssl s_client -showcerts -connect yourserver:636

and copy/paste the certificate shown there into your keystore.

keytool -import -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -alias myserver -file myserver.crt

After making changes you have to restart tomcat, but it should now connect to ldap securely and only authenticate users in AD who are in a group under jasperusers.

I hope this helps....

[mgeise]

Thanks for following up with the documentation on how you got this to work!  I hope you don't mind, but I took your content and added it as a wiki page:  http://community.jaspersoft.com/wiki/secure-active-directorldap-authentication-groups

I added it with you as the contributor so that you get reputation points, etc. for the contribution.

Thanks again for following up with the information...this is what makes a community work!

[omarntfs]

Thank you