Secure Active Directory/LDAP/LDAPS Authentication for Groups


    jwilliam

    I struggled with this for quite a while and a kind soul on this site helped get me going in the right direction. I would like to post the steps in getting this working.

    Requirement

    We wanted to use Active Directory/LDAP to authenticate users, but only the ones in certain groups. We also wanted to use secure LDAP (LDAPS). We have our own internal Certificate Authority and issued the certificate for our AD/LDAP server.

    We already had other apps authenticating to AD/LDAP. FYI: by default AD does not allow an anonymous bind, so you need to make a read-only account for the initial bind. Its password is stored in clear text in applicationContext-security.xml, so give that account no more than read access to the directory and keep the file readable only by the Tomcat user.

    Working Configuration

    Here is the configuration that works for us, in applicationContext-security.xml (just the ldap section):

    <!--  Make sure you uncomment the ldapAuthenticationProvider line in the "providers" list of  -->
    <!--  the authenticationManager bean. Providers are tried in order, so LDAP is consulted      -->
    <!--  before the internal Jasper user database.                                              -->
    
        <ref local="ldapAuthenticationProvider" />
        <ref bean="${bean.daoAuthenticationProvider}" />
    
    <!-- add the following to log4j.properties for help with ldap debugging,    -->
    <!-- I would comment it back out after your config is working.              -->
    <!-- log4j.logger.org.springframework.security.ldap=DEBUG, stdout, fileout  -->
    
    <!-- For LDAP authentication. The class attributes below name the Spring Security 2.0.x      -->
    <!-- classes this bean layout corresponds to (DefaultSpringSecurityContextSource,            -->
    <!-- FilterBasedLdapUserSearch, LdapAuthenticationProvider with a BindAuthenticator and a    -->
    <!-- DefaultLdapAuthoritiesPopulator); the post as rendered had lost them.                   -->
    
        <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <!-- ldaps:// on 636: the bind password and every user's password travel over this -->
            <!-- connection, so do not fall back to ldap:// on 389.                              -->
            <constructor-arg value="ldaps://ad.xx.xxx.xxx.xx:636/dc=xx,dc=xxx,dc=xxx,dc=xxx" />
            <!-- Read-only account for the initial bind (AD refuses anonymous binds) -->
            <property name="userDn">
                <value>cn=bind-account,cn=users,dc=xx,dc=xxx,dc=xxx,dc=xxx</value>
            </property>
            <property name="password">
                <value>supersecretpass</value>
            </property>
    
            <!-- Added the next line - To follow referrals in Java, you have to explicitly tell Java  -->
            <!-- that you want the LDAP server to return the referral to you. In Java, the default is -->
            <!-- for the Java LDAP library to tell the LDAP server not to follow referrals.           -->
            <!-- Searching from an AD domain root returns referrals for the other naming contexts;    -->
            <!-- without this setting JNDI throws PartialResultException when it reaches them.        -->
            <property name="referral" value="follow" />
        </bean>
    
        <!-- For LDAP authentication -->
        <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <!-- Empty search base: search from the base DN given in the URL above -->
            <constructor-arg index="0"><value /></constructor-arg>
            <!-- sAMAccountName is the Windows logon name, so we match on it rather than uid              -->
            <!-- The filter below only matches members of the jasperusers AD group and the groups nested -->
            <!-- under it. :1.2.840.113556.1.4.1941: is LDAP_MATCHING_RULE_IN_CHAIN, the AD extensible   -->
            <!-- match that walks nested group membership (Windows Server 2003 SP2 and later)            -->
            <!-- {0} is the login name; Spring passes it to JNDI as a filter argument, so it is escaped  -->
            <!-- and a crafted user name cannot rewrite the filter                                       -->
            <!-- If the following constructor-arg isn't all on one line it didn't work for me -->
            <constructor-arg index="1">
                <value>(&amp;(sAMAccountName={0})(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=jasperusers,DC=xx,DC=xxx,DC=xxx,DC=xxx))</value>
            </constructor-arg>
            <constructor-arg index="2">
                <ref local="ldapContextSource" />
            </constructor-arg>
            <property name="searchSubtree">
                <value>true</value>
            </property>
        </bean>
    
        <!-- For LDAP authentication -->
        <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
            <!-- First argument: how to authenticate. BindAuthenticator locates the user with userSearch -->
            <!-- and then binds to AD as that user's DN with the submitted password.                     -->
            <constructor-arg>
                <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg>
                        <ref local="ldapContextSource" />
                    </constructor-arg>
                    <property name="userSearch">
                        <ref local="userSearch" />
                    </property>
                </bean>
            </constructor-arg>
            <!-- Second argument: how to load the user's roles once authenticated -->
            <constructor-arg>
                <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg index="0">
                        <ref local="ldapContextSource" />
                    </constructor-arg>
                    <!-- Empty group search base: again relative to the base DN in the URL -->
                    <constructor-arg index="1">
                        <value></value>
                    </constructor-arg>
                    <property name="groupRoleAttribute">
                        <value>cn</value>
                    </property>
                    <property name="convertToUpperCase">
                        <value>true</value>
                    </property>
    
                    <!-- The next line adds ROLE_ to the group returned from AD/LDAP
                         and needs to be added to match the Jasper roles -->
    
                    <property name="rolePrefix">
                        <value>ROLE_</value>
                    </property>
    
                    <!-- The groupSearchFilter below will sync the groups a user belongs to from AD,
                         automatically syncing user roles with the Jasper server. -->
                    <!-- This example has the main AD Jasper group as jasperusers with all other
                         Jasper groups under that. -->
                    <!-- That allows us to only let the users in the jasperusers (and nested groups)
                         group log in.  See the userSearch section above. -->
    
                    <!-- jasperusers          -->
                    <!--  |->jasper_admin     -->
                    <!--      |->user1        -->
                    <!--  |->jasper_group1    -->
                    <!--      |->user2        -->
                    <!--      |->user3        -->
                    <!--  |->jasper_group3    -->
                    <!--      |->user4        -->
                    <!--  ... and so on...    -->
    
                    <!-- Here {0} is the authenticated user's DN ({1} would be the login name).          -->
                    <!-- (member={0}) is direct membership only: a user who is only a member of a group   -->
                    <!-- nested below a jasper_* group can log in (userSearch is transitive) but gets no   -->
                    <!-- role from it. Use (member:1.2.840.113556.1.4.1941:={0}) if roles should be       -->
                    <!-- transitive too. A group named jasper_admin becomes ROLE_JASPER_ADMIN.            -->
                    <property name="groupSearchFilter">
                        <value>(&amp;(member={0})(objectclass=group)(cn=jasper_*))</value>
                    </property>
                    <property name="searchSubtree">
                        <value>true</value>
                    </property>
                </bean>
            </constructor-arg>
        </bean>
        <!-- This is the end of my modifications -->
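    To see exactly what the two filters above decide, here is an added example (not code from the post, Spring Security or JasperServer) that models the userSearch filter and the groupSearchFilter against a small constructed in-memory directory; the DNs, the regional_team group and the user4 account are assumptions. It shows the asymmetry worth knowing about: userSearch uses the nested-group matching rule, so a user several groups below jasperusers can log in, but the groupSearchFilter's plain member={0} only sees direct membership, so that user gets no ROLE_. It also shows the RFC 4515 escaping JNDI applies to the {0} argument.

```python
"""Offline model of the two lookups the configuration above makes against AD.

Added example, not code from the post, Spring Security or JasperServer. The
directory below is constructed sample data; the DNs, the regional_team group
and the user4 account are assumptions made for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

BASE_DN = "DC=xx,DC=xxx,DC=xxx,DC=xxx"
GROUPS = "OU=Groups," + BASE_DN
USERS = "CN=Users," + BASE_DN
JASPER_USERS_DN = "CN=jasperusers," + GROUPS

# Constructed in-memory directory: DN -> attribute -> values. AD derives memberOf
# from the member attribute of groups, so modelling member alone is enough.
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    JASPER_USERS_DN: {"objectclass": {"group"},
                      "member": {"CN=jasper_admin," + GROUPS, "CN=jasper_group1," + GROUPS}},
    "CN=jasper_admin," + GROUPS: {"objectclass": {"group"}, "member": {"CN=user1," + USERS}},
    "CN=jasper_group1," + GROUPS: {"objectclass": {"group"},
                                   "member": {"CN=user2," + USERS, "CN=regional_team," + GROUPS}},
    # nested under jasper_group1 but not named jasper_*
    "CN=regional_team," + GROUPS: {"objectclass": {"group"}, "member": {"CN=user3," + USERS}},
    "CN=user1," + USERS: {"objectclass": {"user"}, "sAMAccountName": {"user1"}},
    "CN=user2," + USERS: {"objectclass": {"user"}, "sAMAccountName": {"user2"}},
    "CN=user3," + USERS: {"objectclass": {"user"}, "sAMAccountName": {"user3"}},
    "CN=user4," + USERS: {"objectclass": {"user"}, "sAMAccountName": {"user4"}},  # in no Jasper group
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a filter. This is what JNDI
    does with the {0} argument of the userSearch filter; a filter built by string
    concatenation instead would let a login name like 'x)(objectclass=*' rewrite it."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def cn_of(dn: str) -> str:
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_groups(dn: str) -> Set[str]:
    """Groups whose member attribute lists dn: the plain (member={0}) match."""
    return {g for g, attrs in DIRECTORY.items()
            if "group" in attrs["objectclass"] and dn in attrs.get("member", set())}


def transitive_groups(dn: str) -> Set[str]:
    """What memberOf:1.2.840.113556.1.4.1941:= evaluates: every group reachable
    through nested membership. The visited set makes group cycles terminate."""
    seen: Set[str] = set()
    todo = [dn]
    while todo:
        for group in direct_groups(todo.pop()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def user_search(sam_account_name: str) -> Optional[str]:
    """The userSearch filter: a user object with this sAMAccountName that is a
    direct or nested member of jasperusers. Returns the DN to bind as, or None
    (AD compares both attributes case-insensitively)."""
    wanted = sam_account_name.lower()
    for dn, attrs in DIRECTORY.items():
        if "user" not in attrs["objectclass"]:
            continue
        if wanted not in {v.lower() for v in attrs.get("sAMAccountName", set())}:
            continue
        if JASPER_USERS_DN.lower() in {g.lower() for g in transitive_groups(dn)}:
            return dn
    return None


def roles_for(user_dn: str) -> List[str]:
    """DefaultLdapAuthoritiesPopulator with (&(member={0})(objectclass=group)(cn=jasper_*)):
    direct membership only, cn upper-cased and prefixed with ROLE_."""
    return sorted("ROLE_" + cn_of(g).upper() for g in direct_groups(user_dn)
                  if cn_of(g).lower().startswith("jasper_"))


def authenticate(sam_account_name: str) -> Tuple[bool, List[str]]:
    """Login decision plus role set. The bind with the user's password is assumed
    to have succeeded; only the two searches are modelled."""
    dn = user_search(sam_account_name)
    if dn is None:
        return False, []
    return True, roles_for(dn)


if __name__ == "__main__":
    for name in ("user1", "user2", "user3", "user4"):
        print(name, authenticate(name))   # user3 logs in but gets no role
    print(escape_filter_value("user1)(objectclass=*"))
```

    In this model user3 is admitted (regional_team sits under jasper_group1) yet receives no role, which is the behaviour the real configuration produces for the same tree; if that is not what you want, make the member match in groupSearchFilter use the same matching rule, or keep every group that should grant access named jasper_* and directly containing its users.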
    

    Troubleshooting: Setting Up Secure LDAP

    A problem I had is that when I enabled LDAPS it didn't even try to hit my AD/LDAP server to authenticate. The logs just said that the credentials were invalid. What I found is that when LDAP and internal Jasper authentication were both enabled it didn't put the LDAP certificate error in the log. Only when I disabled internal Jasper authentication did the certificate error show up.

    The problem was with Java/Tomcat seeing the certificates. We found that the certificates needed to be installed to:

    /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts

    To see the certificate chain you need to import, use:

    openssl s_client -showcerts -connect yourserver:636
    

    Save the PEM block you want to trust (everything from BEGIN CERTIFICATE to END CERTIFICATE) to a file such as myserver.crt and import it into the keystore. Prefer the certificate of your internal CA, which is the last block in the chain s_client prints or can be exported from the CA itself, over the server's own certificate: trust in the CA survives renewal of the server certificate, while a pinned leaf has to be re-imported every time. keytool prompts for the keystore password, which is changeit for a stock JDK cacerts.

    keytool -import -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -alias myserver -file myserver.crt
    

    Note that this cacerts file belongs to the JDK, so a JDK upgrade replaces it and the import has to be repeated. Also use the server's host name in the ldaps:// URL exactly as the certificate names it, not an IP address or a short alias: JDK 8u181 and later verify the LDAPS host name against the certificate, so a mismatch that a Java 6 JVM accepts will fail after an upgrade.

    After making changes you have to restart Tomcat, but it should now connect to LDAP securely and only authenticate users in AD who are in a group under jasperusers.
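    An added example (not from the post) of the certificate step in Python: it parses the output of openssl s_client -showcerts, picks the CA certificate rather than the server's leaf, checks that the host in the ldaps:// URL is the one the certificate names, and builds the keytool command. The s_client transcript, host name, alias, file names and CA name are constructed assumptions, and the PEM bodies are placeholders rather than real certificates.

```python
"""Choose what to import into the JVM truststore from `openssl s_client -showcerts`.

Added example, not code from the post. SAMPLE_SHOWCERTS is a constructed transcript
in OpenSSL 1.1 output style with placeholder PEM bodies, not real certificates; the
host name, alias, file names and CA name are assumptions.
"""
import re
import subprocess
from typing import List, NamedTuple

SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ad.xx.xxx.xxx.xx
   i:CN = Internal Root CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-for-the-server-certificate...
-----END CERTIFICATE-----
 1 s:CN = Internal Root CA
   i:CN = Internal Root CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-for-the-ca-certificate...
-----END CERTIFICATE-----
---
"""


class ChainEntry(NamedTuple):
    depth: int      # 0 is the server's own certificate
    subject: str
    issuer: str
    pem: str


# One chain entry: " N s:<subject>" / "   i:<issuer>" followed by its PEM block.
_ENTRY_RE = re.compile(
    r"^\s*(\d+) s:(.*?)\n\s*i:(.*?)\n(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S)


def fetch_showcerts(host: str, port: int = 636) -> str:
    """Live equivalent of SAMPLE_SHOWCERTS (needs openssl and network; unused offline)."""
    proc = subprocess.run(["openssl", "s_client", "-showcerts", "-connect", "%s:%d" % (host, port)],
                          input=b"", stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=False)
    return proc.stdout.decode("utf-8", "replace")


def parse_chain(showcerts_output: str) -> List[ChainEntry]:
    """Split the 'Certificate chain' section into (depth, subject, issuer, PEM)."""
    return [ChainEntry(int(d), s.strip(), i.strip(), pem + "\n")
            for d, s, i, pem in _ENTRY_RE.findall(showcerts_output)]


def pick_trust_anchor(chain: List[ChainEntry]) -> ChainEntry:
    """The certificate to put in cacerts: the self-signed CA if the server sent it,
    otherwise the highest issuer it did send. Trusting the CA instead of the leaf
    keeps working when the server's own certificate is renewed."""
    for entry in chain:
        if entry.subject == entry.issuer:
            return entry
    return max(chain, key=lambda e: e.depth)


def hostname_matches(chain: List[ChainEntry], ldaps_host: str) -> bool:
    """JDK 8u181 and later check that the host in ldaps://HOST:636 matches the leaf
    certificate (CN here; real certificates usually carry a SAN as well), so a
    trusted CA alone is not enough when the URL uses an IP or a short alias."""
    leaf = min(chain, key=lambda e: e.depth)
    match = re.search(r"CN\s*=\s*([^,/]+)", leaf.subject)
    return bool(match) and match.group(1).strip().lower() == ldaps_host.lower()


def keytool_import_cmd(cert_file: str, alias: str, cacerts: str,
                       storepass: str = "changeit") -> List[str]:
    """keytool invocation for the import. 'changeit' is the JDK's default cacerts
    password; -trustcacerts lets keytool validate the new entry against the store."""
    return ["keytool", "-import", "-trustcacerts", "-noprompt", "-keystore", cacerts,
            "-storepass", storepass, "-alias", alias, "-file", cert_file]


def prepare_import(showcerts_output: str, ldaps_host: str, cacerts: str,
                   alias: str = "internal-ca") -> List[str]:
    """Write the chosen certificate to <alias>.crt and return the keytool command
    (not executed, so this runs without a JDK or a reachable directory server)."""
    chain = parse_chain(showcerts_output)
    if not chain:
        raise ValueError("no certificate chain in s_client output")
    if not hostname_matches(chain, ldaps_host):
        raise ValueError("server certificate is not issued to %s" % ldaps_host)
    cert_file = alias + ".crt"
    with open(cert_file, "w") as fh:
        fh.write(pick_trust_anchor(chain).pem)
    return keytool_import_cmd(cert_file, alias, cacerts)


if __name__ == "__main__":
    # Live: prepare_import(fetch_showcerts("ad.xx.xxx.xxx.xx"), "ad.xx.xxx.xxx.xx", CACERTS)
    CACERTS = "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts"
    print(" ".join(prepare_import(SAMPLE_SHOWCERTS, "ad.xx.xxx.xxx.xx", CACERTS)))
```

    Against a live server pass fetch_showcerts(host) instead of the sample; the printed keytool command still has to be run by a user who can write to cacerts, followed by a Tomcat restart. The host-name check is stricter than a Java 6 JVM itself is, since JNDI did not verify LDAPS host names before JDK 8u181, which is exactly why it is worth applying now rather than discovering the mismatch on upgrade.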

