
help for ad authentication


GrayChan


I have read the JasperServer Authentication topic (http://jasperforge.org/sf/wiki/do/viewPage/projects.jasperserver/wiki/AuthenticationConfiguration) and configured my JasperServer according to it.

After configuration, I start JasperServer without errors. But what is the next step? I cannot log in using an AD account, and cannot import users via AD. The manual does not mention it.

Can anyone help me?

Post edited by: GrayChan, at: 2008/02/26 06:32


Hi,

 

I have this working using AD and bringing groups into Jasper whenever a user logs in. I have set it up so Jasper only imports groups with JASPER in the description (I did not want to load all groups from our AD).

 

There are three main sections you have to configure:

 

1) The credentials for the user Jasper uses to search/read AD. Change server.your.domain.com to your LDAP server, all references to your.domain.com to your domain, and username / username_password to a user who can connect to and search AD (this user should have minimal access to AD).

 

Code:

<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://server.your.domain.com:389/dc=your,dc=domain,dc=com"/>
  <property name="managerDn"><value>username@your.domain.com</value></property>
  <property name="managerPassword"><value>username_password</value></property>
  <property name="extraEnvVars">
    <map>
      <entry key="java.naming.referral">
        <value>follow</value>
      </entry>
    </map>
  </property>
</bean>

 

2) Where in AD to search and what to search for. Change ou=top_ou_to_search to the top OU that holds your accounts (I don't know if it will work for the root of the domain, so try a container first); this does not need to be the FQN, e.g. ou=users:

 

Code:
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value>ou=top_ou_to_search</value>
  </constructor-arg>
  <constructor-arg index="1">
    <value>(sAMAccountName={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="initialDirContextFactory" />
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

 

3) If you want to bring in groups, use the following; this includes the restriction to those with a description of JASPER, so you will have to remove that part.

 

Code:
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
      <property name="userSearch">
        <ref local="userSearch" />
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg>
        <ref local="initialDirContextFactory" />
      </constructor-arg>
      <constructor-arg>
        <value>ou=Group_ou</value>
      </constructor-arg>
      <property name="convertToUpperCase">
        <value>true</value>
      </property>
      <property name="rolePrefix">
        <value></value>
      </property>
      <property name="searchSubtree">
        <value>true</value>
      </property>
      <property name="groupSearchFilter">
        <!-- the LDAP '&' must be written as &amp; inside an XML file -->
        <value>(&amp;(description=*JASPER*)(member={0}))</value>
      </property>
      <property name="groupRoleAttribute">
        <value>cn</value>
      </property>
    </bean>
  </constructor-arg>
</bean>

 

Hope this helps.

 

Sean
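The following is an added example, not code from the thread or from JasperServer. It is an in-memory model of the three sections above, running the same two filters, (sAMAccountName={0}) and (&(description=*JASPER*)(member={0})), against constructed AD-like entries, with RFC 4515 escaping applied to the {0} substitution so that a username such as * or a)(b cannot widen the search. The OUs, users and group names are invented for illustration.

```python
"""Added example (not from the original thread or from JasperServer): an
in-memory model of the three Acegi sections, FilterBasedLdapUserSearch
with (sAMAccountName={0}) and DefaultLdapAuthoritiesPopulator with
(&(description=*JASPER*)(member={0})), run against constructed entries."""
import re

USER_BASE = "ou=top_ou_to_search,dc=your,dc=domain,dc=com"   # section 2 base
GROUP_BASE = "ou=Group_ou,dc=your,dc=domain,dc=com"          # section 3 base
SEAN = "cn=Sean Day,ou=Staff," + USER_BASE                    # invented user
SVC = "cn=svc-jasper,ou=Service,dc=your,dc=domain,dc=com"    # outside USER_BASE

# Constructed directory entries (attribute names lower-cased, values are lists).
DIRECTORY = {
    SEAN: {"samaccountname": ["sday"], "objectclass": ["user"]},
    SVC: {"samaccountname": ["svc-jasper"], "objectclass": ["user"]},
    "cn=Jasper_Admins," + GROUP_BASE: {
        "cn": ["Jasper_Admins"], "description": ["JASPER report admins"],
        "member": [SEAN]},
    "cn=Domain Users," + GROUP_BASE: {
        "cn": ["Domain Users"], "description": ["Everyone"],
        "member": [SEAN, SVC]},
}


def escape_filter_value(value):
    """RFC 4515: escape the characters that would otherwise change a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(text, pos):
    """Tiny recursive-descent parser: supports (&...), (|...), (attr=value)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, children, pos = text[pos], [], pos + 1
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), pos + 1          # consume the closing ')'
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, c) for c in node[1])
    if node[0] == "|":
        return any(matches(entry, c) for c in node[1])
    _, attr, pattern = node
    # A bare '*' is a wildcard; escaped bytes (\2a etc.) become literal text.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(base, filter_text):
    """searchSubtree=true: every entry whose DN ends with the base."""
    node = parse_filter(filter_text)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, node)]


def find_user_dn(username):
    """Section 2 (FilterBasedLdapUserSearch): exactly one hit, or no user."""
    hits = search(USER_BASE, "(sAMAccountName=%s)" % escape_filter_value(username))
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn):
    """Section 3 (DefaultLdapAuthoritiesPopulator): cn of each matching group,
    upper-cased, with the empty rolePrefix used in the thread's config."""
    flt = "(&(description=*JASPER*)(member=%s))" % escape_filter_value(user_dn)
    return sorted(DIRECTORY[g]["cn"][0].upper() for g in search(GROUP_BASE, flt))


if __name__ == "__main__":
    dn = find_user_dn("sday")
    print(dn, roles_for(dn))                       # Sean's DN, ['JASPER_ADMINS']
    print(find_user_dn("svc-jasper"), find_user_dn("*"))   # None None
```

The two things worth noticing: svc-jasper is a valid account but sits outside ou=top_ou_to_search, so section 2 never finds it (the OP's ou=HAPSH question later in the thread is exactly this), and Domain Users is a group Sean is a member of but its description lacks JASPER, so section 3 does not turn it into a role.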


Hi Sean Day,

Thanks very much for the help.

I have configured the applicationContext-security.xml file, but it failed as well.

Now I want to confirm the following issues:

1) I am not very clear on the 3rd section's function. Does it mean I can ignore it if I do not use groups?

2) After configuration, JasperServer starts normally. So how can I know JasperServer's status, i.e. whether it connected to the AD server successfully and retrieved accounts successfully or not?

If there is any error, where is the log stored? Is it "C:\Program Files\jasperserver-2.1\apache-tomcat\webapps\jasperserver\WEB-INF\logs"?

3) Which format of user name is fine: username@domain, domain\username or only username?


Hi,

 

 

In answer to your questions:

 

 

1) I think it is possible to configure Jasper not to bring the LDAP groups across, but using the settings below you do require the 3rd section. If you don't want it to bring the groups in, just change description=*JASPER* to a description that will never find any groups in your AD schema.

 

 

2) Yes, C:\Program Files\jasperserver-2.1\apache-tomcat\webapps\jasperserver\WEB-INF\logs is the correct place to check; you should have a log file called jasperserver.log.

 

 

3) I would use username@domain.

 

 

If it still does not work a couple of things worth mentioning are:

 

 

1) The web.xml file loads any file that matches applicationContext*.xml, so if you made a backup of the applicationContext-security.xml file it will be loaded if it matches the *.xml pattern above and cause a lot of confusion (change the extension to .bak).

 

 

2) Make sure you have un-commented the LDAPAuthenticationProvider in the authenticationManager section.

 

 

If it still does not work, upload the LDAP section of your .xml file (remove the managerDn password) and I will take a look.

 

 

Regards,

 

 

Sean


I tried today, but got the same error.

16:02:39,796 WARN LoggerListener,http-8080-Processor24:55 - Authentication event AuthenticationFailureBadCredentialsEvent: test@hasph; details: org.acegisecurity.ui.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 27AB21F9A4983D84FA7663ED94A5E123; exception: Bad credentials

 

Following is my xml code:

 

Code:

<!--
For LDAP authentication
-->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://hapsh-if.hapsh.com:389/dc=hapsh,dc=com"/>

  <!-- You may not need the next properties -->
  <property name="managerDn"><value>CN=test,DC=hapsh,DC=com</value></property>
  <property name="managerPassword"><value>********</value></property>
  <property name="extraEnvVars">
    <map>
      <entry key="java.naming.referral">
        <value>follow</value>
      </entry>
    </map>
  </property>
</bean>


<!--
For LDAP authentication
This bean is not used by default
-->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value>ou=HAPSH</value>
  </constructor-arg>
  <constructor-arg index="1">
    <value>(sAMAccountName={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="initialDirContextFactory" />
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>



<!--
For LDAP authentication
-->
<!-- ******************* -->
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
      <property name="userSearch">
        <ref local="userSearch" />
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg>
        <ref local="initialDirContextFactory" />
      </constructor-arg>
      <constructor-arg>
        <value>ou=HAPSH</value>
      </constructor-arg>
      <property name="convertToUpperCase">
        <value>true</value>
      </property>
      <property name="rolePrefix">
        <value></value>
      </property>
      <property name="searchSubtree">
        <value>true</value>
      </property>
      <property name="groupSearchFilter">
        <!-- the LDAP '&' must be written as &amp; inside an XML file -->
        <value>(&amp;(description=*HAPSH*)(member={0}))</value>
      </property>
      <property name="groupRoleAttribute">
        <value>cn</value>
      </property>
    </bean>
  </constructor-arg>
</bean>

 

Thanks a lot.


Hi,

 

 

The error message you are getting is an Invalid Credentials message; this means either your password is incorrect or the FQN you are using for the test account is not correct.

 

 

Can you confirm you have an account in Active Directory in the container CN=test,DC=hapsh,DC=com? This appears to be the root of your AD tree; are you sure it should not be cn=test,ou=hapsh,dc=hapsh,dc=com? This is the container you reference in the second and third sections of your xml.

 

 

Also, you appear to be getting an error message about connecting as test@hapsh, which does not match the configured managerDn information in the xml shown. I think your first section should be using something like the below:

 

 

 

Code:

<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://hapsh-if.hapsh.com:389/dc=hapsh,dc=com"/>

  <!-- You may not need the next properties -->
  <property name="managerDn"><value>test@hapsh.com</value></property>
  <property name="managerPassword"><value>********</value></property>
  <property name="extraEnvVars">
    <map>
      <entry key="java.naming.referral">
        <value>follow</value>
      </entry>
    </map>
  </property>
</bean>

 

Hope this helps. If not, I would suggest downloading LDAPBrowser from:

http://www-unix.mcs.anl.gov/~gawor/ldapcommon/bin/Browser282b2.zip

and using it to verify your credentials work as you expect them to.

 

Regards,

 

Sean
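The credential check Sean suggests doing with LDAPBrowser can also be done from a script. The following is an added example, not code from the thread or from JasperServer: a stdlib-only LDAPv3 simple bind that sends exactly what BindAuthenticator sends for managerDn/managerPassword (and for each user login), and decodes the "data 52e"-style sub-code that Active Directory puts in the diagnostic message of a failed bind, which jasperserver.log's plain "Bad credentials" does not show. The host, bind name and password are placeholders taken from the thread's config; the sub-code table is AD's documented set.

```python
"""Added example, not from the original thread or from JasperServer: a
stdlib-only LDAPv3 simple-bind probe that checks a managerDn/managerPassword
pair and decodes Active Directory's "data NNN" sub-code on failure."""
import re
import socket
import ssl

# AD sub-codes seen in "AcceptSecurityContext error, data NNN" (resultCode 49).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def encode_bind_request(message_id, name, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ 3, name, simple [0] } }.
    message_id is assumed to be below 128 so it fits one INTEGER byte."""
    bind = (tlv(0x02, bytes([3]))                   # version 3
            + tlv(0x04, name.encode("utf-8"))       # DN or user@domain (AD UPN)
            + tlv(0x80, password.encode("utf-8")))  # simple authentication
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                   # messageID
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)                 # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)                  # matchedDN
    _, diag, _ = _read_tlv(op, pos)                 # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def explain(result_code, diagnostic):
    if result_code == 0:
        return "bind succeeded"
    sub = re.search(r"data ([0-9a-f]{3})", diagnostic)
    if result_code == 49 and sub:
        return "bind failed: invalidCredentials, AD data %s = %s" % (
            sub.group(1), AD_SUBCODES.get(sub.group(1), "unknown sub-code"))
    return "bind failed: resultCode %d: %s" % (result_code, diagnostic)


def simple_bind(host, name, password, port=389, use_tls=False, timeout=5.0):
    """Plain LDAP on 389 sends the password in cleartext, exactly as the
    ldap:// URL in the thread does; use_tls=True with port 636 wraps the
    socket in TLS (LDAPS) instead."""
    sock = socket.create_connection((host, port), timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(encode_bind_request(1, name, password))
        data = sock.recv(4096)                      # a BindResponse is small
    return explain(*decode_bind_response(data))


if __name__ == "__main__":
    # Placeholders from the thread; point this at your own domain controller.
    print(simple_bind("hapsh-if.hapsh.com", "test@hapsh.com", "********"))
```

Run it once with the managerDn and once with a user account and the same bind name format JasperServer will use (Sean's advice is username@domain); data 52e means the password is wrong, data 525 means the name itself does not resolve, which is the distinction the thread is trying to make between CN=test,DC=hapsh,DC=com and test@hapsh.com. Because the password crosses the wire in the clear on port 389, prefer use_tls=True with port 636 against a production directory.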
