huwtrimet.org Posted August 26, 2008 Share Posted August 26, 2008 Finally, it took me and another network engineer on and off for 2 weeks and WireShark monitoring to figure out how to configure the LDAP with SAMAccoountName authentication. Now I wonder, maybe the pay for incident service is worth the money if you can save me the time figuring out the configuration.The trick for LDAP authentication to work with SAMAccountName is to use UserSearch bean ONLY. You can not use BindAuthenticate with SAMAccountName.Also, there is a timing issue with the UserSearch, if you had the DAO authentication on while LDAP on, your DAO may reject the LDAP when LDAP user search is slow.Here is the code to make it work inside applicationContext-security.xml.<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory"> <constructor-arg value="ldap://server:port/dc=blah,dc=blah" /> <property name="managerDn"><value>CN=blah,OU=blah,DC=blah,DC=blah</value></property> <property name="managerPassword"><value>blah</value></property> <!-- must have for user search from root --> <property name="extraEnvVars"> <map> <entry> <key><value>java.naming.referral</value></key> <value>follow</value> </entry> </map> </property> </bean> <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch"> <constructor-arg> <value>OU=blah</value> </constructor-arg> <constructor-arg> <value>(sAMAccountName={0})</value> </constructor-arg> <constructor-arg> <ref local="initialDirContextFactory" /> </constructor-arg> <property name="searchSubtree"> <value>true</value> </property> <!-- must have for user search to work --> <property name="derefLinkFlag"> <value>true</value> </property> </bean> <!-- For LDAP authentication --> <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> <constructor-arg> <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> <property name="userSearch"> <ref local="userSearch" /> </property> </bean> </constructor-arg> <constructor-arg> <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg> <constructor-arg index="1"><value></value></constructor-arg> <property name="groupRoleAttribute"><value>OU=blah</value></property> <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> --> </bean> </constructor-arg> </bean> Link to comment Share on other sites More sharing options...
gabrielinux Posted September 24, 2008 Share Posted September 24, 2008 Very cool. There is also more information here for those who are looking for AD integration:http://blog-gabriel.mongefranco.com/2008/06/active-directory-ad-authentication-for.html Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now