
JasperServer Authentication with LDAP / ActiveDirectory


f_chas01


I am trying to get my JasperServer authentication to work with Active Directory. I have encountered a problem which I have not been able to solve for a long time. It would be great if someone could take a look at it.

There is an error message in the jasperserver.log:

"2011-05-03 15:17:41,104  WARN LoggerListener,http-8484-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent: Administrator; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@2eb76: RemoteIpAddress: 127.0.0.1; SessionId: A5CD18C104C8CCD410A414B718CFEBC8; exception: Bad credentials"

Here is detailed Information on my System configuration:

I am using 2 machines in the same local network: 1) Windows Server 2008 with Active Directory on it; 2) JasperServer configured to authenticate via LDAP.

The configuration of ActiveDirectory can be seen here:

http://img218.imageshack.us/img218/7347/adconfiguration.png

I am able to access Active Directory on the JasperServer machine using LDAP Administrator. Providing the following credentials, I can browse the AD tree:

http://img585.imageshack.us/img585/7297/ldapadmin.png

The connection configuration is here:

applicationContext-security.xml

...

<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref bean="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>

...

<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
     <constructor-arg value="ldap://192.168.5.101:389/dc=corp,dc=ama-eve,dc=dyndns,dc=org"/>
     <property name="userDn"><value>CN=Administrator,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value></property>
     <property name="password"><value>mypassword</value></property>
</bean>

...

I tried the following:

- Changing the userDn value: same error

- Trying to use user accounts which do not exist in AD: same error

- Trying to disable LDAP authentication by commenting out <ref local="ldapAuthenticationProvider"/>: same error

- I do restart JasperServer each time after making changes

The fact that the error is always the same, even in the case when no LDAP authentication is configured at all, puzzles me.
Post Edited by f_chas01 at 05/03/2011 14:53



Post Edited by f_chas01 at 05/03/2011 14:55

Here are the steps I took. As I said, the configuration of my system is:

- Active Directory on Windows Server 2008 with the domain corp.ama-eve.dyndns.org
- I am able to bind to Active Directory on the machine where my WebApp is. For binding I use LDAP Administrator. The LDAP URL used in LDAP Administrator is ldap://192.168.5.101:389/DC=corp,DC=ama-eve,DC=dyndns,DC=org??one?(objectClass=*)
- Anonymous browsing of AD is forbidden. For browsing LDAP folders I can use different principals, like CN=Administrator,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org (Administrator@corp.ama-eve.dyndns.org) or CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org (service_acc@corp.ama-eve.dyndns.org)

I have added the LDAP provider in applicationContext-security.xml:
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref bean="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>

I have entered the correct LDAP URL (Spring Security can connect to the LDAP server, since it reacts when a wrong LDAP URL is entered):
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://192.168.5.101:389/DC=corp,DC=ama-eve,DC=dyndns,DC=org"/>
    <property name="userDn"><value>CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value></property>
    <property name="password"><value>MyPassword</value></property>
</bean>

I use userSearch for finding users (the provider bean was missing its closing </bean> tag in my paste; added here):
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
</bean>

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value>CN=Users</value></constructor-arg>
    <constructor-arg index="1"><value>(sAMAccountName={0})</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>

Symptoms:
- When I try to connect using credentials from ldap I get this:
2011-05-04 16:07:30,160  WARN LoggerListener,http-8484-5:60 - Authentication event AuthenticationFailureBadCredentialsEvent: Administrator; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: D5043C32241F76C089F3D182546C5239; exception: Bad credentials

- I've tried to change userDn for ldap bind to Administrator@corp.ama-eve.dyndns.org - nothing happens.

- Any changes to UserDN and Password in ldapContextSource have no effect. (logging in log4j.properties is set to log4j.logger.org.springframework.security.providers.ldap=ALL, stdout, fileout)

- Adding userDnPatterns to BindAuthenticator:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userDnPatterns">
                <list>
                    <value>sAMAccountName={0}, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
                    <value>sAMAccountName={0}, OU=Sales,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
                    <value>sAMAccountName={0}, OU=accounts,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
                </list>
            </property>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
...
generates the following log output:
2011-05-04 16:07:29,988 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
2011-05-04 16:07:30,020 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, OU=Sales,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
2011-05-04 16:07:30,051 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, OU=accounts,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]

- I have tried to change
<value>sAMAccountName={0}, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
to
<value>sAMAccountName={0}, CN=Users</value>
with no effect.

- I have tried to change the first constructor argument of FilterBasedLdapUserSearch from
<constructor-arg index="0"><value>CN=Users</value></constructor-arg>
to
<constructor-arg index="0"><value></value></constructor-arg>
with no effect.

- Changes in FilterBasedLdapUserSearch do not produce additional log output, so I can't trace it.
Post Edited by f_chas01 at 05/04/2011 14:29



Post Edited by f_chas01 at 05/04/2011 14:39
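Added example (not part of the thread and not the poster's code): a small Python triage routine that parses BindAuthenticator failures like the ones logged above, decodes the Active Directory sub-code carried in the `data` field of LDAP error 49 (525 is "user not found", a different condition from 52e "wrong password"), and flags bind DNs whose leading RDN is not CN=, since Active Directory names user objects by CN and cannot resolve a DN built as `sAMAccountName=...`. The first sample line is copied from the post; the second is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sub-codes AD puts in the "data" field of an LDAP error 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user found, wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LOG_RE = re.compile(
    r"Failed to bind as (?P<dn>.+?): .*?LDAP: error code (?P<code>\d+)"
    r" - [0-9A-Fa-f]+: LdapErr: DSID-[0-9A-Fa-f]+, comment: [^,]+,"
    r" data (?P<data>[0-9A-Fa-f]+)"
)

@dataclass
class BindFailure:
    dn: str
    code: int
    data: str
    reason: str
    rdn_hint: Optional[str]  # set when the DN itself cannot name an AD user

def parse_bind_failure(line: str) -> Optional[BindFailure]:
    m = LOG_RE.search(line)
    if not m:
        return None  # not a BindAuthenticator failure line
    dn, data = m.group("dn"), m.group("data").lower()
    # AD names user objects by CN; a DN whose first RDN uses another attribute
    # (e.g. sAMAccountName=) cannot be resolved, so the bind always yields 525.
    first_attr = dn.split("=", 1)[0].strip().lower()
    hint = None if first_attr == "cn" else (
        f"leading RDN '{first_attr}=' is not how AD names users; expected CN=")
    return BindFailure(dn, int(m.group("code")), data,
                       AD_BIND_SUBCODES.get(data, "unknown sub-code"), hint)

def triage(lines: List[str]) -> List[BindFailure]:
    return [f for f in map(parse_bind_failure, lines) if f is not None]

# Line 1 is copied from the post; line 2 is constructed (wrong password for a
# correctly named user) to contrast sub-code 525 with 52e.
SAMPLE_LINES = [
    "2011-05-04 16:07:29,988 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]",
    "2011-05-04 16:09:02,101 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as CN=jdoe,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771 ]",
]
```

Run `triage(SAMPLE_LINES)`: the first entry decodes to "user not found" with the RDN hint set, the second to a wrong-password failure with no hint.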