
Hugely unreliable LDAP Active Directory Integration


johnhenry


I'm having a few issues trying to get Active Directory integration working reliably in JasperServer 4 with our 2003 Windows domain using LDAP.

I have managed to authenticate and log in before with the applicationContext-security.xml file I have attached. Though it seems that it is very intermittent.

So far, out of around 100 login attempts, only a half a dozen or so have actually succeeded (settings not changed between login attempts). The rest just return the error as shown in the attached log file.

There are times when simply restarting the Jasper services allows me to log in temporarily with AD authentication, but it's very flaky. Does anyone have any ideas as to what might be causing such unreliable authentication?


Check following things.

1) Check if you really can use

<property name="userDn">
  <value>Administrator</value>
</property>

As far as I know, you have to use a full DN name as the value. Here is an example:
<property name="userDn"><value>CN=Servicer Serv,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value></property>

2) Check the userSearch bean. I am quite sure that the bad credentials error is caused by not being able to find the user.
 

Try to change

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value>OU=xxxxxxxx,OU=xxxxx,OU=xxxxxxxxxx</value>
  </constructor-arg>
  <!-- remaining constructor-args unchanged -->
</bean>

to

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value></value>
  </constructor-arg>
  <!-- remaining constructor-args unchanged -->
</bean>

It will allow searching the entire tree.
 
3) If it does not help, try to turn on the logs for the following packages. It will give you a bit more information.
log4j.logger.com.jaspersoft.jasperserver.multipleTenancy.MTUserAuthorityServiceImpl=DEBUG, stdout, fileout
log4j.logger.org.springframework.security.ldap=DEBUG, stdout, fileout
log4j.logger.org.springframework.security.providers.dao=DEBUG, stdout, fileout
log4j.logger.org.springframework.security.userdetails.ldap=DEBUG, stdout, fileout
log4j.logger.org.springframework.security.ui.webapp=DEBUG, stdout, fileout
log4j.logger.org.springframework.security.event.authentication=DEBUG, stdout, fileout
 
Let me know if it does not work for you.
 
 
 


Post Edited by f_chas01 at 05/09/2011 11:08

Surely if it finds the user's full name (displayed immediately after the 'Getting authorities for user' log entries) then it has found the user in the Active Directory. Doesn't that mean that the initial credentials and user search are OK?

Alas, the first and second suggestions you made didn't make any difference...

I'm about to turn on the extra logging and see if I can spot anything. I will post up a copy also.


All logging modules have been turned on as suggested and the output created upon a login attempt (which ultimately failed of course) has been attached.

(I haven't edited the log this time as I don't think they contain anything that could be a security risk at all.)

Thank you by the way for your help. 



Post Edited by johnhenry at 05/09/2011 12:30

It seems to fail while searching for the groups the user is assigned to (in the AD).

Try to check the following things.

1) Change the default ldapContextSource for searching for groups.

<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <!-- ... -->
  <constructor-arg index="1">
    <value />
  </constructor-arg>
  <!-- ... -->
</bean>

Here is an example:

<constructor-arg index="1"><value>cn=Users</value></constructor-arg>

In the Spring Security API it is said that you have to provide this parameter. Otherwise the search function will not work.

2) Check and recheck whether you can access your entire AD with the account you use to bind with AD. It might be that it is restricted in some way. (try LDAP Browser as a Tool)

 

When the roles are found you will see the following message:

2011-05-09 11:46:26,718 DEBUG DefaultLdapAuthoritiesPopulator,http-8484-3:202 - Searching for roles for user ....
2011-05-09 11:46:26,718 DEBUG SpringSecurityLdapTemplate,http-8484-3:148 - Using filter: ...
2011-05-09 11:46:26,734 DEBUG DefaultLdapAuthoritiesPopulator,http-8484-3:210 - Roles from search: [LAWUSER, LOCALUSER]

 



Post Edited by f_chas01 at 05/09/2011 12:53
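
The diagnosis in the reply above (the login fails during the group search, not during the bind or user search) can be read directly from the DEBUG log. The following is an added example, not part of the original posts or of JasperServer: a small Python triage that correlates log lines per request thread. The sample lines are constructed in the log format quoted in this thread, and the user names and verdict texts are assumptions.

```python
import re

# Layout of the log4j lines quoted in this thread:
# "<date> <time> <LEVEL> <Logger>,<thread>:<line> - <message>"
LINE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(\w+),(\S+):\d+ - (.*)$")

# Constructed sample lines (not taken from the attached logs).
SAMPLE = """\
2011-05-09 11:40:01,100 DEBUG DefaultLdapAuthoritiesPopulator,http-8484-3:202 - Searching for roles for user 'jdoe'
2011-05-09 11:40:01,350 WARN LoggerListener,http-8484-3:60 - Authentication event AuthenticationFailureBadCredentialsEvent: jdoe; exception: Bad credentials
2011-05-09 11:46:26,718 DEBUG DefaultLdapAuthoritiesPopulator,http-8484-3:202 - Searching for roles for user 'jdoe'
2011-05-09 11:46:26,734 DEBUG DefaultLdapAuthoritiesPopulator,http-8484-3:210 - Roles from search: [LAWUSER, LOCALUSER]
2011-05-09 11:46:26,750 WARN LoggerListener,http-8484-3:60 - Authentication event AuthenticationSuccessEvent: jdoe
2011-05-09 11:50:02,010  WARN LoggerListener,http-8484-5:60 - Authentication event AuthenticationFailureBadCredentialsEvent: asmith; exception: Bad credentials
""".splitlines()


def triage(lines):
    """Return one (timestamp, thread, verdict) tuple per failed login."""
    stage = {}      # thread -> last LDAP stage seen for the login in progress
    failures = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue    # stack traces and other non-matching lines
        ts, _level, _logger, thread, msg = m.groups()
        if msg.startswith("Searching for roles for user"):
            stage[thread] = "started"
        elif msg.startswith("Roles from search:"):
            stage[thread] = "done"
        elif "AuthenticationFailureBadCredentialsEvent" in msg:
            seen = stage.pop(thread, None)
            if seen == "started":
                verdict = "group search did not complete: check the populator's search base"
            elif seen == "done":
                verdict = "roles were found: failure is after the LDAP lookup"
            else:
                verdict = "no group search: check bind DN, password and userSearch"
            failures.append((ts, thread, verdict))
        elif "AuthenticationSuccessEvent" in msg:
            stage.pop(thread, None)   # worker threads are reused; reset state
    return failures


if __name__ == "__main__":
    for ts, thread, verdict in triage(SAMPLE):
        print(ts, thread, verdict, sep=" | ")
```
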

Brilliant!!!! Adding cn=Users under the DefaultLdapAuthoritiesPopulator bean appears to have solved the problem.

I have added the working file to help anyone else if they are having any problems connecting Jasper Server 4 to a Microsoft Active Directory.


  • 1 month later...

Hi,

Thanks for your reference regarding AD-Jasper integration.

I am a newbie to this Jasper application.

I took your "applicationContext-security.xml" file as a reference and am trying to integrate Jasper with AD.

While I am trying to log in to Jasper I am getting the following error:

 

2011-07-07 16:07:11,211  WARN LoggerListener,http-8080-2:60 - Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.11.3.173; SessionId: 6C78B91BA951E322B3DC1D67623CE833; exception: Bad credentials.

 

What could it be?

I have no clue why I'm getting all these errors. I tried to read as many threads as I could, but I'm still completely lost in this case.

I would appreciate some help from more experienced users.

 

 

 

 
