
JasperReports Server 5.2 Active Directory Integration


jaspersoft_28


Apologies for yet another AD integration question :)

I've got a fresh install of JasperReports Server 5.2 on Windows Server 2008 R2 and I'm trying to configure AD authentication but logins always fail.

I've copied the sample applicationContext-externalAuth-LDAP.xml file into the WEB-INF folder and customised it:

<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
 <constructor-arg>
  <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
   <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
   <property name="userSearch" ref="userSearch"/>
  </bean>
 </constructor-arg>
 <constructor-arg>
  <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
   <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
   <constructor-arg index="1"><value></value></constructor-arg>
   <property name="groupRoleAttribute" value="cn"/>
   <property name="groupSearchFilter" value="((member={0})(objectClass=group))"/>
   <property name="searchSubtree" value="true"/>
   <!-- Can setup additional external default roles here
   <property name="defaultRole" value="LDAP"/> -->
  </bean>
 </constructor-arg>
</bean>

<bean id="userSearch"
   class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
 <constructor-arg index="0">
  <value></value>
 </constructor-arg>
 <constructor-arg index="1">
  <value>((sAMAccountName={0})(objectClass=user))</value>
 </constructor-arg>
 <constructor-arg index="2">
  <ref local="ldapContextSource" />
 </constructor-arg>
 <property name="searchSubtree">
  <value>true</value>
 </property>
</bean>

<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
 <constructor-arg value="ldap://hostname:389/dc=domain,dc=local"/>
 <!-- manager user name and password (may not be needed)  -->
 <property name="userDn" value="Administrator"/>
 <property name="password" value="password"/>
</bean>

Actual Hostname, Domain name and Password have been removed in the above. Our AD is set up a bit strangely in that users are spread across several OUs, so I've left the branch DN properties empty and attempted to limit the search to entries with a certain objectClass (user or group).

I've enabled debug level logging for org.springframework.security and com.jaspersoft.jasperserver.api.security but I'm not getting anything particularly informative in the logs:

2013-09-03 10:12:32,882 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:252 - Request is to process authentication
2013-09-03 10:12:32,884 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
2013-09-03 10:12:32,888 DEBUG FilterBasedLdapUserSearch,http-bio-80-exec-6:109 - Searching for user 'username', with user search [ searchFilter: '((sAMAccountName={0})(objectClass=user))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-03 10:12:32,905 DEBUG SpringSecurityLdapTemplate,http-bio-80-exec-6:197 - Searching for entry in under DN 'dc=domain,dc=local', base = '', filter = '((sAMAccountName={0})(objectClass=user))'
2013-09-03 10:12:32,933 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
2013-09-03 10:12:32,940  WARN LoggerListener,http-bio-80-exec-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F8EA36A4CF952E3DE41E7211B4EB529D; exception: Bad credentials
2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:406 - Updated SecurityContextHolder to contain null Authentication
2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:412 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
2013-09-03 10:12:32,943 DEBUG HttpSessionContextIntegrationFilter,http-bio-80-exec-6:255 - SecurityContextHolder now cleared, as request processing completed

Any suggestions gratefully received. I've played around with the settings in the externalAuth XML file but nothing seems to make a difference to the log or the login failures.

Cheers, Matt

Edit:

Apologies, code formatting not working particularly well, here's a screengrab of the XML:

xml(2).png.57324d945087b54e66a3a87645cdf33c.png

Link to comment

Unfortunately configuring users and roles for LDAP/AD is quite complex, and you have to get it right in order to be able to find your users.  To set this up, you need to look at your LDIF file and dig through your tree to determine the right settings to use.  If you can upload your LDIF file, or some kind of sanitized version, people would be better able to help you.

One thing to note - external authentication in JRS uses standard Spring Security 2.x for LDAP for the user and role configuration. If you are connecting correctly to your LDAP and the problem is in the user and role mapping, there are probably a number of forums where the community has more experience in configuring these kinds of things. For example, there is a forum about LDAP and Spring:

http://forum.springsource.org/forumdisplay.php?40-LDAP

The only caveat is JRS uses Spring 2.x while 3.x is the latest.  I looked closely at the doc for the two versions, and I think there are a couple of new features in 3.x, but no real change to pre-existing functionality.

If you find a resolution, or a good location to ask questions, it would be helpful if you post that information for the rest of us.

 

Link to comment

Thanks for taking the time to answer, I've discovered that I needed an ampersand in front of the two conditions in my filters - LDAP filters need the operator before the conditions if you have more than one condition in the filter - still not authenticating successfully though and I'm still not getting any failure info in the logs.
Link to comment

So I discovered that my filters were bad - ((objectClass=user)(sAMAccountName={0})) should have been (&(objectClass=user)(sAMAccountName={0})), the boolean operator comes before the conditions.  If you want an OR condition the equivalent is (|(condition1)(condition2)).

I'm getting what seems to be a successful user lookup in the logs, authentication still failing though.

Log:

Request is to process authentication
Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
Searching for user 'username', with user search [ searchFilter: '(&(objectClass=user)(sAMAccountName={0}))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-11 15:25:16,384 DEBUG SpringSecurityLdapTemplate,http-bio-80-exec-9:197 - Searching for entry in under DN 'dc=datagraphic,dc=local', base = '', filter = '(&(objectClass=user)(sAMAccountName={0}))'
Found DN: cn=User Name,ou=VPN Users with Group Policy
Ignoring PartialResultException
Attemptimg to bind as cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local
Creating context with principal: 'cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local'
Getting authorities for user cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local
Searching for roles for user 'username', DN = 'cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local', with filter (&(objectClass=group)(member={0})) in search base ''
Using filter: (&(objectClass=group)(member=cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local))
 
All good so far, then it just changes to trying the InternalDaoAuthenticationProvider which obviously fails:
 
Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A295A7A8D37C214BA1D2F8397CB21190; exception: Bad credentials
Updated SecurityContextHolder to contain null Authentication
Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
SecurityContextHolder now cleared, as request processing completed
 
Any ideas what classes I need to enable logging for in order to see more info about the LDAP failure I presume is happening before it tries the InternalDao provider?
 
Cheers, Matt
 
Link to comment

Here are some logger classes to try:

 

org.springframework.security

org.springframework.security.ldap (subset of above related to ldap)

(You may have these two already)

 

com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth (JRS logging around ext auth)

com.jaspersoft.jasperserver.api.security.externalAuth (JRS logging single tenancy subset)

 

The JRS logging may not be too helpful however, because it often just gets the messages from LDAP or Spring, which can be pretty generic.

 

Link to comment

Matt,

It looks like the groupSearchFilter property in DefaultLdapAuthoritiesPopulator is also missing &.  If adding that does not resolve the authentication issue, I recommend dropping the DefaultLdapAuthoritiesPopulator property altogether until you can login.  DefaultLdapAuthoritiesPopulator is responsible for extracting user roles.  If you remove it, the authenticated users will be roleless.  But this is fine since JasperServer assigns a default ROLE_USER.

 

 

Link to comment
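
Added example, not part of any post above and not Jaspersoft or Spring code: a small Python linter that pulls every filter-like string out of a Spring beans file and checks it against the prefix grammar discussed in the thread (operator first, then the conditions), so a missing & in the user filter or in groupSearchFilter is caught before a login attempt. The function names and the sample file are constructed for illustration; note that inside the XML file the operator has to be written as `&amp;`.

```python
import xml.etree.ElementTree as ET

def parse_filter(s, i=0):
    """Parse one RFC 4515 filter at s[i]; return the index just past it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, count = s[i], i + 1, 0
        while s[i:i + 1] == "(":  # operands follow the operator
            i, count = parse_filter(s, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
    elif s[i:i + 1] == "(":
        raise ValueError(f"'(' at offset {i} without a leading &, | or !")
    else:  # simple condition: attribute=value
        item, sep, _ = s[i:].partition(")")
        if not sep or "=" not in item or item.startswith("=") or "(" in item:
            raise ValueError(f"malformed condition at offset {i}")
        i += len(item)
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(text):
    """Return None for a well-formed filter, else the reason it is rejected."""
    try:
        end = parse_filter(text)
    except ValueError as exc:
        return str(exc)
    return None if end == len(text) else f"unexpected text at offset {end}"

def lint_context(xml_text):
    """Check every filter-like string in a Spring beans file; return {filter: problem}."""
    results = {}
    for el in ET.fromstring(xml_text).iter():
        is_value = el.tag.rsplit("}", 1)[-1] == "value"  # <value>, any namespace
        for text in (el.get("value"), el.text if is_value else None):
            if text and text.strip().startswith("("):
                results[text.strip()] = check_filter(text.strip())
    return results

# Constructed sample, cut down from the configuration posted in the thread.
SAMPLE = """<beans>
  <property name="groupSearchFilter" value="((member={0})(objectClass=group))"/>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</beans>"""

if __name__ == "__main__":
    print(lint_context(SAMPLE))
```
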