jaspersoft_28 Posted September 3, 2013

Apologies for yet another AD integration question :)

I've got a fresh install of JasperReports Server 5.2 on Windows Server 2008 R2 and I'm trying to configure AD authentication, but logins always fail.

I've copied the sample applicationContext-externalAuth-LDAP.xml file into the WEB-INF folder and customised it:

[code]
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
      <property name="userSearch" ref="userSearch"/>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
      <constructor-arg index="1"><value></value></constructor-arg>
      <property name="groupRoleAttribute" value="cn"/>
      <property name="groupSearchFilter" value="((member={0})(objectClass=group))"/>
      <property name="searchSubtree" value="true"/>
      <!-- Can setup additional external default roles here
      <property name="defaultRole" value="LDAP"/> -->
    </bean>
  </constructor-arg>
</bean>

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0">
    <value></value>
  </constructor-arg>
  <constructor-arg index="1">
    <value>((sAMAccountName={0})(objectClass=user))</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="ldapContextSource" />
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
  <constructor-arg value="ldap://hostname:389/dc=domain,dc=local"/>
  <!-- manager user name and password (may not be needed) -->
  <property name="userDn" value="Administrator"/>
  <property name="password" value="password"/>
</bean>
[/code]

The actual hostname, domain name and password have been removed in the above. Our AD is set up a bit strangely in that users are spread across several OUs, so I've left the branch DN properties empty and attempted to limit the search to entries with a certain objectClass (user or group).

I've enabled debug level logging for org.springframework.security and com.jaspersoft.jasperserver.api.security, but I'm not getting anything particularly informative in the logs:

[code]
2013-09-03 10:12:32,882 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:252 - Request is to process authentication
2013-09-03 10:12:32,884 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
2013-09-03 10:12:32,888 DEBUG FilterBasedLdapUserSearch,http-bio-80-exec-6:109 - Searching for user 'username', with user search [ searchFilter: '((sAMAccountName={0})(objectClass=user))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-03 10:12:32,905 DEBUG SpringSecurityLdapTemplate,http-bio-80-exec-6:197 - Searching for entry in under DN 'dc=domain,dc=local', base = '', filter = '((sAMAccountName={0})(objectClass=user))'
2013-09-03 10:12:32,933 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
2013-09-03 10:12:32,940 WARN LoggerListener,http-bio-80-exec-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F8EA36A4CF952E3DE41E7211B4EB529D; exception: Bad credentials
2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:406 - Updated SecurityContextHolder to contain null Authentication
2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:412 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
2013-09-03 10:12:32,943 DEBUG HttpSessionContextIntegrationFilter,http-bio-80-exec-6:255 - SecurityContextHolder now cleared, as request processing completed
[/code]

Any suggestions gratefully received. I've played around with the settings in the externalAuth XML file, but nothing seems to make a difference to the log or the login failures.

Cheers, Matt

Edit: Apologies, code formatting not working particularly well, here's a screengrab of the XML:
elizam Posted September 4, 2013

Unfortunately configuring users and roles for LDAP/AD is quite complex, and you have to get it right in order to be able to find your users. To set this up, you need to look at your LDIF file and dig through your tree to determine the right settings to use. If you can upload your LDIF file, or some kind of sanitized version, people would be better able to help you.

One thing to note - external authentication in JRS uses standard Spring Security 2.x for LDAP for the user and role configuration. If you are connecting correctly to your LDAP and the problem is in the user and role mapping, there are probably a number of forums where the community has more experience in configuring these kinds of things. For example, there is a forum about LDAP and Spring:

http://forum.springsource.org/forumdisplay.php?40-LDAP

The only caveat is JRS uses Spring 2.x while 3.x is the latest. I looked closely at the doc for the two versions, and I think there are a couple of new features in 3.x, but no real change to pre-existing functionality.

If you find a resolution, or a good location to ask questions, it would be helpful if you post that information for the rest of us.
jaspersoft_28 Posted September 11, 2013 (Author)

Thanks for taking the time to answer. I've discovered that I needed an ampersand in front of the two conditions in my filters - LDAP filters need the operator before the conditions if you have more than one condition in the filter - still not authenticating successfully though, and I'm still not getting any failure info in the logs.
jaspersoft_28 Posted September 11, 2013 (Author)

So I discovered that my filters were bad - ((objectClass=user)(sAMAccountName={0})) should have been (&(objectClass=user)(sAMAccountName={0})); the boolean operator comes before the conditions. If you want an OR condition the equivalent is (|(condition1)(condition2)).

I'm getting what seems to be a successful user lookup in the logs, authentication still failing though.

Log:

[code]
Request is to process authentication
Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
Searching for user 'username', with user search [ searchFilter: '(&(objectClass=user)(sAMAccountName={0}))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-11 15:25:16,384 DEBUG SpringSecurityLdapTemplate,http-bio-80-exec-9:197 - Searching for entry in under DN 'dc=datagraphic,dc=local', base = '', filter = '(&(objectClass=user)(sAMAccountName={0}))'
Found DN: cn=User Name,ou=VPN Users with Group Policy
Ignoring PartialResultException
Attempting to bind as cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local
Creating context with principal: 'cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local'
Getting authorities for user cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local
Searching for roles for user 'username', DN = 'cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local', with filter (&(objectClass=group)(member={0})) in search base ''
Using filter: (&(objectClass=group)(member=cn=User Name,ou=VPN Users with Group Policy,dc=domain,dc=local))
[/code]

All good so far, then it just changes to trying the InternalDaoAuthenticationProvider, which obviously fails:

[code]
Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A295A7A8D37C214BA1D2F8397CB21190; exception: Bad credentials
Updated SecurityContextHolder to contain null Authentication
Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
SecurityContextHolder now cleared, as request processing completed
[/code]

Any ideas what classes I need to enable logging for in order to see more info about the LDAP failure I presume is happening before it tries the InternalDao provider?

Cheers, Matt
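The filter rule Matt worked out above (the &, | or ! operator comes first, inside the outer parentheses, followed by the conditions) is the RFC 4515 grammar. The following is an added example, not code from this thread, from Jaspersoft or from Spring Security: a small Python checker that parses a filter string and reports the offset of the mistake, so the first-posted form ((sAMAccountName={0})(objectClass=user)) is rejected and the corrected forms are accepted. It also shows why the value substituted for {0} must be escaped (which Spring Security's LDAP search does for you) so that a login name cannot change the filter's structure. The function names parse_filter, check_filter, escape_filter_value and render_user_filter, and the hostile login name at the bottom, are constructed for the example.

```python
# Added example (not code from the thread, Jaspersoft or Spring Security):
# a minimal RFC 4515 LDAP search filter checker and a safe {0} substitution.
import re

# One simple item such as "sAMAccountName={0}" or "objectClass=user", matched
# up to and including its closing parenthesis. Values may not contain raw
# parentheses; special characters must be \xx-escaped (RFC 4515 section 3).
_SIMPLE_ITEM = re.compile(r'([A-Za-z0-9][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)\)')


def parse_filter(text):
    """Parse an LDAP filter string into a nested dict; raise ValueError naming
    the offending offset when the filter is malformed."""

    def parse(pos):
        if pos >= len(text) or text[pos] != '(':
            raise ValueError("offset %d: expected '('" % pos)
        pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        c = text[pos]
        if c in '&|':
            # The operator precedes its operands: (&(a)(b)) or (|(a)(b)).
            pos += 1
            children = []
            while pos < len(text) and text[pos] == '(':
                node, pos = parse(pos)
                children.append(node)
            if pos >= len(text) or text[pos] != ')':
                raise ValueError("offset %d: expected ')' to close '%s'" % (pos, c))
            return {'op': c, 'args': children}, pos + 1
        if c == '!':
            pos += 1
            node, pos = parse(pos)
            if pos >= len(text) or text[pos] != ')':
                raise ValueError("offset %d: expected ')' to close '!'" % pos)
            return {'op': '!', 'args': [node]}, pos + 1
        if c == '(':
            # The mistake from the thread: ((a)(b)) puts two items inside one
            # pair of parentheses with no operator joining them.
            raise ValueError("offset %d: nested '(' with no preceding &, | or ! operator" % pos)
        m = _SIMPLE_ITEM.match(text, pos)
        if not m:
            raise ValueError("offset %d: malformed attribute/value item" % pos)
        attr, op, value = m.groups()
        return {'op': op, 'attr': attr, 'value': value}, m.end()

    node, end = parse(0)
    if end != len(text):
        raise ValueError("offset %d: trailing characters after filter" % end)
    return node


def check_filter(text):
    """Return (True, 'ok') or (False, reason) instead of raising."""
    try:
        parse_filter(text)
        return True, 'ok'
    except ValueError as exc:
        return False, str(exc)


def escape_filter_value(value):
    """Escape a value for use inside a filter: '*', '(', ')', '\\' and NUL
    become \\xx hex sequences, so a user-supplied login name cannot alter
    the structure of the filter it is inserted into."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def render_user_filter(template, username):
    """Substitute the login name for {0} the way a user search does, escaping
    it first, and confirm the rendered filter still parses."""
    rendered = template.replace('{0}', escape_filter_value(username))
    parse_filter(rendered)  # raises if the template itself is malformed
    return rendered


if __name__ == '__main__':
    for f in ('((sAMAccountName={0})(objectClass=user))',    # as first posted
              '(&(sAMAccountName={0})(objectClass=user))',   # corrected
              '(|(objectClass=user)(objectClass=person))',   # OR form
              '(&(objectClass=group)(member={0}))'):         # group lookup
        print(f, '->', check_filter(f))
    # Constructed hostile login name: unescaped, it would widen the search.
    print(render_user_filter('(&(objectClass=user)(sAMAccountName={0}))', '*)(objectClass=*'))
```

Running the script prints a (False, "offset 1: ...") verdict for the first-posted filter and (True, 'ok') for the three corrected ones, then the rendered filter with the hostile name reduced to harmless \2a, \29 and \28 escapes. The parser accepts the attribute names and DN-valued members seen in this thread's logs; it deliberately stops at the grammar needed here and does not cover extensible-match filters.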
elizam Posted September 11, 2013

Here are some logger classes to try:

org.springframework.security
org.springframework.security.ldap (subset of above related to ldap)
(You may have these two already)
com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth (JRS logging around ext auth)
com.jaspersoft.jasperserver.api.security.externalAuth (JRS logging single tenancy subset)

The JRS logging may not be too helpful however, because it often just gets the messages from LDAP or Spring, which can be pretty generic.
dlitvak Posted September 12, 2013

Matt,

It looks like the groupSearchFilter property in DefaultLdapAuthoritiesPopulator is also missing &. If adding that does not resolve the authentication issue, I recommend dropping the DefaultLdapAuthoritiesPopulator property altogether until you can login. DefaultLdapAuthoritiesPopulator is responsible for extracting user roles. If you remove it, the authenticated users will be roleless. But this is fine since JasperServer assigns a default ROLE_USER.
dlitvak Posted September 12, 2013

One more thing. For your case, I would recommend using the userDnPatterns BindAuthenticator property instead of userSearch. Please refer to the Spring Security LDAP reference guide.
d.moonen Posted November 5, 2013

To anyone having the same problem hoping to find an answer: go read all the comments on http://community.jaspersoft.com/wiki/secure-active-directoryldapldaps-authentication-groups

Setting the referral property in ldapContextSource to follow was the 20% that took me 80% of the time.