JasperServer LDAP/Active directory integration question


AlexVasiliev

One more AD integration question:

Here is my applicationContext-externalAuth-LDAP.xml file


[code]
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
            <constructor-arg index="1"><value>CN=Users</value></constructor-arg>
            <property name="groupRoleAttribute"><value>CN</value></property>
            <property name="groupSearchFilter"><value>(member={0}(CN=*)</value></property>
            <property name="searchSubtree"><value>true</value></property>
            <property name="defaultRole"><value>ROLE_USER</value></property>
            <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
        </bean>
    </constructor-arg>
</bean>

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value>cn=Users</value></constructor-arg>
    <constructor-arg index="1"><value>(sAMAccountName={0})</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>

<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
    <constructor-arg value="ldap://servername.domainname.com:389/cn=Users,dc=domainname,dc=com?sAMAccountName?sub?(objectClass=*)"/>
    <!-- manager user name and password (may not be needed) -->
    <property name="userDn" value="user.name"/>
    <property name="password" value="xxxxxxx"/>
</bean>
<!-- ############ LDAP authentication ############ -->
[/code]

Login of an AD user always fails with the following error messages in the log:

[code]
2013-09-05 15:47:44,164 DEBUG ProviderManager,           http-9090-7:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
2013-09-05 15:47:44,170 DEBUG FilterBasedLdapUserSearch, http-9090-7:109 - Searching for user 'user.name', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-05 15:47:44,191 DEBUG SpringSecurityLdapTemplate,http-9090-7:197 - Searching for entry in under DN 'cn=Users,dc=domainname,dc=com', base = 'cn=Users', filter = '(sAMAccountName={0})'
2013-09-05 15:47:44,199 DEBUG ProviderManager,           http-9090-7:183 - Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
2013-09-05 15:47:44,212  WARN LoggerListener,            http-9090-7:60  - Authentication event AuthenticationFailureBadCredentialsEvent: user.name; details: org.springframework.security.ui.WebAuthenticationDetails@3bcc: RemoteIpAddress: xxx.xxx.xxx.xxx; SessionId: A09C6210D892B0BE9614CD9C7AC942FD; exception: Bad credentials
[/code]

I tried many possible variants following the cookbook, but I keep getting the same error message.

The same LDAP URL (ldap://servername.domainname.com:389/cn=Users,dc=domainname,dc=com) works fine with other apps and their integration with our AD.

What could be wrong?

Please take care with your configuration: the DefaultLdapAuthoritiesPopulator groupSearchFilter (member={0}(CN=*) is invalid. I recommend dropping the DefaultLdapAuthoritiesPopulator altogether until you can log in. DefaultLdapAuthoritiesPopulator is responsible for extracting user roles; if you remove it, the authenticated users will be roleless, but this is fine since JasperServer assigns a default ROLE_USER. To write groupSearchFilter correctly, please refer to the Spring LDAP reference documentation.

Also, what is the reason for all the extra attributes in the ldapContextSource URL? They don't hurt anything, but they make the configs hard to review.

I hope you solved this by now.

To everyone with the same problem hoping to find an answer: make sure you add <property name="referral" value="follow"/> to the ldapContextSource.

My working ldapAuthenticationProvider and userSearch beans:

[code]
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
            <!-- empty group search base: search from the root of the context source URL -->
            <constructor-arg index="1"><value></value></constructor-arg>
            <!-- Properties -->
            <property name="groupRoleAttribute"><value>CN</value></property>
            <!-- the LDAP AND operator '&' must be written as &amp; inside XML -->
            <property name="groupSearchFilter"><value>(&amp;(objectClass=group)(member={0}))</value></property>
            <property name="searchSubtree" value="true"/>
            <property name="defaultRole" value="ROLE_LDAP"/>
            <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
        </bean>
    </constructor-arg>
</bean>

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value></value></constructor-arg>
    <constructor-arg index="1"><value>(&amp;(objectClass=user)(sAMAccountName={0}))</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>
[/code]
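Both replies above turn on the shape of the LDAP search filters: the first flags (member={0}(CN=*) as invalid, the second shows working filters of the form (&(objectClass=...)(...={0})). The script below is an added example, not code from this thread, from JasperServer or from Spring Security. It is a small RFC 4515 filter parser that rejects the broken filter, accepts the corrected ones, and shows why the value substituted for the {0} placeholder must be escaped: Spring's FilterBasedLdapUserSearch does that escaping itself, and the escape_value helper here reproduces the RFC 4515 rule so the effect is visible. The filters are the ones quoted in the posts; the hostile username *)(sAMAccountName=* is a constructed input.

```python
"""RFC 4515 LDAP filter checker with placeholder escaping. Added example for this
thread, not JasperServer or Spring Security code; the sample inputs are constructed."""
import re

# Attribute description (RFC 4512): a descriptor with optional options, or an OID.
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$|^\d+(\.\d+)*$")

USER_SEARCH = "(&(objectClass=user)(sAMAccountName={0}))"  # second post's userSearch
THREAD_FILTERS = {
    "first post groupSearchFilter": "(member={0}(CN=*)",
    "second post groupSearchFilter": "(&(objectClass=group)(member={0}))",
    "second post userSearch": USER_SEARCH,
}

class FilterError(ValueError):
    """Raised when a filter string does not follow RFC 4515 syntax."""

def parse_filter(text):
    """Parse a filter into ('&'|'|', [subs]), ('!', sub) or ('item', attr, op, value)."""
    pos, tree = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing characters at offset %d: %r" % (pos, text[pos:]))
    return tree

def _parse(text, pos):
    if text[pos:pos + 1] != "(":
        raise FilterError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|", "!"):
        pos += 1
        subs = []
        while text[pos:pos + 1] == "(":
            pos, sub = _parse(text, pos)
            subs.append(sub)
        if not subs or (op == "!" and len(subs) != 1):
            raise FilterError("'%s' has the wrong number of operands at offset %d" % (op, pos))
        node = ("!", subs[0]) if op == "!" else (op, subs)
    else:
        # An item runs to the next ')': a value may contain '(' or ')' only escaped.
        end = text.find(")", pos)
        if end < 0:
            raise FilterError("missing ')' for item at offset %d" % pos)
        node = _parse_item(text[pos:end], pos)
        pos = end
    if text[pos:pos + 1] != ")":
        raise FilterError("expected ')' at offset %d" % pos)
    return pos + 1, node

def _parse_item(item, offset):
    i = item.find("=")
    if i <= 0:
        raise FilterError("item without attr=value at offset %d: %r" % (offset, item))
    if item[i - 1] in "~<>":
        attr, op, value = item[:i - 1], item[i - 1:i + 1], item[i + 1:]
    else:
        attr, op, value = item[:i], "=", item[i + 1:]
    if not _ATTR.match(attr):
        raise FilterError("bad attribute description %r at offset %d" % (attr, offset))
    j = 0
    while j < len(value):
        if value[j] in "()":
            raise FilterError("unescaped %r in value %r at offset %d" % (value[j], value, offset))
        if value[j] == "\\":
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", value[j + 1:j + 3]):
                raise FilterError("bad escape in value %r at offset %d" % (value, offset))
            j += 2
        j += 1
    return ("item", attr, op, value)

def check(filter_text):
    try:
        parse_filter(filter_text)
        return None  # syntactically valid
    except FilterError as exc:
        return str(exc)

def escape_value(value):
    """RFC 4515 escaping of a value substituted into a filter (the rule Spring applies to {0})."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def build_filter(template, value):
    """Substitute an escaped value for the {0} placeholder used in this thread's filters."""
    return template.replace("{0}", escape_value(value))

def count_items(tree):
    """Number of attr=value assertions in a parsed filter."""
    if tree[0] == "item":
        return 1
    if tree[0] == "!":
        return count_items(tree[1])
    return sum(count_items(sub) for sub in tree[1])

if __name__ == "__main__":
    for name, flt in THREAD_FILTERS.items():
        print(name, flt, check(flt) or "OK", sep="  |  ")
    hostile = "*)(sAMAccountName=*"  # constructed hostile username
    print(count_items(parse_filter(USER_SEARCH.replace("{0}", hostile))), "assertions unescaped")
    print(count_items(parse_filter(build_filter(USER_SEARCH, hostile))), "assertions escaped")
```

Run directly, it prints a verdict per filter: the first post's groupSearchFilter fails on the unescaped '(' inside the value, the second post's filters parse. The last two lines show the point of the escaping: substituted raw, a username of *)(sAMAccountName=* turns the two-assertion user search into three assertions, the last of which matches every user; escaped, it stays a single equality match on a literal string. If you ever build such filters yourself rather than through FilterBasedLdapUserSearch, escape the value the same way before substitution.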
