Jump to content
We've recently updated our Privacy Statement, available here ×

LDAP (Active Directory) Issue With Users In Multiple Branches


Recommended Posts

I am seeing an LDAP issue in JRS 5.5.

LDAP (Active Directory) authentication is configured and working as expected.

However, users are in multiple branches, ie:



If configured as follows, then only exampleuser1 (and other users in ou=Users) can log in:
    <bean id="userSearch"
        <constructor-arg index="0">
        <constructor-arg index="1">
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        <property name="searchSubtree">
    <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
        <constructor-arg value="ldaps://,dc=com"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn" value="CN=manager1,OU=staff,dc=mycompany,dc=com"/>
        <property name="password" value="manager_password"/>
        <property name="referral" value="follow" />
If the search branch is changed to Staff, then only exampleuser2 (and other users in ou=Staff) can log in:
       <constructor-arg index="0">
If the search branch is left unspecified, then all users can log in, BUT login takes about 60 seconds:
      <constructor-arg index="0">
How can I either (1) specify multiple search branches, or (2) eliminate the long delay when leaving the search branch unspecified?
Link to comment
Share on other sites

  • Replies 2
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Try userDnPatterns in ldapAuthenticationProvider's BindAuthenticator.  This might help http://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/specifying-userdnpatterns-parameters

    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">        <constructor-arg>            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>      <property name="userDnPatterns">        <list>            <value>CN={0},OU=Users,DC=mycompany,DC=com</value>            <value>CN={0},OU=Staff,DC=mycompany,DC=com</value>        </list>      </property>            </bean>        </constructor-arg>         .......     </bean> [/code]

If that is not enough, configure several ldapAuthenticationProvider's pointing to different branches.

    <bean id="ldapAuthenticationManager" class="org.springframework.security.providers.ProviderManager">        <property name="providers">            <list>                <ref local="ldapAuthenticationProvider1"/>                <ref local="ldapAuthenticationProvider2"/>                       ....               <ref local="ldapAuthenticationProviderN"/>                <ref bean="${bean.daoAuthenticationProvider}"/>            </list>        </property>    </bean>[/code]

Each ldapAuthenticationProvider can point to the its own userSearch1...N

Link to comment
Share on other sites

userDnPatterns is not viable because the search needs (and multi-branching of user records) are actually a bit more complex than the example I posted here.

Howver, I did implement your 2nd suggestion prior to your posting it, and that seems to work fine.

I guess I still wonder why not specifying the branch at all (and simply searching the entire base path) takes such a long time.

If I perform an indentical search (of the entire base path) on the CLI using ldapsearch, the result is returned immediately.


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...