lightsailpro Posted May 8, 2014
I am trying to figure out the LDAP authentication error in CE 5.5. I have "log4j.logger.org.springframework.security.ldap=DEBUG" on, but it only gives the following error. Is there a more detailed trace flag for LDAP debugging? It is hard to tell what the error indicates, e.g. does it locate the user jsmith in AD at all?

Searching for user 'jsmith', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'OU=Development...... scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2014-05-07 08:55:43,137 DEBUG SpringSecurityLdapTemplate,http-apr-80-exec-6:197 - Searching for entry in under DN
WARN LoggerListener,http-apr-80-exec-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent:
bolsover Posted May 10, 2014
I too went through LDAP authentication hell, but did eventually get this working. The first thing is to discover the correct value for the userDN property; it most likely is NOT at all obvious. Use "dsquery user -samid YourUsername" at the domain server command line to get the correct value! The ONLY file I edited was applicationContext-security.xml. Here are the relevant parts:

[code]
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <!-- <ref local="anonymousAuthenticationProvider"/>
                 anonymousAuthenticationProvider only needed if
                 filterInvocationInterceptor.alwaysReauthenticate is set to true
                 <ref bean="anonymousAuthenticationProvider"/> -->
            <!-- ref local="jaasAuthenticationProvider"/ -->
        </list>
    </property>
</bean>

<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://SERVER.DOMAIN:389/" />
    <!-- userDn and password properties are not needed if LDAP server accepts anonymous lookup -->
    <property name="userDn">
        <!-- results of dsquery user -samid username go here -->
        <value>CN=YourUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdc,DC=local</value>
    </property>
    <property name="password">
        <value>mypassword</value>
    </property>
</bean>

<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <!-- BindAuthenticator: look the user up with userSearch, then bind as the DN found -->
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg>
                <ref local="ldapContextSource"/>
            </constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
</bean>

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <!-- index 0: search base; index 1: filter, {0} is replaced by the login name; index 2: context source -->
    <constructor-arg index="0">
        <value>OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdc,DC=local</value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="ldapContextSource" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>
[/code]
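The question in this thread is whether the user search step finds jsmith at all before the bind is attempted. The script below is an added example, not code from the thread or from Spring Security; it models offline what FilterBasedLdapUserSearch does with the configuration above: it substitutes the login name into `(sAMAccountName={0})` with RFC 4515 escaping (as Spring's filter encoder does), and it checks whether the DN that `dsquery user -samid` prints actually sits under the configured searchBase with the configured scope. All DNs and usernames in it are constructed sample values; `diagnose`, `dn_under_base` and the other function names are the example's own.

```python
"""Offline checks for a Spring Security FilterBasedLdapUserSearch setup.

Added example, not code from the forum thread or from Spring Security.
It models two things BindAuthenticator does before it binds as the user:
  1. substitute the login name into the search filter (Spring escapes it,
     as RFC 4515 requires, so the name cannot change the filter's shape);
  2. search for that filter under searchBase (subtree or one-level scope).
If step 2 cannot reach the account, the only symptom the server logs is
AuthenticationFailureBadCredentialsEvent, exactly as in the thread.
The DNs below are constructed samples in the shape dsquery prints.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(filter_template: str, username: str) -> str:
    """Replace {0} in the configured filter with the escaped login name,
    which is what Spring's FilterBasedLdapUserSearch does."""
    return filter_template.replace("{0}", escape_filter_value(username))


def normalize_dn(dn: str) -> list:
    """Split a DN into RDNs, case-folded and stripped, for comparison.
    AD treats DNs case-insensitively; dsquery prints them in mixed case
    and wraps them in double quotes."""
    # Split on commas that are not preceded by a backslash (escaped comma).
    parts = re.split(r"(?<!\\),", dn.strip().strip('"'))
    return [p.strip().lower() for p in parts]


def dn_under_base(user_dn: str, search_base: str, subtree: bool = True) -> bool:
    """Would a search rooted at search_base reach user_dn?
    searchSubtree=true reaches any depth below the base; one-level scope
    reaches only direct children of the base."""
    user = normalize_dn(user_dn)
    base = normalize_dn(search_base)
    if len(user) <= len(base) or user[-len(base):] != base:
        return False
    return subtree or len(user) == len(base) + 1


def diagnose(user_dn: str, search_base: str, filter_template: str,
             username: str, subtree: bool = True) -> dict:
    """Summarise whether the configured user search can find this account:
    the exact filter that will be sent and whether the base/scope reach
    the DN that dsquery reported for the account."""
    return {
        "filter": build_user_filter(filter_template, username),
        "reachable": dn_under_base(user_dn, search_base, subtree),
    }


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's configuration.
    base = "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdc,DC=local"
    found_by_dsquery = '"CN=J Smith,OU=Staff,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdc,DC=local"'
    elsewhere = '"CN=J Smith,OU=Contractors,OU=Users,OU=MyBusiness,DC=yourdc,DC=local"'
    for dn in (found_by_dsquery, elsewhere):
        print(dn, diagnose(dn, base, "(sAMAccountName={0})", "jsmith"))
    # A hostile login name cannot widen the filter once escaped.
    print(build_user_filter("(sAMAccountName={0})", "jsmith)(objectClass=*"))
```

Run it with the DN from `dsquery user -samid jsmith` pasted in place of the sample: if `reachable` is false, the search will never find the entry and the bind step is never reached, which is indistinguishable from a wrong password at the DEBUG level shown in the first post. The escaping check is the reason the `{0}` placeholder must stay in the filter string rather than being concatenated in by hand.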
lightsailpro (Author) Posted May 12, 2014
I am using 5.5. In 5.5, you have to use applicationContext-externalAuth-LDAP.xml (copy it over from the sample folder) instead. I was able to make it work in one AD environment, but it just does not work in another AD environment. With minimal debugging output, it is hard to see what's really going on behind the code.
bolsover Posted May 13, 2014
I'm using 5.5 also, but I did not use applicationContext-externalAuth-LDAP.xml. To help with my debugging, I did adjust the server logging levels as described here: http://support.microsoft.com/kb/314980