Jump to content

Recommended Posts

Posted

I am trying to figure out the LDAP authentication error in CE 5.5. I have the "log4j.logger.org.springframework.security.ldap=DEBUG" on. But it only gives the following error. Is there more deatiled trace flag for LDAP debug? It is hard too tell if what the error indicates, e.g. does it locate the user jsmith in AD at all?

Searching for user 'jsmith', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'OU=Development...... scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]

2014-05-07 08:55:43,137 DEBUG SpringSecurityLdapTemplate,http-apr-80-exec-6:197 - Searching for entry in under DN

WARN LoggerListener,http-apr-80-exec-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent:

  • Replies 3
  • Created
  • Last Reply

Top Posters In This Topic

Posted

I too went through LDAP authentication hell - but did eventually get this working. The first thing is to discover the correct value for the userDN property - it most likely is NOT at all obvious..

Use "dsquery user -samid YourUsername" at the domain server command line to get the correct value!!

The ONLY file I edited was applicationContext-security.xml Here are the relevant parts: 

 

    <bean id="authenticationManager"          class="org.springframework.security.providers.ProviderManager">        <property name="providers">            <list>                <ref local="ldapAuthenticationProvider"/>                <ref bean="${bean.daoAuthenticationProvider}"/>           <!-- <ref local="anonymousAuthenticationProvider"/>                anonymousAuthenticationProvider only needed if                filterInvocationInterceptor.alwaysReauthenticate is set to true                <ref bean="anonymousAuthenticationProvider"/> -->                <!-- ref local="jaasAuthenticationProvider"/ -->            </list>        </property>    </bean>    <bean id="ldapContextSource"          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">        <constructor-arg value="ldap://SERVER.DOMAIN:389/" />        <!-- userDn and password properties are not needed if LDAP server accepts anonymous lookup   -->        <property name="userDn">            <!-- results of dsquery user -samid usermane go here -->                       <value>CN=YourUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdc,DC=local</value>        </property>        <property name="password">            <value>mypassword</value>        </property>    </bean>    <bean id="ldapAuthenticationProvider"          class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">        <constructor-arg>            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">                <constructor-arg>                    <ref local="ldapContextSource"/>                </constructor-arg>                <property name="userSearch" ref="userSearch"/>            </bean>        </constructor-arg>    </bean>    <bean id="userSearch"          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">        <constructor-arg index="0">            <value>OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdc,DC=local</value>        </constructor-arg>        <constructor-arg index="1">            <value>(sAMAccountName={0})</value>        </constructor-arg>        <constructor-arg index="2">            <ref local="ldapContextSource" />        </constructor-arg>        <property name="searchSubtree">            <value>true</value>        </property>    </bean>[/code]

 

Posted
I am using 5.5. In 5.5, have to use applicationContext-externalAuth-LDAP.xml (copy it over from the sample folder) instead. I was able to make it work in one AD environment. But it just does not work in another AD environment. With minimum debugging output, it is hard to see what's really going on behind the code.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...