rusty.ross Posted March 3, 2016 Share Posted March 3, 2016 I am seeing an LDAP issue in JRS 5.5.LDAP (Active Directory) authentication is configured and working as expected.LDAP external roles mapping is configured and (mostly) working as expected. Here is the relevant config on that: <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider"> <constructor-arg> <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> <constructor-arg><ref local="ldapContextSource"/></constructor-arg> <property name="userSearch" ref="userSearch"/> </bean> </constructor-arg> <constructor-arg> <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg> <constructor-arg index="1"><value>OU=Internal</value></constructor-arg> <property name="groupRoleAttribute" value="cn"/> <property name="groupSearchFilter" value="(&(objectClass=group)(member={0})(|(cn=ABC-*)(CN=XYZ-*)))"/> <property name="searchSubtree" value="true"/> <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> --> <property name="defaultRole" value="ROLE_LDAPUSER"/> </bean> </constructor-arg> </bean> The problem is this: The ABC-* groups are in a different OU than the XYZ-* groups. So for the config shown above, only the ABC groups get mapped, since "Internal" is the OU the ABC groups live in. If I change this: <constructor-arg index="1"><value>OU=Internal</value></constructor-arg> to this: <constructor-arg index="1"><value>OU=Foo</value></constructor-arg> ...then only the XYZ groups get mapped, since "Foo" is the OU the XYZ groups live in. If I change this: <constructor-arg index="1"><value>OU=Internal</value></constructor-arg> to this: <constructor-arg index="1"><value></value></constructor-arg> ...thus, searching the entire base DN, then login fails for all users. (I have cofirmed by using ldapsearch in the CLI that all groups can be searched from the base DN for this environment.) Any clues on why logins all fail when I do this in Jasper? Any thoughts on how to acheive what I am trying to do? Would any further detail or clarification be helpful to answer these questions? Thanks. Link to comment Share on other sites More sharing options...
elizam Posted March 4, 2016 Share Posted March 4, 2016 I think you can have multiple instances of this bean, and just put them one after another. If it doesn't find a match in the first bean, it falls through to the next. It doesn't fail till all beans are tried. If one of the patterns has significantly more matches, obviously best to put it first. Link to comment Share on other sites More sharing options...
rusty.ross Posted March 8, 2016 Author Share Posted March 8, 2016 The reason I don't think that approach will work is that some users are members of both families of groups, and I need to be able to map those users to all the roles for which they are a group member. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now