Everything posted by dlitvak

  1. Please, take care in your configuration: DefaultLdapAuthoritiesPopulator groupSearchFilter is invalid (member={0}(CN=*). I recommend dropping the DefaultLdapAuthoritiesPopulator property altogether until you can log in. DefaultLdapAuthoritiesPopulator is responsible for extracting user roles. If you remove it, the authenticated users will be roleless. But this is fine since JasperServer assigns a default ROLE_USER. To write groupSearchFilter correctly, please refer to the Spring LDAP reference documentation. Also, what's the reason for all the extra attributes in the ldapContextSource url? They don't hurt anything, but make it hard to review configs.
  2. Sorry for your troubles. This issue recently came up internally too. We have fixed it in 5.2, which could come out by August. I do not know if the hotfix of 5.1 is available to anyone in the community. D
  3. Rob, 5.1 is still backward compatible with 5.0. To make it work as 5.0, you'd have to re-introduce JIAuthenticationSynchronizer into the /** filter chain in applicationContext-security-web.xml. Compare the 2 filter chains (5.0 versus 5.1) and reinsert JIAuthenticationSynchronizer in 5.1; it should be after the requestParam filter. JIAuthenticationSynchronizer is responsible for user synchronization with the jasper server Db. Your errors are probably caused by no user being initialized in JasperServer. Please do what I suggest and report back if it helps you. That would really help us to support others migrating to 5.1.

     Some more explanation for the changes: In 5.1, we have tried to separate external auth into a separate file for ease of upgrade. Having the config in the comments in the main config file does not promote good testing either.
  4. Sorry for your trouble. It's probably best to post a separate issue if you want attention faster :) or contact support. However, since I am accidentally here... Sounds like you might have a prof. edition, no? Yes, in 5.1, code has gone through some refactoring. We accidentally dropped this replace. Ooops. We are going to put it back in 5.2.

     For you, you have this option 1, unless you are using LDAP: You can follow the old authentication cookbook and configure this the old way, which is going to utilize the old code. 1 thing you would absolutely need to do though is to re-add JIAuthenticationSynchronizer in the /** filter chain after delegatingRequestParameterAuthenticationFilter (in the filterChainProxy bean in applicationContext-security-web.xml). Now, I have not tested this personally ..., but it should work. If you are on LDAP, we are in trouble, as we dropped com.jaspersoft.jasperserver.multipleTenancy.ldap.LdapExternalUserProcessor by accident. We have since re-added it to 5.2.

     Hence, Option 2 is to map your external roles with spaces to JRS internal ones in the new 5.1 config. To do that, set up key-value pairs in the organizationRoleMap property of the mtExternalUserSetupProcessor bean.

         ROLE ADMIN EXTERNAL ORGANIZATION ROLE_ADMIN_EXTERNAL_ORGANIZATION|*

     Note |*, it will assign organization id to the role, which usually is not the case. Good luck
  5. My mistake, please use instead. I changed the original post as well.
  6. Bingo, I just realized that this is by design. When you look in the logs after you turn up the log level for com.jaspersoft.jasperserver.api.security.externalAuth.processors, you should see a warning "External role XXX YYY has forbidden characters according to permittedExternalRoleNameRegex: [A-Za-z0-9_]+. Skipping this role for the user ZZ".

     To fix the problem, please modify permittedExternalRoleNameRegex, which is the [A-Za-z0-9_]+ regex by default. To do that, add this property to the applicationContext-externalAuth-LDAP.xml externalUserSetupProcessor bean as follows:

         <bean id="externalUserSetupProcessor"
               class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor"
               parent="abstractExternalProcessor">
             <property name="userAuthorityService">
                 <ref bean="${bean.internalUserAuthorityService}"/>
             </property>
             <!-- ..... -->
             <!-- \s adds whitespace to the characters permitted in external role names -->
             <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_\s]+"/>
         </bean>

     The property permittedExternalRoleNameRegex was added to fix another bug at or after the time of the actual doc writing. Apologies.
  7. Also, it looks like authentication does happen. It must be something else in the config.
  8. Any way you could post up your old and new config files (hide passwords)? Also, perhaps you could upload the ldif file.
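
Added example, not part of the original posts and not JasperReports Server code: a small Python model of the role-name filter described in post 6, assuming a role is kept only when its whole name matches permittedExternalRoleNameRegex. The function name, the sample role names and the space-only pattern are constructed for illustration; it shows what the default pattern skips, what `\s` additionally admits, and what happens if the backslash is lost when the value is pasted.

```python
import re

DEFAULT_REGEX = r"[A-Za-z0-9_]+"      # default quoted in the warning message
RELAXED_REGEX = r"[A-Za-z0-9_\s]+"    # whitespace added to the class
LITERAL_S_REGEX = r"[A-Za-z0-9_s]+"   # backslash lost: 's' is already in a-z
SPACE_ONLY_REGEX = r"[A-Za-z0-9_ ]+"  # tighter variant (assumption): space only


def filter_external_roles(roles, permitted_regex, user="ZZ"):
    """Return (kept, warnings); assumes the whole role name must match."""
    pattern = re.compile(permitted_regex)
    kept, warnings = [], []
    for role in roles:
        if pattern.fullmatch(role):
            kept.append(role)
        else:
            warnings.append(
                f"External role {role!r} has forbidden characters according to "
                f"permittedExternalRoleNameRegex: {permitted_regex}. "
                f"Skipping this role for the user {user}"
            )
    return kept, warnings


# Constructed sample of group names a directory could return.
SAMPLE_ROLES = [
    "ROLE_USER",
    "ROLE ADMIN EXTERNAL ORGANIZATION",  # spaces, as in the thread
    "Report\tViewers",                   # embedded tab
    "Finance\nTeam",                     # embedded newline
    "ou=staff,dc=example",               # DN punctuation
]

# Note: \s covers space, tab, newline, CR, FF and VT in both Java and Python;
# Python additionally treats other Unicode whitespace as \s for str patterns.
if __name__ == "__main__":
    for regex in (DEFAULT_REGEX, LITERAL_S_REGEX, RELAXED_REGEX, SPACE_ONLY_REGEX):
        kept, warnings = filter_external_roles(SAMPLE_ROLES, regex)
        print(f"{regex}: kept {kept}")
        for line in warnings:
            print("  WARN", line)
```

If only spaces are expected in group names, the space-only class keeps the spaced role while still skipping names that contain tabs or line breaks.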