
Windows LDAP or Active Directory integration


witto


Dear all,

Here is, for our company, a working solution to integrate JasperServer (3.1) in a Windows (2003) Active Directory.

Create in your Windows Active Directory a user to make LDAP Queries, i.e. "LDAPQueryUser". An ordinary "Domain User" is enough, no elevated rights are needed.

Modify the file "applicationContext-security.xml". You can find it in the directory "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\jasperserver\WEB-INF".

Find "ldapAuthenticationProvider"

    <!-- ======================== AUTHENTICATION ======================= -->
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <!-- The provider list as shipped: the LDAP provider reference sits inside
             a comment, so only the internal user database
             (daoAuthenticationProvider) and the anonymous provider are active. -->
        <property name="providers">
            <list>
                <!-- not on by default <ref local="ldapAuthenticationProvider"/> -->
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
                <!--ref local="jaasAuthenticationProvider"/-->
            </list>
        </property>
    </bean>

 

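Remove the comment markers around the ldapAuthenticationProvider reference so that it becomes an active entry in the list: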

    <!-- ======================== AUTHENTICATION ======================= -->
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <!-- Providers are consulted in the order listed. With LDAP first, a login
             that Active Directory does not accept is still offered to the internal
             JasperServer user database (daoAuthenticationProvider), so internal
             accounts keep working with their local passwords. Review those
             accounts and change any default passwords: disabling a user in
             Active Directory does not disable a same-named internal account. -->
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider"/><!-- enabled here; inside a comment in the shipped file -->
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
                <!--ref local="jaasAuthenticationProvider"/-->
            </list>
        </property>
    </bean>

Find "bean id="initialDirContextFactory""

     <!--
 
   For LDAP authentication
  
   <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
     <constructor-arg value="ldap://scopeserv1:389/dc=panscopic,dc=com"/>
     -->
     <!--
     You may not need the next properties
     <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
     <property name="managerPassword"><value>acegisecurity</value></property>
     -->
     <!--
   </bean>
     -->

Modifications

     <!--
 
   For LDAP authentication
     -->
  
   <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
     <!-- LDAP Query -->
     <!-- <constructor-arg value="ldap://mydc1:389/dc=mydomain,dc=local"/> -->
     <!-- Global Catalog Query -->
     <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>
     <!--     -->
     <!--
     You may not need the next properties     -->
     <!-- <property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property> -->
     <property name="managerDn"><value>LDAPQueryUser</value></property>
     <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
     <property name="extraEnvVars">
      <map>
       <entry key="java.naming.referral" value="follow"/>
      </map>
     </property>
     <!--     -->
     <!--     -->
   </bean>
     <!--     -->

Find “bean id="userSearch"”

   <!--
   For LDAP authentication
   This bean is not used by default
  
   <bean id="userSearch"
            class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
     <constructor-arg index="0">
       <value></value>
     </constructor-arg>
     <constructor-arg index="1">
       <value>(uid={0})</value>
     </constructor-arg>
     <constructor-arg index="2">
       <ref local="initialDirContextFactory" />
     </constructor-arg>           
     <property name="searchSubtree">
       <value>true</value>
     </property>           
   </bean>           
  
   -->

Modifications

   <!--
   For LDAP authentication
   This bean is not used by default   -->
  
   <bean id="userSearch"
            class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
     <constructor-arg index="0">
       <value></value>       <!-- <value>cn=users</value>   -->
     </constructor-arg>
     <constructor-arg index="1">
       <value>(sAMAccountName={0})</value>       <!-- <value>(uid={0})</value>   -->
     </constructor-arg>
     <constructor-arg index="2">
       <ref local="initialDirContextFactory" />
     </constructor-arg>           
     <property name="searchSubtree">
       <value>true</value>
     </property>           
   </bean>           
  
   <!--    -->

Find "bean id="ldapAuthenticationProvider""

   <!--
   For LDAP authentication
  
   <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <property name="userDnPatterns"><list><value>uid={0}</value></list></property>
       </bean>
     </constructor-arg>
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
          <constructor-arg index="1"><value></value></constructor-arg>
          <property name="groupRoleAttribute"><value>cn</value></property>
          <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property>
       </bean>
     </constructor-arg>
   </bean>
   -->

Modifications

   <!--
   For LDAP authentication   -->
  
   <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <property name="userSearch"><ref local="userSearch" /></property>          <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
       </bean>
     </constructor-arg>
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
          <constructor-arg index="1"><value></value> <!-- <value>cn=users</value> --> </constructor-arg>
          <property name="convertToUpperCase"><value>true</value></property>
          <property name="rolePrefix"><value></value></property>
          <property name="searchSubtree"><value>true</value></property>
          <property name="groupSearchFilter"><value>member={0}</value></property>
          <property name="groupRoleAttribute"><value>cn</value></property>
          <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> -->
       </bean>
     </constructor-arg>
   </bean>
   <!--   -->

Restart your JasperServer (or your Apache Tomcat server).

More information:

http://forum.springsource.org/showthread.php?t=41167

Regards,



Post Edited by witto at 07/07/2009 22:47



Post Edited by witto at 07/27/2009 11:55

Dear all,

 

In our solution above, I don't like the

<property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property>

Does anybody know how to reduce this to

<property name="managerDn"><value>LDAPQueryUser</value></property>

 

About

<constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>

Does anybody know if it is possible to provide alternate LDAP server URL's in case the default is unavailable?

 

Thanks,

Kind regards



Post Edited by witto at 07/08/2009 11:51

  • 3 weeks later...

Forget the question about
<property name="managerDn"><value>LDAPQueryUser</value></property>
It works fine for me. I will change the topmost post.

If anybody knows if it is possible to provide information about an alternate LDAP server, then I am still interested in the answer.



Post Edited by witto at 07/27/2009 11:56

Dear all,

I seem to understand that "Spring LDAP" is used for LDAP Authentication.

I also seem to understand that "Spring LDAP" supports the configuration of multiple alternate LDAP servers.

Can anyone give an example how this is configured in JasperServer?

Should I write something like:

<constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local ldap://mydc1:3268/dc=mydomain,dc=local"/>

 ???

 

More information:

http://static.springsource.org/spring-ldap/docs/1.3.x/reference/html/

http://static.springsource.org/spring-ldap/docs/1.3.x/reference/html/configuration.html#dir-context-url

 

8.1.1. LDAP Server URLs

The URL of the LDAP server is specified using the url property. The URL should be in the format ldap://myserver.example.com:389. For SSL access, use the ldaps protocol and the appropriate port, e.g. ldaps://myserver.example.com:636

It is possible to configure multiple alternate LDAP servers using the urls property. In this case, supply all server urls in a String array to the urls property.

 

Kind regards

 



Post Edited by witto at 07/27/2009 14:11



Post Edited by witto at 07/27/2009 14:33



Post Edited by witto at 07/27/2009 14:35

  • 2 weeks later...

I am using the configuration posted here in applicationContext-security.xml. Authentication is done against a Windows 2000 Active Directory, and it works. The only problem is that it takes an unbearably long time (70 seconds) just to authenticate. Has anyone else had the same problem? How did you resolve it? Thanks a lot.


  • 1 month later...
  • 2 weeks later...

I probably should be reading more into the documentation but it would be great if someone can give some direction. I don't have much experience in AD and LDAP.

All i am required to do is to allow user to authenticate JS via AD. Please correct me if I am wrong in anyway.

  • I do not require role mapping.
  • using JS3.5 PRO

how I see this working is

  1. create user in JS, assign username/password (same as AD login, different pw perhaps)
  2. assign organization and roles in JS
  3. user logins into JS
  4. JS retrieve login and match password
  5. allows access into JS based on JS security setup

Is this possible?  the primarily reason we want to use AD is just for the login/password.

Please advise :D

 

 


I presume you do not have to create any user in JasperServer that has the same name and password as in your Active Directory. I presume you can follow the steps that I posted in the first post. Even for jasperServer 3.5.

But we did not implement (yet) JasperServer 3.5.


Yes - a great post. I added a link to this in the wiki.

 

This will work for JasperServer 3.5.

 

The users are automatically created. They are flagged as "external". There are default roles you can add to them by changing WEB-INF/applicationContext.xml. See the defaultInternalRoles property below. These roles will always get added to a new external user. I think this is what you need, linvicch.

 

Sherman

Jaspersoft

Code:
    <bean id="userAuthorityServiceTarget" class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">
        <property name="sessionFactory" ref="sessionFactory"/>
        <property name="objectMappingFactory" ref="mappingResourceFactory"/>
        <property name="persistentClassFactory" ref="persistentMappings"/>
        <property name="profileAttributeService" ref="profileAttributeService"/>
        <!-- Roles given to every externally authenticated user. Such users are
             created automatically on first login, so anyone with a valid
             directory account receives whatever is listed here. Keep the list
             to the minimum role. -->
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>
        <property name="tenantPersistenceResolver" ref="hibernateTenantService"/>
    </bean>

 

Dear Sherman Wood,

What do you know about the possibility to configure one or more "alternate LDAP servers" Is it enough to enumerate all the LDAP or Global Catalog servers divided by spaces?

 

<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
 <!-- The question being asked: can alternate servers be given as one
      space-separated list of URLs?
      NOTE(review): the vendor reply in this thread says no, while the poster's
      later test suggests it appeared to work. Verify against your own release.
      Security: both URLs use the unencrypted ldap:// scheme, so the bind
      password below and users' login passwords cross the network in clear
      text. Prefer ldaps:// where the domain controllers have certificates. -->
 <constructor-arg>
  <value>ldap://mydc1:3268/dc=mydomain,dc=local ldap://mydc2:3268/dc=mydomain,dc=local</value>
 </constructor-arg>
 <!-- Search account; the password sits in clear text in this file, so keep the
      account unprivileged and the file readable only by the Tomcat identity. -->
 <property name="managerDn" value="LDAPQueryUser"/>
 <property name="managerPassword" value="?S3cr3tP@ssw0rd!"/>
 <!-- Extra JNDI environment: follow referrals returned by the server -->
 <property name="extraEnvVars">
  <map>
   <entry key="java.naming.referral">
    <value>follow</value>
   </entry>
  </map>
 </property>
</bean>

 


Hiya,

is it possible to configure the login for JS without changing code to enable the following below:

  1. Create user in JS with roles
  2. on login, verify the password and login details with AD
  3. On successful authentication, map the username in AD with the user in JS
  4. if user in JS is found, allow access with the role that have been setup earlier
  5. if user in JS is not found, denied access.

The reason we are doing it this way is because we have 2 teams, 1 is the BI team that manages JS. The other team is the windows administrator that looks after  AD.

  • BI team will need to have control as to who gains access to JS
  • The AD team will not and is not involve in the current project hence we can't make any modification to the groups and roles of users in AD. It have also been very stressing and frustrating to get the windows admins(busiest ppl in any office)  to get anything done and would be better if they can be left out of the picture altogether.

All we really need is to still use the default internal authentication of JS except instead of using the password stored in JS internal database, we would like to retrieve the password stored in AD. the login name in JS for user A will be the same login name for user A in AD.

Thank you for any advice given :)

 

 


witto,

 

You can't just add additional URLs in the constructor arg.

 

You could add a different set of beans for the second LDAP configuration, and add it to the authentication manager's list of providers:

 

    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <!-- Providers are tried in list order: here the internal user database
             first, then one LDAP provider per directory server, then the
             anonymous provider. ldapAuthenticationProvider-1 and
             ldapAuthenticationProvider-2 are not shipped beans; each has to be
             defined separately with its own context factory.
             NOTE(review): a rejected password is presented to every LDAP
             provider in turn, so when both point at the same domain one failed
             login may count more than once toward the account lockout
             threshold. Confirm against your lockout policy. -->
        <property name="providers">
            <list>
                <!-- not on by default <ref local="ldapAuthenticationProvider"/>  -->
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <ref local="ldapAuthenticationProvider-1"/>
                <ref local="ldapAuthenticationProvider-2"/>
                <ref local="anonymousAuthenticationProvider"/>
            </list>
        </property>
    </bean>

 

Also, if memory serves me right, you should be able to configure your LDAP service to do this with a single IP address. LDAP services are usually designed to be fault tolerant and scalable, so they can have a number of LDAP servers behind one IP address.

 

 

Sherman

Jaspersoft
 


linvicch,

 

You can do what you want. I designed it that way ;-).

 

LDAP is the external authentication mechanism. Using LDAP, JS will authenticate the user name and password. Roles can be pulled from LDAP and attached to the user in JS. You can set the default roles externally defined users will have by changing the userAuthorityService bean in WEB-INF/applicationContext.xml:

 

    <bean id="userAuthorityServiceTarget"
        class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">
        <property name="sessionFactory" ref="sessionFactory"/>
        <property name="objectMappingFactory" ref="mappingResourceFactory"/>
        <property name="persistentClassFactory" ref="persistentMappings"/>
        <property name="profileAttributeService" ref="profileAttributeService"/>
        <property name="defaultInternalRoles">
          <list>
            <value>ROLE_USER</value>
          </list>
        </property>
        <property name="tenantPersistenceResolver"><ref bean="${bean.hibernateTenantService}"/></property>
        <property name="auditContext" ref="${bean.auditContext}"/>
    </bean>
 

 

The Authentication Cookbook walks you through this process.

 

Sherman

Jaspersoft


Thank Sherman,

But thats not what we need.  are we able to allow the user to take on roles that have been assigned to them in jasperserver?

In essence, all we really need is to use the standard login implementation of JS. The only difference we want is for the password to be retrieve from AD.

The user and roles should all be using the default implementation of JS, where we create a user in JS, assign specific roles within JS.

eg. John and Peter are both users in AD

Only Peter is setup in JS

In this scenario, only Peter should be able to gain access to JS, and his role will be whatever he was set up with in JS.

 

This will probably sound strange to you as to why we are doing it this way and i also agree that it makes more sense to assign roles to user base on their group in AD but due to environmental restriction, we are not able to achieve that.

Pls guide thxs :)

 



Post Edited by linvicch at 10/20/2009 08:13

swood
Wrote:
 

witto,

 

You can't just add additional URLs in the constructor arg.

 

You could add a different set of beans for the second LDAP configuration, and add it to the authentication manager's list of providers:

 

    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <!-- Quoted vendor example. Providers are tried in list order: the
             internal user database first, then one LDAP provider per directory
             server, then the anonymous provider. The two numbered LDAP
             providers are not shipped beans and have to be defined separately. -->
        <property name="providers">
            <list>
                <!-- not on by default <ref local="ldapAuthenticationProvider"/>  -->
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <ref local="ldapAuthenticationProvider-1"/>
                <ref local="ldapAuthenticationProvider-2"/>
                <ref local="anonymousAuthenticationProvider"/>
            </list>
        </property>
    </bean>

 

Also, if memory serves me right, you should be able to configure your LDAP service to do this with a single IP address. LDAP services are usually designed to be fault tolerant and scalable, so they can have a number of LDAP servers behind one IP address.

 

 

Sherman

Jaspersoft
 

Dear Sherman,

Could you elaborate on your example? I am looking for working examples and "how to get there" descriptions.

I have been testing on a test server with configurations like:

 

<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">

  <!-- Alternate-server tests on a test server. Each of these space-separated
       pairs, with "dummy" standing for an unreachable host, seemed to work at
       first glance:
         ldap://mydc1:3268/dc=mydomain,dc=local ldap://dummy:3268/dc=mydomain,dc=local
         ldap://dummy:3268/dc=mydomain,dc=local ldap://mydc1:3268/dc=mydomain,dc=local
         ldap://mydc2:3268/dc=mydomain,dc=local ldap://dummy:3268/dc=mydomain,dc=local
         ldap://dummy:3268/dc=mydomain,dc=local ldap://mydc2:3268/dc=mydomain,dc=local -->

  <!-- Active value: Global Catalog search on both domain controllers. The
       plain LDAP query variant would be
         ldap://mydc1:389/dc=mydomain,dc=local ldap://mydc2:389/dc=mydomain,dc=local
       Security: every URL here uses the unencrypted ldap:// scheme, so the
       bind password below and users' login passwords travel in clear text.
       Prefer ldaps:// where the domain controllers have certificates. -->
  <constructor-arg>
    <value>ldap://mydc1:3268/dc=mydomain,dc=local ldap://mydc2:3268/dc=mydomain,dc=local</value>
  </constructor-arg>

  <!-- Search account; its password is stored in clear text in this file -->
  <property name="managerDn" value="LDAPQueryUser"/>
  <property name="managerPassword" value="?S3cr3tP@ssw0rd!"/>

  <!-- Extra JNDI environment: follow referrals returned by the server -->
  <property name="extraEnvVars">
    <map>
      <entry key="java.naming.referral">
        <value>follow</value>
      </entry>
    </map>
  </property>

</bean>

 

Kind regards,



Post Edited by at 10/20/2009 11:38



Post Edited by witto at 10/20/2009 11:44

You could create multiple sets of LDAP configuration beans, one for each of your mydc1, mydc2 and dummy LDAP servers, and then list the LDAP authentication beans in the authentication manager. When the user tries to authenticate, JasperServer will run through the list until it is successful, or fails, which is why the anonymousAuthenticationProvider is last in the chain.

 

The approach with a load balanced/fault tolerant LDAP environment will be a single LDAP configuration from the JasperServer perspective.

 

 

Sherman

Jaspersoft

 


Dear Sherman,

I really do not see how this should be configured.

Please forgive my ignorance, but I know nothing about Java beans, except the beans I use to make coffee.

As far as I can see through the configuration in my topmost post, the tag

<ref local="ldapAuthenticationProvider"/>

is reused in the "bean tag"

<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">

and in that part, I do not see any configuration of the LDAP servers that should be used. I do see that there is a constructor-arg tag with a subtag that refers to initialDirContextFactory:

<constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>

Under the bean tag

<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">

the LDAP server is provided.

But I still do not see what I should change to configure more than one LDAP server.

Can you please shed some light in the darkness and maybe provide a working example configuration?

Thank you very much for your suggestions so far.

 


Dear Sherman,

If I try to follow your suggestions, I would end up with the following modifications:

 

    <!-- ======================== AUTHENTICATION ======================= -->
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <!-- not on by default <ref local="ldapAuthenticationProvider"/>  -->
                <ref bean="${bean.daoAuthenticationProvider}"/>
                    <ref local="ldapAuthenticationProvider-1"/>
                    <ref local="ldapAuthenticationProvider-2"/>
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
                <!--ref local="jaasAuthenticationProvider"/-->
            </list>
        </property>
    </bean>

 

     <!--
 
   For LDAP authentication
     -->
  
   <bean id="initialDirContextFactory-1" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
     <!-- LDAP Query -->
     <!-- <constructor-arg value="ldap://mydc1:389/dc=mydomain,dc=local"/> -->
     <!-- Global Catalog Query -->
     <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>
     <!--     -->
     <!--
     You may not need the next properties     -->
     <!-- <property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property> -->
     <property name="managerDn"><value>LDAPQueryUser</value></property>
     <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
     <property name="extraEnvVars">
      <map>
       <entry key="java.naming.referral" value="follow"/>
      </map>
     </property>
     <!--     -->
     <!--     -->
   </bean>
     <!--     -->

 

   <bean id="initialDirContextFactory-2" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
     <!-- LDAP Query -->
     <!-- <constructor-arg value="ldap://mydc2:389/dc=mydomain,dc=local"/> -->
     <!-- Global Catalog Query -->
     <constructor-arg value="ldap://mydc2:3268/dc=mydomain,dc=local"/>
     <!--     -->
     <!--
     You may not need the next properties     -->
     <!-- <property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property> -->
     <property name="managerDn"><value>LDAPQueryUser</value></property>
     <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
     <property name="extraEnvVars">
      <map>
       <entry key="java.naming.referral" value="follow"/>
      </map>
     </property>
     <!--     -->
     <!--     -->
   </bean>
     <!--     -->

 

   <!--
   For LDAP authentication
   This bean is not used by default   -->
  
   <bean id="userSearch"
            class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
     <constructor-arg index="0">
       <value></value>       <!-- <value>cn=users</value>   -->
     </constructor-arg>
     <constructor-arg index="1">
       <value>(sAMAccountName={0})</value>       <!-- <value>(uid={0})</value>   -->
     </constructor-arg>
     <constructor-arg index="2">
       <ref local="initialDirContextFactory" />
     </constructor-arg>           
     <property name="searchSubtree">
       <value>true</value>
     </property>           
   </bean>           
  
   <!--    -->

 

   <!--
   For LDAP authentication   -->
  
   <bean id="ldapAuthenticationProvider-1" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory-1"/></constructor-arg>
          <property name="userSearch"><ref local="userSearch" /></property>
          <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
       </bean>
     </constructor-arg>
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg index="0"><ref local="initialDirContextFactory-1"/></constructor-arg>
          <constructor-arg index="1"><value></value> <!-- <value>cn=users</value> --> </constructor-arg>
          <property name="convertToUpperCase"><value>true</value></property>
          <property name="rolePrefix"><value></value></property>
          <property name="searchSubtree"><value>true</value></property>
          <property name="groupSearchFilter"><value>member={0}</value></property>
          <property name="groupRoleAttribute"><value>cn</value></property>
          <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> -->
       </bean>
     </constructor-arg>
   </bean>
   <!--   -->

 

   <!--
   For LDAP authentication   -->
  
   <bean id="ldapAuthenticationProvider-2" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory-2"/></constructor-arg>
          <property name="userSearch"><ref local="userSearch" /></property>

          <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
       </bean>
     </constructor-arg>
     <constructor-arg>
       <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
          <constructor-arg index="1"><value></value> <!-- <value>cn=users</value> --> </constructor-arg>
          <property name="convertToUpperCase"><value>true</value></property>
          <property name="rolePrefix"><value></value></property>
          <property name="searchSubtree"><value>true</value></property>
          <property name="groupSearchFilter"><value>member={0}</value></property>
          <property name="groupRoleAttribute"><value>cn</value></property>
          <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> -->
       </bean>
     </constructor-arg>
   </bean>
   <!--   -->

 

I did not try the modifications above at all.

Can you please give your comments on these modifications?

Kind regards,

 

 

 


is there anyway to debug on why i get a

Applying rules to determine whether transaction should rollback on org.acegisecurity.userdetails.UsernameNotFoundException: User not found with username

from jasperserver.log with acegisecurity debugging turned on?

Based on the configuration I tried at home, everything works but bring it to work and nothing works.

I have attached a copy of my applicationContext-security.xml

I have a feeling its something to do with security that is not allowing me to retrieve the password or something along that line. A search was definitely performed but my sAMAccount could not be found.

My DN is

CN=Trey\, Victor,OU=Infrastructure & ICT Operations,OU=Business & Technology Services,OU=Business Units,OU=XXX,DC=xxx,DC=com,DC=au

 and i have also placed that in the first constructor arg for the userSearch Bean and it didn't work as well.. How do i determine if its my set up or AD setup?

 

 


  • 5 months later...

Hopefully someone can help me understand what is wrong with my configuration.

 

Using JasperServer pro 3.7.0.1 i have configured the applicationContext-security.xml file as others have posted earlier.  By watching the log file for the Active Directory, I can see a successful authentication but I receive 'Invalid credentials' on the login screen and the following error message in the jasperserver.log file...

WARN loggerListener, http-808-Processor25:60 - Authentication event AuthenticationFailureBadCredentialsEvent: dwberry; detail: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@166c8:RemoteIpAddress: xx.xxx.xx.xxx; SessionId: BDC9D5E04E3E84E334C1CDF02E51927F; exceptioin: Bad credentials

We are using a single organization and it was my understanding from the documentation that jasperserver pro users do not have to worry about the multitenancy thing.

Any insight or suggestions would be greatly appreciated.
