witto Posted July 7, 2009

There all,

Here is, for our company, a working solution to integrate JasperServer (3.1) in a Windows (2003) Active Directory.

Create in your Windows Active Directory a user to make LDAP Queries, i.e. "LDAPQueryUser". An ordinary "Domain User" is enough, no elevated rights are needed.

Modify the file "applicationContext-security.xml". You can find it in the directory "C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\jasperserver\WEB-INF".

Find "ldapAuthenticationProvider"

```xml
<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <!-- not on by default
            <ref local="ldapAuthenticationProvider"/> -->
            <ref local="daoAuthenticationProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
            <!--ref local="jaasAuthenticationProvider"/-->
        </list>
    </property>
</bean>
```

Remove the remark tags

```xml
<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/><!-- not on by default -->
            <ref local="daoAuthenticationProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
            <!--ref local="jaasAuthenticationProvider"/-->
        </list>
    </property>
</bean>
```

Find "bean id="initialDirContextFactory""

```xml
<!-- For LDAP authentication
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://scopeserv1:389/dc=panscopic,dc=com"/>
-->
<!-- You may not need the next properties
    <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
    <property name="managerPassword"><value>acegisecurity</value></property>
-->
<!--
</bean>
-->
```

Modifications

```xml
<!-- For LDAP authentication -->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <!-- LDAP Query -->
    <!-- <constructor-arg value="ldap://mydc1:389/dc=mydomain,dc=local"/> -->
    <!-- Global Catalog Query -->
    <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>
    <!-- -->
    <!-- You may not need the next properties -->
    <!-- <property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property> -->
    <property name="managerDn"><value>LDAPQueryUser</value></property>
    <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
    <property name="extraEnvVars">
        <map>
            <entry key="java.naming.referral" value="follow"/>
        </map>
    </property>
    <!-- -->
    <!-- -->
</bean>
<!-- -->
```

Find "bean id="userSearch""

```xml
<!-- For LDAP authentication This bean is not used by default
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value></value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(uid={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>
-->
```

Modifications

```xml
<!-- For LDAP authentication This bean is not used by default -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value></value>
        <!-- <value>cn=users</value> -->
    </constructor-arg>
    <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
        <!-- <value>(uid={0})</value> -->
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>
<!-- -->
```

Find "bean id="ldapAuthenticationProvider""

```xml
<!-- For LDAP authentication
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <property name="userDnPatterns"><list><value>uid={0}</value></list></property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg index="1"><value></value></constructor-arg>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property>
        </bean>
    </constructor-arg>
</bean>
-->
```

Modifications

```xml
<!-- For LDAP authentication -->
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <property name="userSearch"><ref local="userSearch" /></property>
            <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg index="1"><value></value>
                <!-- <value>cn=users</value> -->
            </constructor-arg>
            <property name="convertToUpperCase"><value>true</value></property>
            <property name="rolePrefix"><value></value></property>
            <property name="searchSubtree"><value>true</value></property>
            <property name="groupSearchFilter"><value>member={0}</value></property>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> -->
        </bean>
    </constructor-arg>
</bean>
<!-- -->
```

Restart your JasperServer (or your Apache Tomcat server).

More information:
http://forum.springsource.org/showthread.php?t=41167

Regards,

Post Edited by witto at 07/07/2009 22:47
Post Edited by witto at 07/27/2009 11:55

witto Posted July 8, 2009

Dear all,

In our solution above, I don't like the

```xml
<property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property>
```

Does anybody know how to reduce this to

```xml
<property name="managerDn"><value>LDAPQueryUser</value></property>
```

About

```xml
<constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>
```

Does anybody know if it is possible to provide alternate LDAP server URLs in case the default is unavailable?

Thanks,
Kind regards

Post Edited by witto at 07/08/2009 11:51

witto Posted July 27, 2009

Forget the question about

```xml
<property name="managerDn"><value>LDAPQueryUser</value></property>
```

It works fine for me. I will change the topmost post.

If anybody knows if it is possible to provide information about an alternate LDAP server, then I am still interested in the answer.

Post Edited by witto at 07/27/2009 11:56

witto Posted July 27, 2009

Dear all,

I seem to understand that "Spring LDAP" is used for LDAP Authentication.
I also seem to understand that "Spring LDAP" supports the configuration of multiple alternate LDAP servers.
Can anyone give an example how this is configured in JasperServer?
Should I write something like:

```xml
<constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local ldap://mydc1:3268/dc=mydomain,dc=local"/>
```

???

More information:
http://static.springsource.org/spring-ldap/docs/1.3.x/reference/html/
http://static.springsource.org/spring-ldap/docs/1.3.x/reference/html/configuration.html#dir-context-url

> 8.1.1. LDAP Server URLs
>
> The URL of the LDAP server is specified using the url property. The URL should be in the format ldap://myserver.example.com:389. For SSL access, use the ldaps protocol and the appropriate port, e.g. ldaps://myserver.example.com:636
>
> It is possible to configure multiple alternate LDAP servers using the urls property. In this case, supply all server urls in a String array to the urls property.

Kind regards

Post Edited by witto at 07/27/2009 14:11
Post Edited by witto at 07/27/2009 14:33
Post Edited by witto at 07/27/2009 14:35

jhliang90us Posted August 4, 2009

I am using the code posted here in applicationContext-security.xml. The authentication is done on Windows 2000 Active Directory. It worked fine. The only problem is that it takes an unbearably long time (70 seconds) just to authenticate. Does anyone else have the same problem? How did you resolve it? Thanks a lot.

witto Posted September 25, 2009

I really don't know. You see I do not even get an answer on the rather simple question that I asked. Do you see a difference in speed between "ldap://mydc1:389/dc=mydomain,dc=local" and "ldap://mydc1:3268/dc=mydomain,dc=local"?

witto Posted October 7, 2009

Dear JasperForge,

Doesn't anybody know how to configure multiple alternate LDAP servers?
Can someone provide an example?

linvicch Posted October 12, 2009

I probably should be reading more into the documentation but it would be great if someone can give some direction. I don't have much experience in AD and LDAP.

All I am required to do is to allow users to authenticate to JS via AD. Please correct me if I am wrong in any way. I do not require role mapping. Using JS 3.5 PRO.

How I see this working is:

- create user in JS, assign username/password (same as AD login, different pw perhaps)
- assign organization and roles in JS
- user logs into JS
- JS retrieves login and matches password
- allows access into JS based on JS security setup

Is this possible? The primary reason we want to use AD is just for the login/password.

Please advise :D

witto Posted October 12, 2009

I presume you do not have to create any user in JasperServer that has the same name and password as in your Active Directory. I presume you can follow the steps that I posted in the first post. Even for JasperServer 3.5.

But we did not implement (yet) JasperServer 3.5.

linvicch Posted October 13, 2009

This post definitely deserves some karma for sharing :D

So if we are not required to create any user, what kind of role will the user get? Is that where we have to map roles?

swood Posted October 13, 2009

Yes - a great post. I added a link to this in the wiki.

This will work for JasperServer 3.5. The users are automatically created. They are flagged as "external". There are default roles you can add to them by changing WEB-INF/applicationContext.xml. See the defaultInternalRoles property below. These roles will always get added to a new external user. I think this is what you need, linvicch.

Sherman
Jaspersoft

Code:

```xml
<bean id="userAuthorityServiceTarget" class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">
    <property name="sessionFactory" ref="sessionFactory"/>
    <property name="objectMappingFactory" ref="mappingResourceFactory"/>
    <property name="persistentClassFactory" ref="persistentMappings"/>
    <property name="profileAttributeService" ref="profileAttributeService"/>
    <property name="defaultInternalRoles">
        <list>
            <value>ROLE_USER</value>
        </list>
    </property>
    <property name="tenantPersistenceResolver"><ref bean="hibernateTenantService"/></property>
</bean>
```

linvicch Posted October 14, 2009

Thank you everyone :)

witto Posted October 14, 2009

Dear Sherman Wood,

What do you know about the possibility to configure one or more "alternate LDAP servers"? Is it enough to enumerate all the LDAP or Global Catalog servers divided by spaces?

```xml
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local ldap://mydc2:3268/dc=mydomain,dc=local"/>
    <property name="managerDn"><value>LDAPQueryUser</value></property>
    <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
    <property name="extraEnvVars">
        <map>
            <entry key="java.naming.referral" value="follow"/>
        </map>
    </property>
</bean>
```

linvicch Posted October 16, 2009

Hiya,

Is it possible to configure the login for JS without changing code to enable the following:

- Create user in JS with roles
- on login, verify the password and login details with AD
- On successful authentication, map the username in AD with the user in JS
- if user in JS is found, allow access with the role that has been set up earlier
- if user in JS is not found, deny access.

The reason we are doing it this way is because we have 2 teams: 1 is the BI team that manages JS. The other team is the Windows administrators that look after AD.

- BI team will need to have control as to who gains access to JS
- The AD team will not be and is not involved in the current project, hence we can't make any modification to the groups and roles of users in AD. It has also been very stressful and frustrating to get the Windows admins (busiest ppl in any office) to get anything done and it would be better if they can be left out of the picture altogether.

All we really need is to still use the default internal authentication of JS except instead of using the password stored in the JS internal database, we would like to retrieve the password stored in AD. The login name in JS for user A will be the same login name for user A in AD.

Thank you for any advice given :)

swood Posted October 17, 2009

witto,

You can't just add additional URLs in the constructor arg. You could add a different set of beans for the second LDAP configuration, and add it into the list of authentication managers:

```xml
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <!-- not on by default
            <ref local="ldapAuthenticationProvider"/> -->
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref local="ldapAuthenticationProvider-1"/>
            <ref local="ldapAuthenticationProvider-2"/>
            <ref local="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>
```

Also, if memory serves me right, you should be able to configure your LDAP service to do this with a single IP address. LDAP services are usually designed up to be fault tolerant and scalable, so they can have a number of LDAP servers behind 1 IP address.

Sherman
Jaspersoft

swood Posted October 17, 2009

linvicch,

You can do what you want. I designed it that way ;-).

LDAP is the external authentication mechanism. Using LDAP, JS will authenticate the user name and password. Roles can be pulled from LDAP and attached to the user in JS. You can set the default roles externally defined users will have by changing the userAuthorityService bean in WEB-INF/applicationContext.xml:

```xml
<bean id="userAuthorityServiceTarget" class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">
    <property name="sessionFactory" ref="sessionFactory"/>
    <property name="objectMappingFactory" ref="mappingResourceFactory"/>
    <property name="persistentClassFactory" ref="persistentMappings"/>
    <property name="profileAttributeService" ref="profileAttributeService"/>
    <property name="defaultInternalRoles">
        <list>
            <value>ROLE_USER</value>
        </list>
    </property>
    <property name="tenantPersistenceResolver"><ref bean="${bean.hibernateTenantService}"/></property>
    <property name="auditContext" ref="${bean.auditContext}"/>
</bean>
```

The Authentication Cookbook walks you through this process.

Sherman
Jaspersoft

linvicch Posted October 20, 2009

Thanks Sherman,

But that's not what we need. Are we able to allow the user to take on roles that have been assigned to them in JasperServer?

In essence, all we really need is to use the standard login implementation of JS. The only difference we want is for the password to be retrieved from AD.

The user and roles should all be using the default implementation of JS, where we create a user in JS and assign specific roles within JS.

e.g. John and Peter are both users in AD. Only Peter is set up in JS. In this scenario, only Peter should be able to gain access to JS and his role will be whatever he was set up as in JS.

This will probably sound strange to you as to why we are doing it this way and I also agree that it makes more sense to assign roles to users based on their group in AD, but due to environmental restrictions, we are not able to achieve that.

Pls guide, thxs :)

Post Edited by linvicch at 10/20/2009 08:13

witto Posted October 20, 2009

swood wrote:

> witto,
>
> You can't just add additional URLs in the constructor arg. You could add a different set of beans for the second LDAP configuration, and add it into the list of authentication managers:
>
> ```xml
> <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
>     <property name="providers">
>         <list>
>             <!-- not on by default
>             <ref local="ldapAuthenticationProvider"/> -->
>             <ref bean="${bean.daoAuthenticationProvider}"/>
>             <ref local="ldapAuthenticationProvider-1"/>
>             <ref local="ldapAuthenticationProvider-2"/>
>             <ref local="anonymousAuthenticationProvider"/>
>         </list>
>     </property>
> </bean>
> ```
>
> Also, if memory serves me right, you should be able to configure your LDAP service to do this with a single IP address. LDAP services are usually designed up to be fault tolerant and scalable, so they can have a number of LDAP servers behind 1 IP address.
>
> Sherman
> Jaspersoft

Dear Sherman,

Could you elaborate on your example? I am looking for working examples and "how to get there" descriptions.

I have been testing on a test server with configurations like:

```xml
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <!-- Testing alternate LDAP servers -->
    <!-- <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local ldap://dummy:3268/dc=mydomain,dc=local"/> -->
    <!-- <constructor-arg value="ldap://dummy:3268/dc=mydomain,dc=local ldap://mydc1:3268/dc=mydomain,dc=local"/> -->
    <!-- <constructor-arg value="ldap://mydc2:3268/dc=mydomain,dc=local ldap://dummy:3268/dc=mydomain,dc=local"/> -->
    <!-- <constructor-arg value="ldap://dummy:3268/dc=mydomain,dc=local ldap://mydc2:3268/dc=mydomain,dc=local"/> -->
    <!-- At first glance, the examples above seem to work -->
    <!-- Global Catalog Search -->
    <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local ldap://mydc2:3268/dc=mydomain,dc=local"/>
    <!-- LDAP Query -->
    <!-- <constructor-arg value="ldap://mydc1:389/dc=mydomain,dc=local ldap://mydc2:389/dc=mydomain,dc=local"/> -->
    <property name="managerDn"><value>LDAPQueryUser</value></property>
    <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
    <property name="extraEnvVars">
        <map>
            <entry key="java.naming.referral" value="follow"/>
        </map>
    </property>
</bean>
```

Kind regards,

Post Edited by at 10/20/2009 11:38
Post Edited by witto at 10/20/2009 11:44

swood Posted October 21, 2009

You could create multiple sets of LDAP configuration beans, one for each of your mydc1, mydc2 and dummy LDAP servers, and then list the LDAP authentication beans in the authentication manager. When the user tries to authenticate, JasperServer will run through the list until it is successful, or fails, which is why the anonymousAuthenticationProvider is last in the chain.

The approach with a load balanced/fault tolerant LDAP environment will be a single LDAP configuration from the JasperServer perspective.

Sherman
Jaspersoft

witto Posted October 21, 2009

Dear Sherman,

I really do not see how this should be configured.
Please forgive my ignorance, but I know anything about Java beans, except the beans I use to make coffee.

As far as I can see through the configuration in my topmost post, the tag

```xml
<ref local="ldapAuthenticationProvider"/>
```

is reused in the "bean tag"

```xml
<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
```

and in that part, I do not see any configuration about the LDAP servers that should be used. I do see that there is a tag constructor-arg with a subtag that refers to initialDirContextFactory:

```xml
<constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
```

Under the bean tag

```xml
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
```

the LDAP server is provided.

But I still do not see what I should change to configure more than one LDAP server.
Can you please shed some light in the darkness and maybe provide a working example configuration?

Thank you very much for your suggestions so far.

witto Posted October 27, 2009

Dear Sherman,

If I try to follow your suggestions, I would end up with the following modifications:

```xml
<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <!-- not on by default
            <ref local="ldapAuthenticationProvider"/> -->
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref local="ldapAuthenticationProvider-1"/>
            <ref local="ldapAuthenticationProvider-2"/>
            <ref local="daoAuthenticationProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
            <!--ref local="jaasAuthenticationProvider"/-->
        </list>
    </property>
</bean>

<!-- For LDAP authentication -->
<bean id="initialDirContextFactory-1" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <!-- LDAP Query -->
    <!-- <constructor-arg value="ldap://mydc1:389/dc=mydomain,dc=local"/> -->
    <!-- Global Catalog Query -->
    <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>
    <!-- -->
    <!-- You may not need the next properties -->
    <!-- <property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property> -->
    <property name="managerDn"><value>LDAPQueryUser</value></property>
    <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
    <property name="extraEnvVars">
        <map>
            <entry key="java.naming.referral" value="follow"/>
        </map>
    </property>
    <!-- -->
    <!-- -->
</bean>
<!-- -->
<bean id="initialDirContextFactory-2" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <!-- LDAP Query -->
    <!-- <constructor-arg value="ldap://mydc2:389/dc=mydomain,dc=local"/> -->
    <!-- Global Catalog Query -->
    <constructor-arg value="ldap://mydc2:3268/dc=mydomain,dc=local"/>
    <!-- -->
    <!-- You may not need the next properties -->
    <!-- <property name="managerDn"><value>CN=LDAPQueryUser,CN=Users,DC=mydomain,DC=local</value></property> -->
    <property name="managerDn"><value>LDAPQueryUser</value></property>
    <property name="managerPassword"><value>?S3cr3tP@ssw0rd!</value></property>
    <property name="extraEnvVars">
        <map>
            <entry key="java.naming.referral" value="follow"/>
        </map>
    </property>
    <!-- -->
    <!-- -->
</bean>
<!-- -->

<!-- For LDAP authentication This bean is not used by default -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value></value>
        <!-- <value>cn=users</value> -->
    </constructor-arg>
    <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
        <!-- <value>(uid={0})</value> -->
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>
<!-- -->

<!-- For LDAP authentication -->
<bean id="ldapAuthenticationProvider-1" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory-1"/></constructor-arg>
            <property name="userSearch"><ref local="userSearch" /></property>
            <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="initialDirContextFactory-1"/></constructor-arg>
            <constructor-arg index="1"><value></value>
                <!-- <value>cn=users</value> -->
            </constructor-arg>
            <property name="convertToUpperCase"><value>true</value></property>
            <property name="rolePrefix"><value></value></property>
            <property name="searchSubtree"><value>true</value></property>
            <property name="groupSearchFilter"><value>member={0}</value></property>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> -->
        </bean>
    </constructor-arg>
</bean>
<!-- -->

<!-- For LDAP authentication -->
<bean id="ldapAuthenticationProvider-2" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory-2"/></constructor-arg>
            <property name="userSearch"><ref local="userSearch" /></property>
            <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg index="1"><value></value>
                <!-- <value>cn=users</value> -->
            </constructor-arg>
            <property name="convertToUpperCase"><value>true</value></property>
            <property name="rolePrefix"><value></value></property>
            <property name="searchSubtree"><value>true</value></property>
            <property name="groupSearchFilter"><value>member={0}</value></property>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <!-- <property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property> -->
        </bean>
    </constructor-arg>
</bean>
<!-- -->
```

I did not try the modifications above at all.
Can you please give your comments on these modifications?

Kind regards,

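A static pre-deployment check for a two-provider layout like the one in the post above, as an added example that is not part of the original post or of JasperServer: it flags `ref local` targets with no matching bean id in the same file (the sample keeps the post's references to the old `initialDirContextFactory` id), cleartext `ldap://` URLs, and a `managerPassword` stored inline. The sample XML is a constructed, trimmed copy with a placeholder password; `lint` and its finding codes are names invented here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the two-provider layout from the post,
# with a placeholder password. The stub daoAuthenticationProvider stands in
# for the stock bean that the real file already defines.
SAMPLE = """<beans>
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers"><list>
      <ref local="ldapAuthenticationProvider-1"/>
      <ref local="ldapAuthenticationProvider-2"/>
      <ref local="daoAuthenticationProvider"/>
    </list></property>
  </bean>
  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"/>
  <bean id="initialDirContextFactory-1" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://mydc1:3268/dc=mydomain,dc=local"/>
    <property name="managerDn"><value>LDAPQueryUser</value></property>
    <property name="managerPassword"><value>constructed-placeholder</value></property>
  </bean>
  <bean id="initialDirContextFactory-2" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://mydc2:3268/dc=mydomain,dc=local"/>
  </bean>
  <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value></value></constructor-arg>
    <constructor-arg index="1"><value>(sAMAccountName={0})</value></constructor-arg>
    <constructor-arg index="2"><ref local="initialDirContextFactory"/></constructor-arg>
  </bean>
  <bean id="ldapAuthenticationProvider-1" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg><ref local="initialDirContextFactory-1"/></constructor-arg>
        <property name="userSearch"><ref local="userSearch"/></property>
      </bean>
    </constructor-arg>
  </bean>
  <bean id="ldapAuthenticationProvider-2" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg><ref local="initialDirContextFactory-2"/></constructor-arg>
        <property name="userSearch"><ref local="userSearch"/></property>
      </bean>
    </constructor-arg>
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
      </bean>
    </constructor-arg>
  </bean>
</beans>"""


def lint(xml_text):
    """Return (top-level bean id, finding code, detail) tuples.

    Comments are dropped by the parser, so commented-out alternatives
    in the file are not reported.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # tolerate schema-style files
        el.tag = el.tag.rsplit("}", 1)[-1]      # by stripping any namespace
    ids = {b.get("id") for b in root.iter("bean") if b.get("id")}
    findings = []
    for top in root.findall("bean"):
        owner = top.get("id", "(anonymous)")
        # <ref local="..."> must resolve to a bean id in this same file.
        for ref in top.iter("ref"):
            target = ref.get("local")
            if target and target not in ids:
                findings.append((owner, "dangling-ref", target))
        # ldap:// means simple binds travel unencrypted; the value may be
        # a space-separated list of URLs, so check every token.
        for el in top.iter():
            text = el.get("value") or (el.text or "")
            for token in text.split():
                if token.lower().startswith("ldap://"):
                    findings.append((owner, "cleartext-ldap", token))
        # A literal managerPassword lives in the webapp directory in the clear;
        # report it without echoing the secret.
        for prop in top.iter("property"):
            if prop.get("name") == "managerPassword":
                value = prop.get("value") or prop.findtext("value") or ""
                if value and not value.startswith("${"):
                    findings.append((owner, "inline-password", "<redacted>"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Only `ref local` is checked because that form must resolve inside the same XML file; `ref bean` and `${...}` placeholders can legitimately point at beans or properties defined elsewhere.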
linvicch Posted November 2, 2009

Will anyone be kind enough to post their configuration for jasperserver pro applicationContext-multiTenancy-security.xml?

Is applicationContext-multiTenancy-security.xml used to configure the multi tenancy?

linvicch Posted November 6, 2009

Is there any way to debug why I get a

```
Applying rules to determine whether transaction should rollback on org.acegisecurity.userdetails.UsernameNotFoundException: User not found with username
```

from jasperserver.log with acegisecurity debugging turned on?

Based on the configuration I tried at home, everything works, but bring it to work and nothing works.

I have attached a copy of my applicationContext-security.xml

I have a feeling it's something to do with security that is not allowing me to retrieve the password or something along that line. A search was definitely performed but my sAMAccount could not be found.

My DN is

```
CN=Trey\, Victor,OU=Infrastructure & ICT Operations,OU=Business & Technology Services,OU=Business Units,OU=XXX,DC=xxx,DC=com,DC=au
```

and I have also placed that in the first constructor arg for the userSearch bean and it didn't work either.

How do I determine if it's my setup or the AD setup?

dwberry Posted April 9, 2010

Hopefully someone can help me understand what is wrong with my configuration. Using JasperServer pro 3.7.0.1 I have configured the applicationContext-security.xml file as others have posted earlier. By watching the log file for the Active Directory, I can see a successful authentication but I receive 'Invalid credentials' on the login screen and the following error message in the jasperserver.log file...

```
WARN loggerListener, http-808-Processor25:60 - Authentication event AuthenticationFailureBadCredentialsEvent: dwberry; detail: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@166c8:RemoteIpAddress: xx.xxx.xx.xxx; SessionId: BDC9D5E04E3E84E334C1CDF02E51927F; exceptioin: Bad credentials
```

We are using a single organization and it was my understanding from the documentation that jasperserver pro users do not have to worry about the multitenancy thing.

Any insight or suggestions would be greatly appreciated.