
JasperServer 4, try to use LDAP... What am I missing??


chuttner


I have the JasperSoft Cookbook "Authentication Cookbook 4.0" and I still can't figure this out.

First thing that confuses me is from the book...

2.2.1 Files to Modify
All configuration changes for external LDAP authentication are made in the following files:
<js-webapp>/WEB-INF/applicationContext-security.xml
<js-webapp>/WEB-INF/applicationContext-security-web.xml (This file is never mentioned in the LDAP section again)
<js-webapp>/WEB-INF/applicationContext-multiTenancy-security.xml in commercial editions, which have the organization architecture

Next thing is the logging... I am not even sure I have it turned on right because I only get like 3 lines that are LDAP related and they haven't been helpful.

LOG
2011-05-19 08:32:02,317 DEBUG AbstractContextSource,main:328 - AuthenticationSource not set - using default implementation
2011-05-19 08:32:02,320 DEBUG AbstractContextSource,main:350 - Not using LDAP pooling
2011-05-19 08:32:02,327 DEBUG AbstractContextSource,main:371 - Trying provider Urls: ldap://domaincontroller.domain.com/dc=domain,dc=com

Please let me know if you see anything or have some advice or need to see another file.

Code:


Post Edited by chuttner at 05/19/2011 18:53

bump...
Anything? I have configured other systems to use LDAP on our Active Directory (IBM Rational Suite, LSoft LISTSERV, SVN to name a few). Is there some other file I can post that will make it easier to find what I am doing wrong? I am running JasperReport Server CP 4.0.0, is there a newer version? Would that even help?


  • 2 weeks later...
  • 4 weeks later...
  • 2 months later...

Ok, managed to get it working, although the instructions I started off with were a bit crap. I ended up following this article: http://protocol7.com/archives/2006/07/16/acegi-security-system-and-active-directory-howto/

which made sense for me. The one thing to note is that in the article the "initialDirContextFactory" which is referred to is actually the bean with the id "ldapContextSource" in the configuration. Also, the properties "userDn" and "password" correspond to "managerDn" and "managerPassword" in the article.

If you get stuck, doing a google search for "making acegi plugin work with ActiveDirectory" seems to return quite a few results.

Good luck


Ok, I've attached the full file. The relevant bits are:

At the top of the file, enabling the LDAP authentication provider:

<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <ref bean="anonymousAuthenticationProvider"/>
                <!--ref local="jaasAuthenticationProvider"/-->
            </list>

        </property>
</bean>

 

And then the LDAP configuration sections:

   <!--
   For LDAP authentication
   -->
   <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
     <constructor-arg value="ldap://dc1.company.internal:389"/>
  
     <!--
     You may not need the next properties
     -->
     <property name="userDn"><value>CN=Jasper Ldap,OU=Resource,OU=Employees,DC=company,DC=internal</value></property>
     <property name="password"><value>password</value></property>
   </bean>
  
   <!--
   For LDAP authentication
   This bean is not used by default
   -->
   <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
     <constructor-arg index="0">
       <value>OU=Employees,DC=company,DC=internal</value>
     </constructor-arg>
     <constructor-arg index="1">
       <value>(sAMAccountName={0})</value>
     </constructor-arg>
     <constructor-arg index="2">
       <ref local="ldapContextSource" />
     </constructor-arg>           
     <property name="searchSubtree">
       <value>true</value>
     </property>           
   </bean>           
  
   <!--
   For LDAP authentication
   -->
   <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
     <constructor-arg>
       <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
          <!-- -property name="userDnPatterns"><list><value>uid={0}</value></list></property- -->
          <property name="userSearch" ref="userSearch"/>
       </bean>
     </constructor-arg>
     <constructor-arg>
       <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
          <constructor-arg index="1"><value>OU=Groups,OU=Employees,DC=company,DC=internal</value></constructor-arg>
          <property name="groupRoleAttribute"><value>cn</value></property>
          <!--<property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property>-->
          <property name="searchSubtree"><value>true</value></property>           
       </bean>
     </constructor-arg>
   </bean>

 

Note that I created the "Jasper Ldap" user to be able to access AD in the first place (it doesn't allow anonymous access) and that in our setup we have an OU called "Employees" off of the domain. Your setup might be slightly different, in that you might have an OU called "People" and then "Employees" off of that (or you might call the OU "Workers" etc...), please adjust according to your setup.


Did it create the groups and organization as well?

I've got it to read the groups from AD 2008 R2, but only on the pro install, and then well, the db does a rollback and fails anyways..lol

So I'm going to try and install to Oracle first, then try it and see how it goes.

When I try the same config with the community version, it only logs me in, won't create the groups and the likes tho..

It's meant to auto sync org, groups, and user from my understanding.


What I found was that it didn't automatically pull all groups from AD, but rather when an AD authenticated user logs in, it creates a whole bunch of new Roles, based on all of the groups that the newly authenticated user is a member of.

If the roles already exist (for example when another user, who is a member of the same groups, logs in) I guess it sees that those roles already exist and merely associates them with the new user.
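
The login flow that the beans posted above configure (user search, bind, group lookup), together with the role-on-login behaviour described in the thread, modelled offline as an added example; it is not code from the thread, JasperReports Server or Spring Security. The directory entries, the user `jdoe` and the group names are constructed, and the `(member={0})` group filter, `ROLE_` prefix and upper-casing are assumed to be the `DefaultLdapAuthoritiesPopulator` defaults.

```python
import re

USER_BASE = "OU=Employees,DC=company,DC=internal"             # userSearch base
GROUP_BASE = "OU=Groups,OU=Employees,DC=company,DC=internal"  # populator base
JANE = "CN=Jane Doe,OU=Staff,OU=Employees,DC=company,DC=internal"

# Constructed sample entries (DN -> attributes) standing in for Active Directory.
DIRECTORY = {
    JANE: {"sAMAccountName": ["jdoe"]},
    "CN=Report Admins," + GROUP_BASE: {"cn": ["Report Admins"], "member": [JANE]},
    "CN=Finance,OU=EU," + GROUP_BASE: {"cn": ["Finance"], "member": [JANE]},
    "CN=HR," + GROUP_BASE: {"cn": ["HR"], "member": []},
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def search(base, template, arg, subtree=True):
    """Evaluate one (attr={0}) equality filter; return (filter string, matching DNs)."""
    attr = re.fullmatch(r"\((\w+)=\{0\}\)", template).group(1)
    rendered = template.replace("{0}", escape_filter_value(arg))
    hits, b = [], base.lower()
    for dn, attrs in DIRECTORY.items():
        parent = dn.split(",", 1)[1].lower()
        # One-level scope: direct children only. Subtree: any depth below base.
        in_scope = parent == b or (subtree and parent.endswith("," + b))
        if in_scope and arg.lower() in (v.lower() for v in attrs.get(attr, [])):
            hits.append(dn)
    return rendered, hits

def roles_for(username, subtree=True):
    """Return the roles a login would yield, or None if authentication fails."""
    _, users = search(USER_BASE, "(sAMAccountName={0})", username, subtree)
    if len(users) != 1:
        return None  # no unique entry: the login is rejected
    # BindAuthenticator now binds as users[0] with the submitted password
    # (the password check is not modelled here).
    _, groups = search(GROUP_BASE, "(member={0})", users[0], subtree)
    # Assumed populator defaults: "ROLE_" prefix, upper-cased groupRoleAttribute (cn).
    return sorted("ROLE_" + DIRECTORY[g]["cn"][0].upper() for g in groups)

if __name__ == "__main__":
    print(roles_for("jdoe"))                 # user in a nested OU is found
    print(roles_for("jdoe", subtree=False))  # one-level search misses her
    print(roles_for("*"))                    # wildcard is escaped, no match
```

Only the groups of the user who logs in are looked up, which matches the observation that roles appear per login rather than being synchronised in bulk.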
