Active Directory problem with v4.5 CE


I hope that someone can throw some light on a problem with Active Directory authentication on v4.5 Community Edition.

We have a proof of concept project based on v4.5 CE running on Windows 2008 R2. It is a standard installation, using Tomcat and Postgres.

Everything works pretty much as expected apart from AD authentication.

We have set up a user - LDAPQueryUser - for the authentication searches. We can connect to the AD with LDAPQueryUser credentials using Softerra LDAP Admin Tool, so I think that's working okay.

We have been through the Authentication Cookbook LDAP pages, the Spring documentation and some detailed posts in the Forums, but cannot pinpoint likely sources of the problem.

An extract of the current configuration is attached (we have been through many variants of the BindAuthenticator and userSearch), all of which yield pretty much the same result - Bad credentials - as in the log extract below.

2012-04-28 16:36:39,653  WARN SingletonEhCacheProvider,Thread-1:92 - Could not find a specific ehcache configuration for cache named (org.hibernate.cache.UpdateTimestampsCache); using defaults.
2012-04-28 16:36:39,668  WARN SingletonEhCacheProvider,Thread-1:92 - Could not find a specific ehcache configuration for cache named (org.hibernate.cache.StandardQueryCache); using defaults.
2012-04-28 16:36:41,075  WARN PermissionsListProtectionDomainProvider,Thread-1:61 - A security manager has not been configured for the JVM. The protection domain set for the reports will NOT be effective.
2012-04-28 16:36:44,132  WARN SecurityConfiguration,Thread-1:175 - SECURITY for (sql) is OFF
2012-04-28 16:36:44,369  WARN ChainedTilesRequestContextFactory,Thread-1:105 - Cannot find TilesRequestContextFactory class org.apache.tiles.portlet.context.PortletTilesRequestContextFactory
2012-04-28 16:36:46,445  WARN XmlaServlet,Thread-1:615 - Use default character encoding from HTTP client
2012-04-28 16:36:48,866  WARN JSESAPISecurityConfiguration,http-8080-1:652 - SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from 'esapi/' using current thread context class loader!
2012-04-28 16:36:48,874  WARN JSESAPISecurityConfiguration,http-8080-1:652 - SUCCESSFULLY LOADED validation.properties via the CLASSPATH from 'esapi/' using current thread context class loader!
2012-04-28 16:36:48,932 DEBUG BindAuthenticator,http-8080-1:106 - Attemptimg to bind as uid=UUUUUU,dc=domain,dc=co,dc=uk
2012-04-28 16:36:48,932 DEBUG BindAuthenticator,http-8080-1:106 - Attemptimg to bind as uid=UUUUUU,dc=domain,dc=co,dc=uk
2012-04-28 16:36:49,145  WARN LoggerListener,http-8080-1:60 - Authentication event AuthenticationFailureBadCredentialsEvent: UUUUUU; details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.4.188; SessionId: 69D888C1DC5E09EB29A95DDA5C5CD6F0; exception: Bad credentials.

Log4J debugging is on for Spring, but we get little other than the two DEBUG messages above.

Given the configuration, does anyone have any suggestions for ways to pinpoint the problem, or steps to try? We are stumped. Any suggestions would be appreciated.
 

Code:
<!-- ======================== AUTHENTICATION ======================= -->
<bean class="org.springframework.security.providers.ProviderManager" id="authenticationManager">
   <property name="providers">
      <list>
         <ref local="ldapAuthenticationProvider"> </ref>
         <ref bean="${bean.daoAuthenticationProvider}"></ref>
         <ref bean="anonymousAuthenticationProvider"></ref>
         <!--ref local="jaasAuthenticationProvider"/-->
      </list>
   </property>
</bean>
 
<!--  ***************************** LDAP authentication START **************************************** -->
<bean class="org.springframework.security.ldap.DefaultSpringSecurityContextSource" id="ldapContextSource">
   <constructor-arg value="ldap://ADSERVER:389/DC=domain, DC=co, DC=uk">     
      <property name="userDn">
         <value>CN=LDAPQueryUser,OU=XXXXX,OU=YYYYY,OU=ZZZZZ,DC=domain,DC=co,DC=uk</value>
      </property>
      <property name="password">
         <value>s3cr3t#</value>
      </property>
   </constructor-arg>
</bean>
 
<bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch" id="userSearch">
   <constructor-arg index="0"> 
      <value>OU=YYYYY</value>
   </constructor-arg>
   <constructor-arg index="1">
      <value>(sAMAccountName={0})</value>
   </constructor-arg>
   <constructor-arg index="2">
      <ref local="ldapContextSource"></ref>
   </constructor-arg>            
   <property name="searchSubtree">
      <value>true</value>
   </property>            
</bean>            
 
<bean class="org.springframework.security.providers.ldap.LdapAuthenticationProvider" id="ldapAuthenticationProvider">
   <constructor-arg>
      <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
         <constructor-arg>
            <ref local="ldapContextSource"></ref>
         </constructor-arg>
         <property name="userDnPatterns">
            <list>
               <value>(sAMAccountName={0})</value>
            </list>
         </property>
         <property name="userSearch" ref="userSearch"></property>
      </bean>
   </constructor-arg>
   <constructor-arg>
      <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
         <constructor-arg index="0">
            <ref local="ldapContextSource"></ref>
         </constructor-arg>
         <constructor-arg index="1">
            <value>OU=Groups</value>
         </constructor-arg>
         <property name="groupRoleAttribute">
            <value>CN</value>
         </property>
         <property name="groupSearchFilter">
            <value>(member={0}(CN=*)</value>
         </property>
         <property name="searchSubtree">
            <value>true</value>
         </property> 
         <property name="defaultRole">
            <value>ROLE_USER</value>
         </property> 
      </bean>
   </constructor-arg>
</bean>
 
<!--  ***************************** LDAP authentication END **************************************** -->

 

gedmf (joined Sep 9 2011)

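As an added check (not part of the original post or the product's own code), here is a small stdlib-only Python lint for the two values in the configuration above that a reviewer would look at first: BindAuthenticator substitutes the login name for {0} in each userDnPatterns entry and binds with the result as a DN, so a search filter in that list cannot yield a valid bind DN, and any LDAP search filter such as groupSearchFilter must have balanced parentheses. The XML below is a constructed excerpt of the posted beans, not a file from the installation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the two bean properties from the post that the lint inspects.
SAMPLE_CONFIG = """<beans>
  <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
    <property name="userDnPatterns"><list><value>(sAMAccountName={0})</value></list></property>
  </bean>
  <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
    <property name="groupSearchFilter"><value>(member={0}(CN=*)</value></property>
  </bean>
</beans>"""

# A DN pattern is a comma-separated list of attr=value parts, one of which holds {0},
# e.g. "sAMAccountName={0},OU=YYYYY,DC=domain,DC=co,DC=uk" (optional space after commas).
DN_PATTERN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$")


def filter_balanced(ldap_filter):
    """An LDAP search filter (RFC 4515) must have balanced parentheses."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def is_dn_pattern(pattern):
    """True if the entry can become a bind DN once {0} is replaced by the login name."""
    return "{0}" in pattern and DN_PATTERN_RE.match(pattern) is not None


def lint_config(xml_text):
    """Return human-readable findings for the LDAP-related properties in a Spring XML snippet."""
    findings = []
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        name = prop.get("name")
        for value in prop.iter("value"):
            text = (value.text or "").strip()
            if name == "userDnPatterns" and not is_dn_pattern(text):
                findings.append(f"userDnPatterns entry {text!r} is a filter, not a DN pattern")
            if name == "groupSearchFilter" and not filter_balanced(text):
                findings.append(f"groupSearchFilter {text!r} has unbalanced parentheses")
    return findings
```

Running lint_config(SAMPLE_CONFIG) reports both posted values; a DN-shaped pattern such as the one the log shows being bound (uid={0},dc=domain,dc=co,dc=uk) passes.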
1 Answer:


Did you ever resolve this? I am having the same problem..

dnoe (joined Dec 1 2014)