JasperServer LDAP/Active Directory integration question

0

One more AD integration question:

Here is my applicationContext-externalAuth-LDAP.xml file


    <bean id="ldapAuthenticationProvider"
          class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value>CN=Users</value></constructor-arg>
                <property name="groupRoleAttribute"> <value>CN</value></property>
                <property name="groupSearchFilter"> <value>(member={0}(CN=*)</value></property>
                <property name="searchSubtree"> <value>true</value></property>
                <property name="defaultRole"> <value>ROLE_USER</value></property>
 
                <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
            </bean>
        </constructor-arg>
    </bean>
 
    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value>cn=Users</value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>(sAMAccountName={0})</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>
 
    <bean id="ldapContextSource"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
 
        <constructor-arg
            value="ldap://servername.domainname.com:389/cn=Users,dc=domainname,dc=com?sAMAccountName?sub?(objectClass=*)"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn"   value="user.name"/>
        <property name="password" value="xxxxxxx"  />
    </bean>
    <!-- ############ LDAP authentication ############ -->

Login of AD user always fails with the following error messages in log:

2013-09-05 15:47:44,164 DEBUG ProviderManager,           http-9090-7:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
2013-09-05 15:47:44,170 DEBUG FilterBasedLdapUserSearch, http-9090-7:109 - Searching for user 'user.name', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-05 15:47:44,191 DEBUG SpringSecurityLdapTemplate,http-9090-7:197 - Searching for entry in under DN 'cn=Users,dc=domainname,dc=com', base = 'cn=Users', filter = '(sAMAccountName={0})'
2013-09-05 15:47:44,199 DEBUG ProviderManager,           http-9090-7:183 - Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
2013-09-05 15:47:44,212  WARN LoggerListener,            http-9090-7:60  - Authentication event AuthenticationFailureBadCredentialsEvent: user.name; details: org.springframework.security.ui.WebAuthenticationDetails@3bcc: RemoteIpAddress: xxx.xxx.xxx.xxx; SessionId: A09C6210D892B0BE9614CD9C7AC942FD; exception: Bad credentials

I tried many possible variants following the cookbook, but I keep getting the same error message.

The same LDAP URL, ldap://servername.domainname.com:389/cn=Users,dc=domainname,dc=com, works fine with other apps and their integration with our AD.

What could be wrong?

Posted by AlexVasiliev

2 Answers:

0

Please take care in your configuration: the DefaultLdapAuthoritiesPopulator groupSearchFilter (member={0}(CN=*) is invalid. I recommend dropping the DefaultLdapAuthoritiesPopulator property altogether until you can log in. DefaultLdapAuthoritiesPopulator is responsible for extracting user roles. If you remove it, the authenticated users will be roleless, but this is fine, since JasperServer assigns a default ROLE_USER. To write groupSearchFilter correctly, please refer to the Spring LDAP reference documentation.

Also, what's the reason for all the extra attributes in the ldapContextSource URL? They don't hurt anything, but they make it hard to review configs.

Posted by dlitvak
2

I hope you solved this by now.

To everyone with the same problem hoping to find an answer: make sure you add <property name="referral" value="follow"/> to the ldapContextSource.

My working ldapAuthenticationProvider and userSearch beans:

    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0">
                    <ref local="ldapContextSource"/>
                </constructor-arg>
                <constructor-arg index="1">
                    <value></value>
                </constructor-arg>
 
                <!-- Properties -->
                <property name="groupRoleAttribute">
                    <value>CN</value>
                </property>
                <property name="groupSearchFilter">
                    <value>(&amp;(objectClass=group)(member={0}))</value>
                </property>
                <property name="searchSubtree" value="true"/>
                <property name="defaultRole" value="ROLE_LDAP"/>
                <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
            </bean>
        </constructor-arg>
    </bean>
 
    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value></value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource"/>
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>

Posted by d.moonen
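As an added example (not code from this thread, JasperServer or Spring), the Python below parses the three search filters quoted in the question and in the second answer, rejects the unbalanced (member={0}(CN=*) that the first answer calls invalid, and shows how the {0} argument (the login name in userSearch, the user's DN in DefaultLdapAuthoritiesPopulator) is RFC 4515-escaped before it is substituted into the filter. The names filter_escape, check_filter and render are this example's own.

```python
# Added example (not code from JasperServer, Spring or this thread): check the LDAP
# search filters quoted above before pasting them into the Spring XML. Spring passes
# the {0} argument separately and it is escaped per RFC 4515 on the way into the
# filter; filter_escape() and render() reproduce that step for inspection.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def filter_escape(value: str) -> str:
    """RFC 4515 escaping of a value that is inserted into a search filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def _parse(s: str, pos: int) -> int:
    """Parse one filter starting at s[pos]; return the offset just past its closing ')'."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(s) and s[pos] in "&|":        # (&(f1)(f2)...) or (|(f1)(f2)...)
        pos += 1
        while pos < len(s) and s[pos] == "(":
            pos = _parse(s, pos)
    elif pos < len(s) and s[pos] == "!":       # (!(f))
        pos = _parse(s, pos + 1)
    else:                                      # simple item attr=value: no nesting allowed
        end = pos
        while end < len(s) and s[end] not in "()":
            end += 1
        if end < len(s) and s[end] == "(":
            raise ValueError(f"'(' inside a simple item at offset {end}; wrap terms in (&(..)(..))")
        if "=" not in s[pos:end]:
            raise ValueError(f"item '{s[pos:end]}' at offset {pos} has no '='")
        pos = end
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1

def check_filter(template: str) -> str:
    """Return '' when the filter template is well-formed, otherwise a description of the fault."""
    try:
        end = _parse(template, 0)
    except ValueError as exc:
        return str(exc)
    return "" if end == len(template) else f"trailing text at offset {end}"

def render(template: str, value: str) -> str:
    """Fill {0} with the escaped value, giving the filter the directory actually receives."""
    return template.replace("{0}", filter_escape(value))

BROKEN_GROUP_FILTER = "(member={0}(CN=*)"                      # from the question
WORKING_GROUP_FILTER = "(&(objectClass=group)(member={0}))"     # from the second answer
WORKING_USER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
```

check_filter(BROKEN_GROUP_FILTER) reports the '(' nested inside the simple item, while both filters from the second answer parse cleanly, and render() shows that a login name containing filter metacharacters cannot change the filter's structure.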