I configured 2 types of LDAP authentication: the one with CAS is doing well, but the other one, without CAS, doesn't work. It stops like this:
2013-11-20 15:03:06,987 DEBUG FilterBasedLdapUserSearch,TP-Processor11:109 - Searching for user 'test', with user search [ searchFilter: '(& (cn={0}) (employeeType=*STATS_CONSULT*))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-11-20 15:03:07,025 DEBUG SpringSecurityLdapTemplate,TP-Processor11:197 - Searching for entry in under DN 'ou=personnes,o=ADALIS,dc=inpes,dc=com', base = '', filter = '(& (cn={0}) (employeeType=*STATS_CONSULT*))'
2013-11-20 15:03:07,032 DEBUG SpringSecurityLdapTemplate,TP-Processor11:214 - Found DN: cn=test
And we don't have any further information on what is wrong.
Any idea?
For example, with CAS authentication we've got:
2013-11-20 11:38:34,959 DEBUG SpringSecurityLdapTemplate,TP-Processor9:214 - Found DN: cn=adminStats
and after that:
2013-11-20 11:38:34,983 DEBUG DefaultLdapAuthoritiesPopulator,TP-Processor9:176 - Getting authorities for user cn=adminStats,ou=personnes,o=A_A,dc=inpes,dc=com
etc.
Here is part of my configuration:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
            <constructor-arg index="1"><value></value></constructor-arg>
            <property name="groupRoleAttribute" value="title"/>
            <property name="groupSearchFilter" value="(cn={1})"/>
            <property name="searchSubtree" value="true"/>
            <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
        </bean>
    </constructor-arg>
</bean>
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <!-- search base: empty, so the context source's base DN is used -->
    <constructor-arg index="0"><value></value></constructor-arg>
    <!-- search filter; the '&' of the LDAP AND filter must be escaped as '&amp;' inside XML -->
    <constructor-arg index="1"><value>(&amp; (cn={0}) (employeeType=*STATS_CONSULT*))</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>
2 Answers:
We did it. So it was what we suspected the other day: we just took the part of the code that encrypts the password, which was used in the application that creates users in LDAP, and so we made a single jar of it and implemented it with this code in the application context file:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <!-- compare against the stored userPassword instead of binding as the user -->
        <bean class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
            <!-- encoder that reproduces the hashing done by the user-creation application -->
            <property name="passwordEncoder" ref="OurPasswordEncoder"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
            <constructor-arg index="1"><value></value></constructor-arg>
            <property name="groupRoleAttribute" value="title"/>
            <property name="groupSearchFilter" value="(cn={1})"/>
            <property name="searchSubtree" value="true"/>
            <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
        </bean>
    </constructor-arg>
</bean>
<bean class="our.jasper.auth.encoding.JasperPasswordEncoder" id="OurPasswordEncoder"/>
Did you set referral to follow in the ldapContextSource, as mentioned on the Secure Active Directory/LDAP/LDAPS Authentication for Groups wiki?
I hadn't set referral to follow before, so I tried it, but it's still blocked :-(
On the other hand, I put more logging in log4j.properties and got this:
2013-11-21 11:18:23,327 DEBUG SpringSecurityLdapTemplate,TP-Processor10:214 - Found DN: cn=adminStats2
2013-11-21 11:18:23,330 DEBUG BindAuthenticator,TP-Processor10:106 - Attemptimg to bind as cn=adminStats2,ou=personnes,o=ADALIS,dc=inpes,dc=com
2013-11-21 11:18:23,333 DEBUG BindAuthenticator,TP-Processor10:142 - Failed to bind as cn=adminStats2: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2013-11-21 11:18:23,334 DEBUG ProviderManager,TP-Processor10:183 - Authentication attempt using com.jaspersoft.jasperserver.multipleTenancy.MTDaoAuthenticationProvider
2013-11-21 11:18:23,373 WARN LoggerListener,TP-Processor10:60 - Authentication event AuthenticationFailureBadCredentialsEvent: adminStats2; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@b364: RemoteIpAddress: 160.92.7.69; SessionId: 32BC22B906AD965BB53C4B56FB90FF75.37DEE6C137D5D7C53E8C8EC6; exception: Bad credentials
We're thinking that LDAP users are created by an application which encrypts the password before saving it in LDAP.
So, in the case of the CAS connection, our CAS had an extra passwordEncoder class to match the one used for LDAP.
So maybe it comes from here, and we have to try to do the same with Jaspersoft before attempting the connection to LDAP?
By the way, I tried to create a user directly in LDAP with a clear password and it didn't work either, so I'm still wondering what the solution is for this case?
I am having the same issue. Did you end up creating a custom password encoder? How did you find your LDAP's encoding procedures? Thanks in advance.
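The accepted answer switches from BindAuthenticator to PasswordComparisonAuthenticator with a password encoder that reproduces what the user-creation application stored in userPassword, and the last comment asks how to find out which encoding a directory uses. The following is an added example written for this page, not code from the thread, from Jaspersoft or from Spring Security. It shows the two things such an encoder has to do: read the RFC 2307 style {SCHEME} prefix of a stored userPassword value to learn the scheme, and re-hash the candidate password with the stored salt before a constant-time compare. The scheme table, the sample values and the function names are all constructed for the example; a real directory may use schemes (such as {CRYPT}) that this table does not cover, and those are reported as unsupported rather than guessed.

```python
import base64
import hashlib
import hmac
import os

# Constructed example, not code from the forum thread or from Jaspersoft.
# Maps the RFC 2307 style {SCHEME} prefixes commonly found in a userPassword
# attribute to (hashlib algorithm name, salted?). Anything else (e.g. {CRYPT})
# is deliberately reported as unsupported instead of being guessed.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False),
    "SSHA512": ("sha512", True),
}


def detect_scheme(stored):
    """Return the scheme name of a stored userPassword value.

    '{SSHA}...' -> 'SSHA'. A value with no prefix is treated as CLEARTEXT,
    which is what a plain string compare expects.
    """
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"


def encode_password(raw, scheme, salt=None):
    """Produce a userPassword value the way a provisioning application might.

    For salted schemes the salt is appended to the digest before base64, the
    layout slapd and most LDAP clients use for {SSHA}.
    """
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, raw.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored, raw):
    """Compare a candidate password against a stored userPassword value.

    This is the check a PasswordComparisonAuthenticator's encoder has to get
    right: parse the scheme, split digest and salt, re-hash the candidate with
    the same salt, compare in constant time. Unknown schemes return False,
    which surfaces as 'Bad credentials' exactly like a wrong password does.
    """
    scheme = detect_scheme(stored)
    if scheme == "CLEARTEXT":
        if stored.upper().startswith("{CLEARTEXT}"):
            stored = stored[len("{CLEARTEXT}"):]
        return hmac.compare_digest(stored.encode("utf-8"), raw.encode("utf-8"))
    if scheme not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme]
    blob = base64.b64decode(stored[len(scheme) + 2:])
    dlen = hashlib.new(algo).digest_size
    digest = blob[:dlen]
    salt = blob[dlen:] if salted else b""
    candidate = hashlib.new(algo, raw.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def explain(stored):
    """One-line diagnosis of what the verifier side needs for a stored value."""
    scheme = detect_scheme(stored)
    if scheme == "CLEARTEXT":
        return "stored in clear: a plain string compare works"
    if scheme in SCHEMES:
        algo, salted = SCHEMES[scheme]
        return "stored as {%s}: encoder must re-hash with %s%s" % (
            scheme, algo, " and the embedded salt" if salted else "")
    return "stored as {%s}: scheme unknown here, the encoder must implement it" % scheme


if __name__ == "__main__":
    # Constructed sample values, as a provisioning tool might have written them.
    samples = [
        encode_password("test", "SSHA", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
        encode_password("test", "SHA"),
        "{CRYPT}$6$constructed$notarealhash",
        "test",
    ]
    for s in samples:
        print("%-60s ok=%-5s %s" % (s[:60], verify_password(s, "test"), explain(s)))
```

Reading the prefix of a user's userPassword attribute (with an account that is allowed to read it) answers the "how did you find the encoding" question directly; if there is no recognised prefix, the provisioning application is using its own format and the encoder has to reproduce that format exactly, which is what the jar in the accepted answer does.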