[RESOLVED] Jasper 5.1 : LDAP search stops after "Found DN" : [LDAP: error code 49 - Invalid Credentials]

I configure 2 types of LDAP one with CAS is doing well, but the other one without CAS doesn't work .. it stops like this :

 


2013-11-20 15:03:06,987 DEBUG FilterBasedLdapUserSearch,TP-Processor11:109 - Searching for user 'test', with user search [ searchFilter: '(& (cn={0}) (employeeType=*STATS_CONSULT*))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-11-20 15:03:06,987 DEBUG FilterBasedLdapUserSearch,TP-Processor11:109 - Searching for user 'test', with user search [ searchFilter: '(& (cn={0}) (employeeType=*STATS_CONSULT*))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-11-20 15:03:07,025 DEBUG SpringSecurityLdapTemplate,TP-Processor11:197 - Searching for entry in under DN 'ou=personnes,o=ADALIS,dc=inpes,dc=com', base = '', filter = '(& (cn={0}) (employeeType=*STATS_CONSULT*))'
2013-11-20 15:03:07,025 DEBUG SpringSecurityLdapTemplate,TP-Processor11:197 - Searching for entry in under DN 'ou=personnes,o=ADALIS,dc=inpes,dc=com', base = '', filter = '(& (cn={0}) (employeeType=*STATS_CONSULT*))'
2013-11-20 15:03:07,032 DEBUG SpringSecurityLdapTemplate,TP-Processor11:214 - Found DN: cn=test
2013-11-20 15:03:07,032 DEBUG SpringSecurityLdapTemplate,TP-Processor11:214 - Found DN: cn=test

And we don't have any further information on what is wrong.

Any idea ?

 

For example with CAS authentication we've got :

2013-11-20 11:38:34,959 DEBUG SpringSecurityLdapTemplate,TP-Processor9:214 - Found DN: cn=adminStats
2013-11-20 11:38:34,959 DEBUG SpringSecurityLdapTemplate,TP-Processor9:214 - Found DN: cn=adminStats

and after that :


2013-11-20 11:38:34,983 DEBUG DefaultLdapAuthoritiesPopulator,TP-Processor9:176 - Getting authorities for user cn=adminStats,ou=personnes,o=A_A,dc=inpes,dc=com
2013-11-20 11:38:34,983 DEBUG DefaultLdapAuthoritiesPopulator,TP-Processor9:176 - Getting authorities for user cn=adminStats,ou=personnes,o=A_A,dc=inpes,dc=com
etc ...

 

Here is a part of my configuration :

 

<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">

<constructor-arg>

<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">

<constructor-arg><ref local="ldapContextSource"/></constructor-arg>

<property name="userSearch" ref="userSearch"/>

</bean>

</constructor-arg>

<constructor-arg>

<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">

<constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>

<constructor-arg index="1"><value></value></constructor-arg>

<property name="groupRoleAttribute" value="title"/>

<property name="groupSearchFilter" value="(cn={1})"/>

<property name="searchSubtree" value="true"/>

<!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->

</bean>

</constructor-arg>

</bean>

 

<bean id="userSearch"

class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">

<constructor-arg index="0">

<value></value>

</constructor-arg>

<constructor-arg index="1">

<value>(&amp; (cn={0}) (employeeType=*STATS_CONSULT*))</value>

</constructor-arg>

<constructor-arg index="2">

<ref local="ldapContextSource" />

</constructor-arg>

<property name="searchSubtree">

<value>true</value>

</property>

</bean>


 

Boris Gisselere's picture
Joined: Apr 10 2013 - 1:48am
Last seen: 9 months 1 week ago

2 Answers:

 

We did it. So it was what we suspected the other day .. we just took the part of code to encrypt password which was used in Creating users application in LDAP, ans do we made a single jar of it, and implemented it with this code in application context file :

   <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
                <bean class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
                        <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                        <property name="userSearch" ref="userSearch"/>
                        <property name="passwordEncoder" ref="OurPasswordEncoder"/>
                </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value></value></constructor-arg>
                <property name="groupRoleAttribute" value="title"/>
                <property name="groupSearchFilter" value="(cn={1})"/>
                <property name="searchSubtree" value="true"/>
                <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
            </bean>
        </constructor-arg>
    </bean>


    <bean class="our.jasper.auth.encoding.JasperPasswordEncoder" id="OurPasswordEncoder"/>


 

Boris Gisselere's picture
Joined: Apr 10 2013 - 1:48am
Last seen: 9 months 1 week ago

I am having the same issue. Did you end up creating a custom password encoder. How did you find your LDAP's encoding procedures? Thanks in advance

k.mertic - 7 years 11 months ago

Did you set referral to follow in the ldapContextSource like mentioned on the Secure Active Directory/LDAP/LDAPS Authentication for Groups wiki?

d.moonen's picture
105
Joined: Oct 31 2013 - 1:47am
Last seen: 4 years 8 months ago

I didn't had set referral to follow before ... so i tried it .. but still blocked :-(

On the other hand I put more logs in log4j.properties and did have this :

2013-11-21 11:18:23,327 DEBUG SpringSecurityLdapTemplate,TP-Processor10:214 - Found DN: cn=adminStats2
2013-11-21 11:18:23,330 DEBUG BindAuthenticator,TP-Processor10:106 - Attemptimg to bind as cn=adminStats2,ou=personnes,o=ADALIS,dc=inpes,dc=com
2013-11-21 11:18:23,330 DEBUG BindAuthenticator,TP-Processor10:106 - Attemptimg to bind as cn=adminStats2,ou=personnes,o=ADALIS,dc=inpes,dc=com
2013-11-21 11:18:23,333 DEBUG BindAuthenticator,TP-Processor10:142 - Failed to bind as cn=adminStats2: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2013-11-21 11:18:23,333 DEBUG BindAuthenticator,TP-Processor10:142 - Failed to bind as cn=adminStats2: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2013-11-21 11:18:23,334 DEBUG ProviderManager,TP-Processor10:183 - Authentication attempt using com.jaspersoft.jasperserver.multipleTenancy.MTDaoAuthenticationProvider
2013-11-21 11:18:23,334 DEBUG ProviderManager,TP-Processor10:183 - Authentication attempt using com.jaspersoft.jasperserver.multipleTenancy.MTDaoAuthenticationProvider
2013-11-21 11:18:23,373 WARN LoggerListener,TP-Processor10:60 - Authentication event AuthenticationFailureBadCredentialsEvent: adminStats2; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@b364: RemoteIpAddress: 160.92.7.69; SessionId: 32BC22B906AD965BB53C4B56FB90FF75.37DEE6C137D5D7C53E8C8EC6; exception: Bad credentials
2013-11-21 11:18:23,373 WARN LoggerListener,TP-Processor10:60 - Authentication event AuthenticationFailureBadCredentialsEvent: adminStats2; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@b364: RemoteIpAddress: 160.92.7.69; SessionId: 32BC22B906AD965BB53C4B56FB90FF75.37DEE6C137D5D7C53E8C8EC6; exception: Bad credentials

We're thinking that LDAP user are created by an application which encrypt password before saving it in LDAP.
So, in the case of CAS connection, our CAS had a extra class passwordEncoder to match with the one of LDAP.

So maybe it comes from here and we have to try to do the same with Jaspersoft before attempting connection to LDAP ?
By the way, I tried to create an user direct in LDAP with clear password and it didn't work either .. so I'm still wondering what is the solution for this case ?

Boris Gisselere - 8 years 6 months ago
Feedback