LDAP (Active Directory) Issue With Users In Multiple Branches

I am seeing an LDAP issue in JRS 5.5.

LDAP (Active Directory) authentication is configured and working as expected.

However, users are in multiple branches, i.e.:

CN=exampleuser1,OU=Users,DC=mycompany,DC=com

CN=exampleuser2,OU=Staff,DC=mycompany,DC=com

 
If configured as follows, then only exampleuser1 (and other users in ou=Users) can log in:
 
    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value>ou=Users</value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>(sAMAccountName={0})</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>
 
    <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
        <constructor-arg value="ldaps://1.2.3.4:636/dc=mycompany,dc=com"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn" value="CN=manager1,OU=staff,dc=mycompany,dc=com"/>
        <property name="password" value="manager_password"/>
        <property name="referral" value="follow" />
    </bean>
 
 
If the search branch is changed to Staff, then only exampleuser2 (and other users in ou=Staff) can log in:
 
    <constructor-arg index="0">
        <value>ou=Staff</value>
    </constructor-arg>
 
 
If the search branch is left unspecified, then all users can log in, BUT login takes about 60 seconds:
 
    <constructor-arg index="0">
        <value></value>
    </constructor-arg>
 
 
How can I either (1) specify multiple search branches, or (2) eliminate the long delay when leaving the search branch unspecified?

rusty.ross

2 Answers:

Try userDnPatterns in ldapAuthenticationProvider's BindAuthenticator. This might help: http://community.jaspersoft.com/documentation/jasperreports-server-authe...

    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userDnPatterns">
                    <list>
                        <value>CN={0},OU=Users,DC=mycompany,DC=com</value>
                        <value>CN={0},OU=Staff,DC=mycompany,DC=com</value>
                    </list>
                </property>
            </bean>
        </constructor-arg>
        .......
    </bean>

If that is not enough, configure several ldapAuthenticationProviders pointing to different branches.

    <bean id="ldapAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider1"/>
                <ref local="ldapAuthenticationProvider2"/>
                ....
                <ref local="ldapAuthenticationProviderN"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
            </list>
        </property>
    </bean>

Each ldapAuthenticationProvider can point to its own userSearch1...N.

dlitvak
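Added example (written for this page; it is not code from either poster, from Jaspersoft or from Spring Security): a small in-memory Python model of the behaviours discussed in the question and in the answer above. It shows why a userSearch with base `ou=Users` never sees `exampleuser2`, why an empty base with `searchSubtree=true` sees both branches, and how the two remedies from the answer resolve a login name: a list of `userDnPatterns` (no search at all, each pattern filled in and tried in turn) and a chain of providers each with its own search base. The directory entries, the `{0}` substitution and the DN/filter escaping helpers are all constructed here; the filter value is escaped per RFC 4515 before substitution (Spring Security's FilterBasedLdapUserSearch escapes the parameter as well), and the `matches` test shows what an unescaped `*` would otherwise do to the filter.

```python
import re

# Constructed sample directory (not a real export): DN -> attributes, mirroring the two
# branches in the question plus the manager account named in the context source.
ROOT_DN = "DC=mycompany,DC=com"
DIRECTORY = {
    "CN=exampleuser1,OU=Users,DC=mycompany,DC=com": {"sAMAccountName": "exampleuser1"},
    "CN=exampleuser2,OU=Staff,DC=mycompany,DC=com": {"sAMAccountName": "exampleuser2"},
    "CN=manager1,OU=Staff,DC=mycompany,DC=com": {"sAMAccountName": "manager1"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so that a
    login name such as '*' or 'a)(objectClass=*' cannot widen the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: '\\2a' -> '*'."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN (the userDnPatterns case)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_filter(template: str, username: str) -> str:
    """Fill the {0} placeholder of the userSearch filter with the escaped login name."""
    return template.replace("{0}", escape_filter_value(username))


def matches(attrs: dict, ldap_filter: str) -> bool:
    """Evaluate a single equality filter '(attr=value)'. A bare '*' is a presence test
    (matches every entry that has the attribute); anything else is compared literally
    after unescaping, case-insensitively (sAMAccountName is case-insensitive)."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    actual = attrs.get(attr)
    if actual is None:
        return False
    if value == "*":
        return True
    return unescape_filter_value(value).lower() == actual.lower()


def dn_components(dn: str) -> list:
    # A plain split on ',' is enough for the constructed DNs above (no escaped commas).
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, subtree: bool) -> bool:
    """Is entry_dn under base_dn? subtree=False is one-level scope (direct children only)."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth >= 0 if subtree else depth == 1


def user_search(username, search_base, subtree=True, template="(sAMAccountName={0})"):
    """Model of the userSearch bean: search_base is relative to the context-source root
    (an empty string means the whole base path); returns the matching DNs, sorted."""
    base = f"{search_base},{ROOT_DN}" if search_base else ROOT_DN
    ldap_filter = build_filter(template, username)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, subtree) and matches(attrs, ldap_filter))


def resolve_by_dn_patterns(username, patterns):
    """Model of BindAuthenticator.userDnPatterns: no search at all. Each pattern is
    filled in and the first DN that exists is the one the bind is attempted against."""
    for pattern in patterns:
        dn = pattern.replace("{0}", escape_dn_value(username))
        if dn in DIRECTORY:
            return dn
    return None


def resolve_by_search_chain(username, search_bases):
    """Model of several ldapAuthenticationProviders in one ProviderManager, each with
    its own userSearch base: the first base that yields exactly one entry wins."""
    for base in search_bases:
        found = user_search(username, base)
        if len(found) == 1:
            return found[0]
    return None


if __name__ == "__main__":
    print("ou=Users only  :", user_search("exampleuser2", "ou=Users"))
    print("whole base path:", user_search("exampleuser2", ""))
    print("userDnPatterns :", resolve_by_dn_patterns("exampleuser2",
          ["CN={0},OU=Users,DC=mycompany,DC=com", "CN={0},OU=Staff,DC=mycompany,DC=com"]))
    print("provider chain :", resolve_by_search_chain("exampleuser2", ["ou=Users", "ou=Staff"]))
```

The model deliberately does not reproduce the 60-second delay from the question; nothing on this page establishes its cause. One known cause of that symptom in Active Directory, offered here as a hypothesis to check rather than as a diagnosis, is referral chasing: a subtree search rooted at the domain naming context returns referrals to other partitions (for example the DNS zone and Configuration contexts), and a client configured with `referral=follow` that cannot resolve or reach the referred hosts waits for each one to time out before returning. Narrowing the search base to the OUs that hold users, as both remedies above do, avoids those referrals altogether.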

userDnPatterns is not viable because the search needs (and multi-branching of user records) are actually a bit more complex than the example I posted here.

However, I did implement your 2nd suggestion prior to your posting it, and that seems to work fine.

I guess I still wonder why not specifying the branch at all (and simply searching the entire base path) takes such a long time.

If I perform an identical search (of the entire base path) on the CLI using ldapsearch, the result is returned immediately.


rusty.ross