
LDAP (Active Directory) Issue With Users In Multiple Branches


rusty.ross


I am seeing an LDAP issue in JRS 5.5.

LDAP (Active Directory) authentication is configured and working as expected.

However, users are in multiple branches, i.e.:

CN=exampleuser1,OU=Users,DC=mycompany,DC=com

CN=exampleuser2,OU=Staff,DC=mycompany,DC=com

 
If configured as follows, then only exampleuser1 (and other users in ou=Users) can log in:
 
    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value>ou=Users</value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>(sAMAccountName={0})</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>
 
    <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
        <constructor-arg value="ldaps://1.2.3.4:636/dc=mycompany,dc=com"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn" value="CN=manager1,OU=staff,dc=mycompany,dc=com"/>
        <property name="password" value="manager_password"/>
        <property name="referral" value="follow" />
    </bean>
 
 
If the search branch is changed to Staff, then only exampleuser2 (and other users in ou=Staff) can log in:
 
        <constructor-arg index="0">
            <value>ou=Staff</value>
        </constructor-arg>
 
 
If the search branch is left unspecified, then all users can log in, BUT login takes about 60 seconds:
 
        <constructor-arg index="0">
            <value></value>
        </constructor-arg>
 
 
How can I either (1) specify multiple search branches, or (2) eliminate the long delay when leaving the search branch unspecified?
 
 
 
 
 
 
 
 
 

Try userDnPatterns in ldapAuthenticationProvider's BindAuthenticator. This might help: http://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/specifying-userdnpatterns-parameters

    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userDnPatterns">
                    <list>
                        <value>CN={0},OU=Users,DC=mycompany,DC=com</value>
                        <value>CN={0},OU=Staff,DC=mycompany,DC=com</value>
                    </list>
                </property>
            </bean>
        </constructor-arg>
        .......
    </bean>

If that is not enough, configure several ldapAuthenticationProvider's pointing to different branches.

    <bean id="ldapAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider1"/>
                <ref local="ldapAuthenticationProvider2"/>
                ....
                <ref local="ldapAuthenticationProviderN"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
            </list>
        </property>
    </bean>

Each ldapAuthenticationProvider can point to its own userSearch1...N.
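As an added illustration (not JasperReports Server's or Spring Security's own code) of how the login name is substituted by the two mechanisms discussed in this thread: the user search puts it into the `(sAMAccountName={0})` filter, while BindAuthenticator puts it into each `CN={0},OU=...` entry of `userDnPatterns` and attempts a bind with each candidate DN in turn. The two placements need different escaping (RFC 4515 for filter values, RFC 4514 for DN values); the second username below is constructed to exercise it.

```python
# Added illustration of {0} substitution in LDAP filters and DN patterns.
# Not Spring Security's implementation; the escaping rules follow RFC 4515/4514.

FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in DN_SPECIAL
            or (ch == "#" and i == 0)            # leading '#' is special
            or (ch == " " and i in (0, last))    # leading/trailing space
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def build_search_filter(template: str, username: str) -> str:
    """Expand a filter template such as '(sAMAccountName={0})' with an escaped login name."""
    return template.replace("{0}", escape_filter_value(username))


def candidate_dns(patterns: list, username: str) -> list:
    """Expand every userDnPatterns entry into a DN that BindAuthenticator would try."""
    return [p.replace("{0}", escape_dn_value(username)) for p in patterns]


if __name__ == "__main__":
    # Patterns from the reply above; 'smith, j*' is a constructed name with special characters.
    patterns = ["CN={0},OU=Users,DC=mycompany,DC=com", "CN={0},OU=Staff,DC=mycompany,DC=com"]
    for name in ("exampleuser1", "smith, j*"):
        print(build_search_filter("(sAMAccountName={0})", name))
        for dn in candidate_dns(patterns, name):
            print("   bind as:", dn)
```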


userDnPatterns is not viable because the search needs (and multi-branching of user records) are actually a bit more complex than the example I posted here.

However, I did implement your 2nd suggestion prior to your posting it, and that seems to work fine.

I guess I still wonder why not specifying the branch at all (and simply searching the entire base path) takes such a long time.

If I perform an identical search (of the entire base path) on the CLI using ldapsearch, the result is returned immediately.

 
