rusty.ross Posted November 26, 2013

I am seeing an LDAP issue in JRS 5.5. LDAP (Active Directory) authentication is configured and working as expected. However, users are in multiple branches, i.e.:

CN=exampleuser1,OU=Users,DC=mycompany,DC=com
CN=exampleuser2,OU=Staff,DC=mycompany,DC=com

If configured as follows, then only exampleuser1 (and other users in ou=Users) can log in:

[code]
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value>ou=Users</value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="ldapContextSource" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>

<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
    <constructor-arg value="ldaps://1.2.3.4:636/dc=mycompany,dc=com"/>
    <!-- manager user name and password (may not be needed) -->
    <property name="userDn" value="CN=manager1,OU=staff,dc=mycompany,dc=com"/>
    <property name="password" value="manager_password"/>
    <property name="referral" value="follow" />
</bean>
[/code]

If the search branch is changed to Staff, then only exampleuser2 (and other users in ou=Staff) can log in:

[code]
<constructor-arg index="0">
    <value>ou=Staff</value>
</constructor-arg>
[/code]

If the search branch is left unspecified, then all users can log in, BUT login takes about 60 seconds:

[code]
<constructor-arg index="0">
    <value></value>
</constructor-arg>
[/code]

How can I either (1) specify multiple search branches, or (2) eliminate the long delay when leaving the search branch unspecified?
dlitvak Posted November 26, 2013

Try userDnPatterns in ldapAuthenticationProvider's BindAuthenticator. This might help: http://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/specifying-userdnpatterns-parameters

[code]
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userDnPatterns">
                <list>
                    <value>CN={0},OU=Users,DC=mycompany,DC=com</value>
                    <value>CN={0},OU=Staff,DC=mycompany,DC=com</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    .......
</bean>
[/code]

If that is not enough, configure several ldapAuthenticationProviders pointing to different branches.

[code]
<bean id="ldapAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider1"/>
            <ref local="ldapAuthenticationProvider2"/>
            ....
            <ref local="ldapAuthenticationProviderN"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
        </list>
    </property>
</bean>
[/code]

Each ldapAuthenticationProvider can point to its own userSearch1...N.
rusty.ross Posted November 26, 2013 (Author)

userDnPatterns is not viable because the search needs (and multi-branching of user records) are actually a bit more complex than the example I posted here. However, I did implement your 2nd suggestion prior to your posting it, and that seems to work fine. I guess I still wonder why not specifying the branch at all (and simply searching the entire base path) takes such a long time. If I perform an identical search (of the entire base path) on the CLI using ldapsearch, the result is returned immediately.
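The following is an added, self-contained Python model of the two lookup styles discussed in this thread; it is not code from the thread, from JasperReports Server or from Spring Security. It shows how a per-branch FilterBasedLdapUserSearch (relative base joined to the context root, `{0}` substituted into `(sAMAccountName={0})`) finds a user only inside its own branch, how searching several branches in turn (one provider per branch) finds users from both OUs, and how BindAuthenticator's userDnPatterns expand into candidate bind DNs. It also carries the point a practitioner wants from any `{0}` substitution: the user-supplied name is escaped per RFC 4515 (filter) and RFC 4514 (DN) so that a login name containing filter metacharacters cannot widen the search. The in-memory directory, the `search` function and the names `find_user_dn`, `expand_dn_patterns` and `full_search_base` are constructed for this example and are not Spring APIs. One caveat on the 60-second delay when the base is the domain root: with `referral` set to `follow`, a subtree search from the root of an AD domain also returns referrals for application partitions such as DomainDnsZones and ForestDnsZones, and chasing them can stall on DNS or connection timeouts; comparing timings with `referral` set to `ignore`, or with a base one OU below the root, is a quick way to confirm whether that is the cause.

```python
"""Model of Spring Security style LDAP user lookup across several AD branches.

Added example, not part of the original thread; the directory contents are
constructed sample data and the lookup helpers are hypothetical names.
"""
import re

# --- Escaping applied to the {0} placeholder (RFC 4515 for filters, RFC 4514 for DNs) ---

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside a search filter so it cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value placed inside a DN (userDnPatterns style)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_user_filter(template: str, username: str) -> str:
    """FilterBasedLdapUserSearch style: substitute {0} in e.g. '(sAMAccountName={0})'."""
    return template.replace("{0}", escape_filter_value(username))


def expand_dn_patterns(patterns, username: str):
    """BindAuthenticator userDnPatterns style: one candidate bind DN per pattern."""
    return [p.replace("{0}", escape_dn_value(username)) for p in patterns]


def full_search_base(context_root: str, relative_base: str) -> str:
    """Join the bean's relative search base ('ou=Users' or '') to the context root."""
    return f"{relative_base},{context_root}" if relative_base else context_root


# --- A tiny in-memory directory standing in for AD (constructed sample data) ---

DIRECTORY = {
    "CN=exampleuser1,OU=Users,DC=mycompany,DC=com": {"sAMAccountName": "exampleuser1"},
    "CN=exampleuser2,OU=Staff,DC=mycompany,DC=com": {"sAMAccountName": "exampleuser2"},
}

_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$")


def _in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base itself or lies below it (case-insensitive)."""
    d, b = dn.lower(), base_dn.lower()
    return d == b or d.endswith("," + b)


def _unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, base_dn: str, ldap_filter: str):
    """Subtree search supporting only a simple equality filter (enough for the demo)."""
    m = _EQ_FILTER.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m["attr"].lower(), _unescape_filter_value(m["value"]).lower()
    hits = []
    for dn, attrs in directory.items():
        if not _in_subtree(dn, base_dn):
            continue
        values = {k.lower(): v.lower() for k, v in attrs.items()}
        if values.get(attr) == wanted:
            hits.append(dn)
    return hits


def find_user_dn(directory, context_root, branches, username,
                 template="(sAMAccountName={0})"):
    """Search each configured branch in turn (one provider per branch in a
    ProviderManager); return the first matching DN, or None if no branch has it."""
    ldap_filter = build_user_filter(template, username)
    for branch in branches:
        hits = search(directory, full_search_base(context_root, branch), ldap_filter)
        if hits:
            return hits[0]
    return None


if __name__ == "__main__":
    root = "dc=mycompany,dc=com"
    print("ou=Users only  :", find_user_dn(DIRECTORY, root, ["ou=Users"], "exampleuser2"))
    print("Users then Staff:", find_user_dn(DIRECTORY, root, ["ou=Users", "ou=Staff"], "exampleuser2"))
    print("root base       :", find_user_dn(DIRECTORY, root, [""], "exampleuser1"))
    print("escaped filter  :", build_user_filter("(sAMAccountName={0})", "*)(objectClass=*"))
    print("bind DNs        :", expand_dn_patterns(
        ["CN={0},OU=Users,DC=mycompany,DC=com", "CN={0},OU=Staff,DC=mycompany,DC=com"], "exampleuser2"))
```

Run stand-alone it prints the single-branch miss, the two-branch hit, the root-base hit, the escaped filter for a metacharacter-laden name, and the two candidate bind DNs. The order of branches in `find_user_dn` matters in the same way the provider order matters in a ProviderManager: the first branch that yields a match wins.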