Announcement Announcement Module
Collapse
No announcement yet.
Spring 3.1: LDAP: "Bad Credentials" That Aren't Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring 3.1: LDAP: "Bad Credentials" That Aren't

    Spring 3.1
    Tomcat 6.*

    I'm working on making a Spring 3.1 webapp, authenticating with LDAP. When I hit submit on my login page, it just hangs and after a very, very long time returns with this error message:

    Reason: ldap-itc.sam.acme.com:636/o=acme.com
    socket closed;
    nested exception is javax.naming.ServiceUnavailableException:
    ldap-itc.sam.acme.com:636/o=acme.com; socket closed



    I was able to connect to my organizations LDAP server by using Softerra's LDAP browser using a real user's password and plugging in the "principal" ( with the username swapped out for "uid={0}" ), which I use in my *-security.xml file:

    uid={0},ou=People,o=acme.com


    I was also able to connect with a JNDI styled Java program I wrote (quoted below ). That program dumped all of the users attributes, including the password, which seems to be encrypted on the LDAP server. Do I need to tell Spring 3.1 this or encrypt the password that is collected on the login screen?

    I noticed that Java program I wrote/copied/adapted specified "ssl" in the context. When I commented that out, the client program also hanged for a long time and returned with the same error message as Spring 3.1. I uncommented that out, changed "ldap://" to "ldaps://" in the client program and that worked fine.

    I tried the same thing in my *-security.xml. I changed "ldap://" to "ldaps://" in the ldap url. This time the webapp did not hang, but returned very quickly with a message of

    "Bad Credentials"

    I tested my username and password out. They are legitimate.

    I also tried typing in the encrypted version of my password, but that didn't make a difference.

    I'm guessing something with SSL and/or password encryption is now my problem.

    Any ideas of things I could check out?

    My *-security.xml and the java LDAP demo I wrote are quoted below

    Thanks.




    My *-security.xml file:


    Code:
        <beans xmlns="http://www.springframework.org/schema/beans"  
          xmlns:s="http://www.springframework.org/schema/security"  
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
          xsi:schemaLocation="http://www.springframework.org/schema/beans  
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  
            http://www.springframework.org/schema/security  
            http://www.springframework.org/schema/security/spring-security-3.1.xsd">  
           
             
          
          <s:http auto-config="true">  
            <s:intercept-url pattern="/welcome*" access="ROLE_USER" />  
            <s:form-login login-page="/login" default-target-url="/welcome"  
              authentication-failure-url="/loginfailed" />  
            <s:logout logout-success-url="/logout" />  
          </s:http>  
           
          
          
          <s:ldap-server url = "ldap://ldap-itc.sam.acme.com:636/o=acme.com"/>  
          
         <s:authentication-manager>
             <s:ldap-authentication-provider user-dn-pattern="uid={0},ou=People,o=noaa.gov" >
                 <s:password-compare hash="md5">
                     <s:password-encoder hash="md5"/>
                 </s:password-compare>
            </s:ldap-authentication-provider>
      </s:authentication-manager>
          
        </beans>
    Here is the JNDI style LDAP Java program that WORKS with the same credentials:

    Code:
    mport javax.naming.*;  
    import javax.naming.directory.*;  
    import java.util.*;  
    import java.sql.*;  
      
    public class LDAPDEMO {  
      
        public static void main(String args[]) {  
      
            String lcf                = "com.sun.jndi.ldap.LdapCtxFactory";  
            String ldapurl            = "ldap://ldap-itc.sam.acme.com:636/o=acme.com";  
            String loginid            = "John.A.Smith";  
            String password           = "passowordforjohn";  
            DirContext ctx            = null;  
            Hashtable env             = new Hashtable();  
            Attributes attr           = null;  
            Attributes resultsAttrs   = null;  
            SearchResult result       = null;  
            NamingEnumeration results = null;  
            int iResults              = 0;  
      
      
            env.put(Context.INITIAL_CONTEXT_FACTORY, lcf);  
            env.put(Context.PROVIDER_URL, ldapurl);  
            env.put(Context.SECURITY_PROTOCOL, "ssl");  
            env.put(Context.SECURITY_AUTHENTICATION, "simple");  
            env.put(Context.SECURITY_PRINCIPAL, "uid=" + loginid + ",ou=People,o=acme.com");  
            env.put(Context.SECURITY_CREDENTIALS, password);  
            try {  
      
                ctx     = new InitialDirContext(env);  
                attr    = new BasicAttributes(true);  
                attr.put(new BasicAttribute("uid",loginid));  
                results = ctx.search("ou=People",attr);  
      
                while (results.hasMore()) {  
                    result       = (SearchResult)results.next();  
                    resultsAttrs = result.getAttributes();  
      
                    for (NamingEnumeration enumAttributes  = resultsAttrs.getAll(); enumAttributes.hasMore();) {  
                        Attribute a = (Attribute)enumAttributes.next();  
                        System.out.println("attribute: " + a.getID() + " : " + a.get().toString());  
      
      
                    }// end for loop  
      
                    iResults++;  
                }// end while loop  
      
                System.out.println("iResults == " + iResults);  
      
            }// end try  
            catch (Exception e) {  
                e.printStackTrace();  
            }  
      
      
      
        }// end function main()  
    }// end class LDAPDEMO

  • #2
    I got it working. The final version of my *-security.xml is quoted below.

    I took the "o=acme.com" out of the DN pattern and the LDAP worked.

    I had originally put the "o=acme.com" in both the LDAP URL and the DN pattern because I am new to Spring 3.1 and LDAP, and that is similar to how it is/was done in the Java JNDI version of the LDAP demo I wrote based on the legacy code I am replacing. That demo program is quoted in the original post above.


    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"  
      xmlns:s="http://www.springframework.org/schema/security"  
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
      xsi:schemaLocation="http://www.springframework.org/schema/beans  
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  
        http://www.springframework.org/schema/security  
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">  
    
    
    
      <s:http auto-config="true" use-expressions="true">  
        **<s:intercept-url pattern="/welcome*" access="isAuthenticated()" />** 
        <s:form-login login-page="/login" default-target-url="/welcome"  
          authentication-failure-url="/loginfailed" />  
        <s:logout logout-success-url="/logout" />  
      </s:http>  
    
    
    
      <s:ldap-server url = "ldap://ldap-itc.sam.acme.com:636/o=acme.com"/>  
    
      <s:authentication-manager>
        <s:ldap-authentication-provider user-dn-pattern="uid={0},ou=People" />
      </s:authentication-manager>
    
    </beans>

    Comment

    Working...
    X