  • Spring Security does not work with AD in WinServ2008

    I am trying to make Spring Security work with ActiveDirectory (in JasperServer WebApp). It won't work. Here is the configuration of my System.

    -I have an Active Directory on Windows Server 2008 with the domain corp.ama-eve.dyndns.org
    -I am able to bind to Active Directory on the machine where my WebApp is. For binding I use LDAP Administrator. The LDAP URL used in LDAP Administrator is ldap://192.168.5.101:389/DC=corp,DC=ama-eve,DC=dyndns,DC=org??one?(objectClass=*)
    -Anonymous browsing of AD is forbidden. For browsing ldap folders I can use different principals like: CN=Administrator,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org ([email protected]) or CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org ([email protected])

    -> The Active Directory seems to work well <-

    Now I try to bind to AD in Spring Security.

    I have added the ldap provider in applicationContext-security.xml:
    Code:
     <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
            <property name="providers">
                <list><ref local="ldapAuthenticationProvider"/>
                    <ref bean="${bean.daoAuthenticationProvider}"/>
                    <ref bean="anonymousAuthenticationProvider"/></list>
            </property>
        </bean>
    I have entered the correct ldap url (Spring Security can connect to the ldap, since it reacts to entering a wrong ldap url):
    Code:
       <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
         <constructor-arg value="ldap://192.168.5.101:389/DC=corp,DC=ama-eve,DC=dyndns,DC=org"/>
         <property name="userDn"><value>CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value></property>
         <property name="password"><value>MyPassword</value></property>
       </bean>
    I use userSearch for finding users:
    Code:
       <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
         <constructor-arg>
           <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
              <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
              <property name="userSearch" ref="userSearch"/>
           </bean>
         </constructor-arg>
    Code:
       <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
         <constructor-arg index="0"><value>CN=Users</value></constructor-arg>
         <constructor-arg index="1"><value>(sAMAccountName={0})</value></constructor-arg>
         <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
         <property name="searchSubtree"><value>true</value></property>
       </bean>
    Symptoms:
    - When I try to connect using credentials from ldap I get this:
    Code:
    2011-05-04 16:07:30,160  WARN LoggerListener,http-8484-5:60 - Authentication event AuthenticationFailureBadCredentialsEvent: Administrator; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: D5043C32241F76C089F3D182546C5239; exception: Bad credentials
    - I've tried to change userDn for ldap bind to [email protected] - nothing happens.

    - Any changes to UserDN and Password in ldapContextSource have no effect. (logging in log4j.properties is set to log4j.logger.org.springframework.security.providers.ldap=ALL, stdout, fileout)

    - Adding userDnPatterns to BindAuthenticator:
    Code:
    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
           <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
           <property name="userDnPatterns">
             <list>
               <value>sAMAccountName={0}, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
               <value>sAMAccountName={0}, OU=Sales,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
               <value>sAMAccountName={0}, OU=accounts,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
             </list>
           </property>
           <property name="userSearch" ref="userSearch"/>
        </bean>
      </constructor-arg>
    ...
    generates the following log output:
    Code:
    2011-05-04 16:07:29,988 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
    2011-05-04 16:07:30,020 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, OU=Sales,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
    2011-05-04 16:07:30,051 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, OU=accounts,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
    - I have tried to change
    Code:
    <value>sAMAccountName={0}, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
    to
    Code:
    <value>sAMAccountName={0}, CN=Users</value>
    no effect.

    -I have tried to change the first constructor argument in FilterBasedLdapUserSearch from
    Code:
    <constructor-arg index="0"><value>CN=Users</value></constructor-arg>
    to
    Code:
    <constructor-arg index="0"><value></value></constructor-arg>
    no effect.

    - Changes in FilterBasedLdapUserSearch do not provide additional log output, so I can't trace them.
    -----------------------------------------------------------------
    It seems that the initial bind for browsing ldap folders does not work. Can somebody please give me a hint which direction I should try?

    With regards,

    Friedirch

  • #2
    Active directory doesn't tend to fit too well with normal LDAP usage patterns.

    You might want to take a look at the ActiveDirectoryLdapAuthenticationProvider which is in 3.1.0.RC2.

    It is pretty-much self-contained, so even if you have to stay on 3.0.5, you could still make use of the code.



    • #3
      Originally posted by Luke Taylor:
      Active directory doesn't tend to fit too well with normal LDAP usage patterns.

      You might want to take a look at the ActiveDirectoryLdapAuthenticationProvider which is in 3.1.0.RC2.

      It is pretty-much self-contained, so even if you have to stay on 3.0.5, you could still make use of the code.
      There is some mapping for roles and organization along with the simple authentication in JasperServer. That does not make it easier. I am wondering because this authentication procedure via AD is officially supported by JasperServer while using the old ldapAuthenticationProvider.



      • #4
        Binding with the samAccountName as part of the DN won't work. You either need to use the full DN as stored in Active Directory, or one of AD's "special" names (like the userPrincipalName - user@domain).

        I don't know anything about Jasper Server. But as with most LDAP issues, you are best to try a simple Java LDAP test case before you try to assemble a Spring Security configuration. Check the FAQ for an example.



        • #5
          Was the problem solved?



          • #6
            Originally posted by Luke Taylor:
            Binding with the samAccountName as part of the DN won't work. You either need to use the full DN as stored in Active Directory, or one of AD's "special" names (like the userPrincipalName - user@domain).

            I don't know anything about Jasper Server. But as with most LDAP issues, you are best to try a simple Java LDAP test case before you try to assemble a Spring Security configuration. Check the FAQ for an example.
            Luke,

            I have a similar problem to Nebula; i.e. cannot authenticate to Jasperserver via AD on Windows 2008 R2.

            I have probably trawled through most of the same Jasperforge Forum pages and tried all the same approaches to configuring the ldapContextSource, userSearch, BindAuthenticator and AuthoritiesPopulator beans without success.

            Almost irrespective of how I configure, the log messages are the same:

            Code:
            2012-04-29 07:21:13,457 DEBUG BindAuthenticator,http-8080-1:106 - Attemptimg to bind as uid=username,dc=domain,dc=co,dc=uk
            2012-04-29 07:21:13,457 DEBUG BindAuthenticator,http-8080-1:106 - Attemptimg to bind as uid=username,dc=domain,dc=co,dc=uk
            2012-04-29 07:21:13,648  WARN LoggerListener,http-8080-1:60 - Authentication event AuthenticationFailureBadCredentialsEvent: username; details: [email protected]: RemoteIpAddress: 192.168.4.188; SessionId: 0E34083AF0B7D326725CEAAC0D9EB9E6; exception: Bad credentials
            I have considered your advice to Nebula about AD's special names but don't see how this could be achieved. Could you expand a little, please?


            As far as Spring code versions go, because Jasperserver ships with Spring libraries, we would want to remain with the shipped versions, unless it can be proven that a feature will not work.

            The Spring libraries released with Jasperserver 4.5 are:
            spring-2.4.6.SEC03
            spring-binding-2.07.RELEASE
            spring-context-support-2.5.6.SEC03
            spring-js-2.07.RELEASE
            spring-ldap-core-1.3.0.RELEASE
            spring-ldap-core-tiger-1.3.0.RELEASE
            spring-orm-2.5.6.SEC03
            spring-security-cas-client-2.07.RELEASE
            spring-security-core-2.0.7.RELEASE
            spring-security-taglibs-2.0.7.RELEASE
            spring-web-2.5.6.SEC03
            spring-webflow-2.0.7.RELEASE
            spring-webmvc-2.5.6.SEC03

            Code:
               <!-- ======================== AUTHENTICATION ======================= -->
                <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
                    <property name="providers">
            		<list>
                            <ref local="ldapAuthenticationProvider"/> 
                            <ref bean="${bean.daoAuthenticationProvider}"/>
                            <ref bean="anonymousAuthenticationProvider"/>
                            <!--ref local="jaasAuthenticationProvider"/-->
                        </list>
                    </property>
                </bean>
                 
               <!--  ***************************** LDAP authentication START **************************************** -->
               
               <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            		<constructor-arg value="ldap://ADSERVER:389/DC=domain, DC=co, DC=uk"/>     
                 		<property name="userDn">
            			<value>CN=LDAPQueryUser,OU=XXXXX,OU=YYYYY,OU=ZZZZZ,DC=domain,DC=co,DC=uk</value>
            		</property>
                 		<property name="password">
            			<value>s3cr3t#</value>
            		</property>
            	</bean>
               
            	<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            		<constructor-arg index="0"> 
            			<value>OU=YYYYY</value>
            		</constructor-arg>
            		<constructor-arg index="1">
            			<value>(sAMAccountName={0})</value>
            		</constructor-arg>
            		<constructor-arg index="2">
            			<ref local="ldapContextSource" />
            		</constructor-arg>            
            		<property name="searchSubtree">
            			<value>true</value>
            		</property>            
            	</bean>            
               
            	<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
            		<constructor-arg>
            			<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            				<constructor-arg>
            					<ref local="ldapContextSource"/>
            				</constructor-arg>
            				<property name="userDnPatterns">
            					<list>
            						<value>(sAMAccountName={0})</value>
            					</list>
            				</property>
            				<property name="userSearch" ref="userSearch"/> 
            			</bean>
            		</constructor-arg>
            		<constructor-arg>
            			<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            				<constructor-arg index="0">
            					<ref local="ldapContextSource"/>
            				</constructor-arg>
            				<constructor-arg index="1">
            					<value>OU=Groups</value>
            				</constructor-arg>
            				<property name="groupRoleAttribute">
            					<value>CN</value>
            				</property>
            				<property name="groupSearchFilter">
            					<value>(member={0}(CN=*)</value>
            				</property>
            				<property name="searchSubtree">
            					<value>true</value>
            				</property> 
            				<property name="defaultRole">
            					<value>ROLE_USER</value>
            				</property> 
            			</bean>
            		</constructor-arg>
            	</bean>
            
               <!--  ***************************** LDAP authentication END **************************************** -->



            • #7
              After fighting with this for 3 days I figured I'd post my solution. I had my config authenticating against 2 other brands of LDAP servers for testing purposes but couldn't get it to authenticate to AD.

              Apparently, the problem is in the ldapContextSource bean. It needs to have an additional property (referral) with value "follow" added to it. Example:

              Code:
              <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
              <constructor-arg value="ldap://ldapserveraddress:389/DC=MyDomain,DC=com"/>
              <property name="userDn"><value>CN=Admin User,OU=Users,DC=MyDomain,DC=com</value></property>
              <property name="password"><value>password</value></property>
              <property name="referral" value="follow" />
              </bean>
              If you're starting with the basic LDAP example make sure you change uid to sAMAccountName but other than that you should be good.

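An added example, not code from this thread, JasperServer or Spring Security: the stand-alone Java (JNDI) bind test Luke recommends in #4, binding with a full AD DN and with a userPrincipalName, setting the referral to "follow" as post #7 does, and translating the "data 525" sub-code from the #1 log into its meaning. The server URL, domain and service account are the first post's; the password and the UPN are placeholders constructed from those values.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

public class AdBindTest {
    // Translates the "data NNN" sub-code AD appends to LDAP error 49 (as in the #1 log).
    static String explain(String message) {
        int i = message == null ? -1 : message.indexOf("data ");
        if (i < 0) return "error 49 without an AD sub-code";
        String code = message.substring(i + 5, Math.min(i + 8, message.length()));
        switch (code) {
            case "525": return "525: user not found (the bind name is not an existing DN or UPN)";
            case "52e": return "52e: invalid credentials (user exists, password wrong)";
            case "533": return "533: account disabled";
            case "775": return "775: account locked out";
            default:    return code + ": other AD sub-code";
        }
    }

    // Simple bind as the given principal: a full AD DN or a userPrincipalName (user@domain).
    static boolean bind(String url, String principal, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow"); // the referral setting post #7 adds to ldapContextSource
        try {
            new InitialDirContext(env).close(); // bind succeeded
            return true;
        } catch (AuthenticationException e) {
            System.out.println("bind FAILED as " + principal + " -> " + explain(e.getMessage()));
            return false;
        } catch (NamingException e) {
            System.out.println("LDAP error for " + principal + ": " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        String url = "ldap://192.168.5.101:389/";
        String pw = "MyPassword"; // placeholder, not a real credential
        bind(url, "CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org", pw); // full DN
        bind(url, "service_acc@corp.ama-eve.dyndns.org", pw);                         // UPN (constructed)
        bind(url, "sAMAccountName=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org", pw); // expect 525
    }
}
```

AD treats a simple bind with an empty password as an anonymous bind, so a test that "succeeds" with an empty password proves nothing about the credentials.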