Spring Active Directory LDAP Error 32 - No Object Found
  • #1

    I am trying to authenticate a user against AD LDS\ADAM using the Spring framework and Spring Security 3.0. I keep getting the following error, and hopefully someone here can explain where the problem lies.

    Code:
    [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'
    Can anyone explain what the "best match of" and "remaining name" bits mean? This is really confusing me. Is this type of search case sensitive? And would problems like time differences between the server and client make a difference?

    From what I have read online, error code 32 means that the object can't be found - very helpful, I'm sure you'll agree. Here is the configuration information which I am using:

    Code:
    <authentication-manager alias="ldapAuthenicationManager">   
        <ldap-authentication-provider
            user-search-base="cn=Users,dc=Domain,dc=local" 
            user-search-filter="(uid={0})" 
            role-prefix="Users"
        />
    </authentication-manager>
    
    <ldap-server url="ldap://server:50006/" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password" />
    Changing this config slightly like this has no effect either:

    Code:
    <authentication-manager alias="ldapAuthenicationManager">
        <ldap-authentication-provider
            user-search-base="cn=Users"
            user-search-filter="(uid={0})"
        >
        </ldap-authentication-provider>
    </authentication-manager>

    <ldap-server url="ldap://server:50006/dc=Domain,dc=local" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password" />

    I am searching by uid (no sAMAccountName in LDS), and when I search by the same criteria using ldp.exe on the server I can find the user correctly, e.g.:

    Code:
    ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList,  0, &msg)
    ***Searching...
    ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList,  0, &msg)
    Getting 1 entries:
    Dn: CN=Mo Logan,CN=Users,DC=Domain,DC=local
    badPasswordTime: 9/20/2011 1:19:51 PM GMT Standard Time; 
    badPwdCount: 0; 
    cn: Mo Logan; 
    distinguishedName: CN=Mo Logan,CN=Users,DC=Domain,DC=local; 
    dSCorePropagationData: 0x0 = (  ); 
    instanceType: 0x4 = ( WRITE ); 
    lastLogonTimestamp: 9/20/2011 9:10:32 AM GMT Standard Time; 
    lockoutTime: 0; 
    memberOf (2): CN=DMSUsers,CN=Users,DC=Domain,DC=local; CN=Users,CN=Roles,CN=Users,DC=Domain,DC=local; 
    msDS-UserAccountDisabled: FALSE; 
    name: Mo Logan; 
    objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={BD500A33-CE7C-492F-9007-BF1B17F972EE}; 
    objectClass (4): top; person; organizationalPerson; user; 
    objectGUID: 40f74ed4-6cf3-495e-a28c-6aa080a0333b; 
    objectSid: S-1-514506224-2209559093-2723712157-1234827279-3369888698-2052446679; 
    pwdLastSet: 9/20/2011 8:19:06 AM GMT Standard Time; 
    uid: mologan; 
    uSNChanged: 13994; 
    uSNCreated: 13985; 
    whenChanged: 9/20/2011 9:10:32 AM GMT Standard Time; 
    whenCreated: 9/20/2011 8:16:54 AM GMT Standard Time;
    I am binding to AD LDS as an administrator account which belongs to the reader group under roles. This user sits at the same level as the username I am trying to verify.

    As you can probably tell, I am flat out of ideas as to why I am getting this error, and hopefully someone will be able to help me out or point me in the right direction.

    Cheers & thanks in advance
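On the "best match of" / "remaining name" question asked above: "best match of" is the matchedDN field of the LDAP result, the longest prefix of the requested name that the server did resolve, and "remaining name" is what JNDI reports through NamingException.getRemainingName(), the part it did not resolve (in the DEBUG output later in this thread it is relative to the base DN given in the server URL). DN comparison for cn and dc values is case-insensitive, so case is not the cause. The decoder below is an added example, not code from the thread or from Spring Security: it parses the exception text quoted in the post, works out which RDNs went unresolved beneath the matched DN, and decodes AD's "data" sub-codes for result code 49, which is also mentioned later in the thread. The error-49 sample string is constructed to follow AD's usual message layout; its DSID value is illustrative. One caveat worth keeping in mind when reading a 32: AD and AD LDS also return noSuchObject for an entry the bound identity is not permitted to read, and that is indistinguishable from the entry being absent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: the JNDI exception text quoted in post #1, copied verbatim.
SAMPLE_32 = (
    "[LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), "
    "data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; nested exception is "
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'CN=Users,DC=Domain,DC=local' ]; remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'"
)
# Constructed sample of the error 49 shape the thread also mentions. The layout is AD's
# usual one; the DSID value is illustrative, not captured from this server.
SAMPLE_49 = (
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1 ]; remaining name ''"
)

# AD's well-known 'data' sub-codes for result code 49 (invalidCredentials).
AD_49_DATA = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

_HEAD = re.compile(r"\[LDAP: error code (\d+) - ([0-9A-Fa-f]+): (\w+): DSID-([0-9A-Fa-f]+),(.*?)\]")


@dataclass
class LdapError:
    result_code: int
    ad_error: str                   # AD extended error, e.g. 0000208D (ERROR_DS_NO_SUCH_OBJECT)
    dsid: str
    data: str                       # AD sub-code; meaningful mainly for result code 49
    matched_dn: Optional[str]       # LDAP matchedDN, which JNDI prints as "best match of"
    remaining_name: Optional[str]   # the part of the name JNDI could not resolve


def parse_jndi_ldap_error(msg: str) -> LdapError:
    """Pull the server-supplied fields out of a JNDI NamingException message."""
    m = _HEAD.search(msg)
    if not m:
        raise ValueError("not a JNDI LDAP error message")
    tail = m.group(5)
    data = re.search(r"data (\w+)", tail)
    best = re.search(r"best match of: '([^']*)'", tail)
    remaining = re.findall(r"remaining name '([^']*)'", msg)
    return LdapError(
        result_code=int(m.group(1)), ad_error=m.group(2), dsid=m.group(4),
        data=data.group(1) if data else "",
        matched_dn=best.group(1) if best else None,
        remaining_name=remaining[-1] if remaining else None,
    )


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; an escaped comma inside a value is kept."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def unresolved_rdns(remaining_name: str, matched_dn: str, base_dn: str = "") -> List[str]:
    """RDNs of the requested name that the server did not find beneath matchedDN.

    Comparison is case-insensitive (cn and dc use caseIgnoreMatch), so 'cn=Users' and
    'CN=Users' are the same RDN. remaining_name may be relative to base_dn, as in Spring's
    debug log, or absolute, as in the top-level exception message.
    """
    full = split_rdns(remaining_name)
    base = split_rdns(base_dn)
    if base and [r.lower() for r in full[-len(base):]] != [r.lower() for r in base]:
        full = full + base                      # make a relative name absolute
    matched = [r.lower() for r in split_rdns(matched_dn)]
    if matched and [r.lower() for r in full[-len(matched):]] == matched:
        return full[:-len(matched)]             # everything above the matched prefix
    return full


def explain(err: LdapError, base_dn: str = "") -> str:
    """One-line reading of the error for a triage note."""
    if err.result_code == 32:
        missing = unresolved_rdns(err.remaining_name or "", err.matched_dn or "", base_dn)
        return (f"noSuchObject: server resolved '{err.matched_dn}' but found no "
                f"{','.join(missing)} under it for the bound identity (either the entry is "
                f"absent there, or the bound account lacks permission to see it)")
    if err.result_code == 49:
        return f"invalidCredentials: {AD_49_DATA.get(err.data.lower(), 'unknown sub-code ' + err.data)}"
    return f"LDAP result code {err.result_code}, AD error {err.ad_error}"


if __name__ == "__main__":
    for sample in (SAMPLE_32, SAMPLE_49):
        e = parse_jndi_ldap_error(sample)
        print(e.result_code, e.matched_dn, repr(e.remaining_name))
        print("  ", explain(e, base_dn="dc=Domain,dc=local"))
```

For the quoted message the unresolved part is the single RDN `cn=Mo Logan`: the server found `CN=Users,DC=Domain,DC=local` but reported nothing named `cn=Mo Logan` beneath it as far as the bound identity could see.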

  • #2
    Trying to shed more light on the problem:

    If I use the following code I am able to connect to AD, search for the user and retrieve details such as groups:

    import java.util.ArrayList;
    import java.util.Hashtable;
    import java.util.List;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    // Bind to AD LDS as the admin account (same DN as manager-dn in the Spring config).
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "CN=Admin,CN=Users,DC=Domain,DC=local");
    env.put(Context.SECURITY_CREDENTIALS, "Password");
    env.put(Context.PROVIDER_URL, "ldap://server:50006");

    LdapContext ctx = new InitialLdapContext(env, null);
    System.out.println("Connection Successful.");
    try {
        // Ask only for the attributes we need and search the whole subtree under the base.
        SearchControls searchCtls = new SearchControls();
        String[] returnedAtts = {"distinguishedName", "memberOf"};
        searchCtls.setReturningAttributes(returnedAtts);
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        // Match the user by uid and require membership of MyGroup in the same filter.
        String searchFilter = "(&(uid=mologan)(memberof=CN=MyGroup,CN=Users,DC=Domain,DC=local))";
        String searchBase = "CN=Users,DC=Domain,DC=local";

        NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
        if (answer.hasMore()) {
            SearchResult result = answer.next();
            System.out.println("Name in namespace: " + result.getNameInNamespace());
            System.out.println("Name: " + result.getName());
            Attribute memberOf = result.getAttributes().get("memberOf");
            System.out.println("Groups: " + memberOf);

            // Collect the group DNs into a list.
            List<String> groups = new ArrayList<>();
            if (memberOf != null) {
                for (NamingEnumeration<?> e = memberOf.getAll(); e.hasMore();) {
                    groups.add((String) e.next());
                }
            }
        } else {
            System.out.println("No entry matched " + searchFilter);
        }
    } finally {
        ctx.close();
    }

    Hopefully this will help shed more light on the issue. I don't see what is different between this and what Spring is trying to do - any ideas what I am missing?



    • #3
      Hi Mo

      If possible, could you post the DEBUG output of your Spring login attempt?

      I remember getting that error but I can't quite remember what I did to solve it. I think this was more AD strangeness.

      Also what is the full version of Spring security you are using ? 3.0.7 ?



      • #4
        Mo

        I think we might have the same problem .

        My AD LDS server is a 2008 R2 and not a 2003 (which returns vastly different results, FYI).

        I put a breakpoint in SpringSecurityLdapTemplate.searchForSingleValues at line 173 (search(base, formattedFilter, ctls, roleMapper)).

        I get my crash here every time.

        At this point I "think" the problem is that the criteria for a successful search and the criteria required to retrieve the attributes (memberOf for groups) are not the same.

        Troubleshooting this, I have also seen LDAP error 49 (bad credentials) and "Unprocessed Continuation Reference; remaining name ''" errors as I mess with the values possible on my ldap-user-service.

        For the record, using ldp.exe the following criteria are required for a successful attributes retrieval:

        BaseDN: CN=Users,DC=my,DC=serv,DC=local
        Filter: (cn=test_user)
        Scope: subtree
        Attributes: memberOf

        I will check more and let you know what I find, but if your code throws the exception at the same point then it's the same problem (or the inverse: the problem lies in the search).



        • #5
          Hi Stimpy,

          Here is the DEBUG log - hopefully it will help with this:

          DEBUG o.s.s.web.FilterChainProxy - /j_spring_security_check at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
          DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
          DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession:
          Session Object Internals:
          id : rmOHU38p6q6itI9AR1whiHy
          hashCode : 1816161344
          create time : Fri Sep 23 16:30:27 BST 2011
          last access : Fri Sep 23 16:45:16 BST 2011
          max inactive interval : 1800
          user name : anonymous
          valid session : true
          new session : false
          overflowed : false
          app name : default_host/applicationname
          non-serializable app specific session data : null
          serializable app specific session data : {SPRING_SECURITY_LAST_USERNAME=mologan, SPRING_SECURITY_LAST_EXCEPTION=org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=Users,DC=Domain,DC=local'
          ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=Users,DC=Domain,DC=local'
          ]; remaining name 'cn=Mo Logan,cn=Users'}
          . A new one will be created.
          DEBUG o.s.s.web.FilterChainProxy - /j_spring_security_check at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
          DEBUG o.s.s.web.FilterChainProxy - /j_spring_security_check at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
          DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
          DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
          DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: mologan
          DEBUG o.s.s.l.s.FilterBasedLdapUserSearch - Searching for user 'mologan', with user search [ searchFilter: '(uid={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
          DEBUG o.s.s.l.SpringSecurityLdapTemplate - Searching for entry in under DN 'dc=Domain,dc=local', base = 'cn=Users', filter = '(uid={0})'
          DEBUG o.s.s.l.SpringSecurityLdapTemplate - Found DN: cn=Mo Logan,cn=Users
          DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=Mo Logan,cn=Users,dc=Domain,dc=local
          DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=Mo Logan,cn=Users,dc=Domain,dc=local
          DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=Users,DC=Domain,DC=local'
          ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
          'CN=Users,DC=Domain,DC=local'
          ]; remaining name 'cn=Mo Logan,cn=Users'

          Hopefully that helps somewhat,



          • #6
            Hi Stimpy,

            Hopefully that debug log makes sense.

            To Answer your other questions:

            I am using Spring Security 3.0.4 at the moment.

            When I debug the code the error seems to happen at line 1260 of DirContextAdapter:

            Code:
            	/*
            	 * (non-Javadoc)
            	 * 
            	 * @see org.springframework.ldap.support.DirContextOperations#getDn()
            	 */
            	public Name getDn() {
            		return new DistinguishedName(dn);
            	}
            	
            	/**
            	 * Construct a new <code>DistinguishedName</code> from the supplied
            	 * {@link Name}. The parts of the supplied {@link Name} must be
            	 * syntactically correct {@link LdapRdn}s.
            	 * 
            	 * @param name the {@link Name} to construct a new
            	 * <code>DistinguishedName</code> from.
            	 */
            	public DistinguishedName(Name name) {
            		Assert.notNull(name, "name cannot be null");
            		if (name instanceof CompositeName) {
            			parse(LdapUtils.convertCompositeNameToString((CompositeName) name));
            			return;
            		}
            		names = new LinkedList();
            		for (int i = 0; i < name.size(); i++) {
            			names.add(new LdapRdn(name.get(i)));
            		}
            	}
            So I am guessing that it is to do with the format of the info being retrieved by the query. I'll need to find out more about LdapRdn values.

            Hope that is of use



            • #7
              Hi mo


              I would suggest that you upgrade to 3.0.7 just to rule out any issues.

              The way I read your debug log is that the string used to bind for authentication is not a match.

              I am not at my workstation right now, but I will post my setup on Monday.



              • #8
                Hi, I'll try to upgrade to 3.0.7 and let you know how I get on.

                The thing is, when I try to bind using ldp.exe with the same username I am able to bind without problems.

                Do you know of a way to log AD activity on the server? I have tried two tools without seeing anything useful. Do you know whether LDS logs anything?



                • #9
                  Stimpy, you started me thinking and I took a quick look at the security event log on the server I am using:

                  The domain controller attempted to validate the credentials for an account.

                  Event Id: 4776
                  Task Category: Credential Validation
                  Keywords: Audit Success

                  Authentication Package: ADAM_LDSTestInstance
                  Logon Account: CN=Mo Logan,CN=Users,DC=Domain,DC=local
                  Source Workstation: My Ip Number:55072
                  Error Code: 0x0

                  From this I guess the validation is working correctly - this is so confusing!!



                  • #10
                    Mo

                    I agree that configuring Spring Security to work with AD LDS is troublesome.

                    In part this seems to be due to the fact that getting successful results from the search, bind and authorities steps seems to require very different configuration of base, dn/cn etc.

                    Take a look at the docs here http://static.springsource.org/sprin...namespace.html in the section under LDAP namespace options.

                    I think what you need to do is configure an LDAP provider element and ref that.

                    I had to tweak all the elements (group-search-filter, group-search-base, group-role-attribute, etc.) to get it to work.



                    • #11
                      Hurrah!! Problem solved!

                      Well, at least I think so!!

                      This is the configuration I am using:


                      Code:
                      <authentication-manager alias="ldapAuthenicationManager">
                          <ldap-authentication-provider
                              user-search-filter="(uid={0})"
                              group-search-filter="(member=userGroup)"
                          >
                          </ldap-authentication-provider>
                      </authentication-manager>

                      <ldap-server url="ldap://server:50006/$CN=Users,CN=Domain,CN=local" manager-dn="Cn=Admin,CN=Domain,CN=local" manager-password="Pssword101" />
                      I had to create a user in LDS called admin and allocate it to the reader role in LDS (if you don't have this, import it from the ldf files provided for LDS).
                      After this I created a user and then a group, and I added my user to the group I created.

                      At this point I was getting LDAP error 32. After a serious amount of debugging through the Spring Security code and looking at the event logs of the server, I guessed that the problem was with how AD LDS was set up. After a lot of fiddling and guesswork I stumbled upon the problem.

                      To resolve this I ended up having to add the user I wanted to log in with (not the manager-dn) to the reader group also, to allow a successful bind. Doing that resolved the problem for me.

                      Hopefully this is of use?

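Reading the resolution above together with the DEBUG log in #5 and the 4776 audit-success event in #9: Spring Security's LdapAuthenticationProvider first searches for the user as manager-dn (the log's "Found DN" line), then BindAuthenticator binds as the user ("Attempting to bind as") and reads the user's own entry with that bound context. A NameNotFoundException whose remaining name is the very DN it just bound as therefore comes from that read, not from the bind, which fits both the server logging a successful credential validation and the fix of adding the logging-in user to the Readers role. The script below is an added example, not from the thread or from Spring: it runs that stage-by-stage triage over log lines copied from post #5 (embedded as constructed sample input) and names the failing stage. The stage names and the wording of the diagnoses are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the Spring LDAP lines from the DEBUG log in post #5
# (user search -> bind -> failure). A real log carries more lines around these.
SAMPLE_LOG: List[str] = """
DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: mologan
DEBUG o.s.s.l.s.FilterBasedLdapUserSearch - Searching for user 'mologan', with user search [ searchFilter: '(uid={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
DEBUG o.s.s.l.SpringSecurityLdapTemplate - Searching for entry in under DN 'dc=Domain,dc=local', base = 'cn=Users', filter = '(uid={0})'
DEBUG o.s.s.l.SpringSecurityLdapTemplate - Found DN: cn=Mo Logan,cn=Users
DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=Mo Logan,cn=Users,dc=Domain,dc=local
DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=Mo Logan,cn=Users,dc=Domain,dc=local
DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; remaining name 'cn=Mo Logan,cn=Users'
""".strip().splitlines()

# What each pipeline stage leaves behind in the log.
_PATTERNS = {
    "user": r"Processing authentication request for user: (\S+)",
    "base": r"Searching for entry in under DN '([^']*)'",   # base DN from the <ldap-server url>
    "found_dn": r"Found DN: (.+)$",                           # user search (as manager-dn) succeeded
    "bind_dn": r"Attempting to bind as (.+)$",                # bind as the user, with the base prepended
    "error_code": r"Authentication request failed: .*?error code (\d+)",
}


def _norm(dn: str) -> str:
    """Lower-case and trim each RDN: cn/dc values compare case-insensitively in AD/AD LDS."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def extract_steps(lines: List[str]) -> Dict[str, Optional[str]]:
    """Pick the LdapAuthenticationProvider pipeline steps out of Spring DEBUG output."""
    steps: Dict[str, Optional[str]] = {k: None for k in _PATTERNS}
    steps["remaining"] = None
    for line in lines:
        for key, pat in _PATTERNS.items():
            m = re.search(pat, line)
            if m:
                steps[key] = m.group(1).strip()
        rem = re.findall(r"remaining name '([^']*)'", line)
        if rem:
            steps["remaining"] = rem[-1]   # JNDI reports it relative to the context's base DN
    return steps


def diagnose(steps: Dict[str, Optional[str]]) -> str:
    """Name the pipeline stage at which authentication failed."""
    code = steps["error_code"]
    if code is None:
        return "no failure recorded"
    if steps["found_dn"] is None:
        return ("stage=search: the user search (run as manager-dn) failed; "
                "check manager-dn rights, user-search-base and the filter")
    if steps["bind_dn"] is None:
        return "stage=search: entry found but no bind was attempted"
    if code == "49":
        return "stage=bind: the server rejected the user's credentials (LDAP 49)"
    if code == "32" and steps["remaining"] is not None:
        name = steps["remaining"]
        base = steps["base"] or ""
        if base and not _norm(name).endswith(_norm(base)):
            name = f"{name},{base}"          # make the relative remaining name absolute
        if _norm(name) == _norm(steps["bind_dn"] or ""):
            return ("stage=read-after-bind: the bind as the user succeeded, but reading the "
                    "user's own entry returned noSuchObject, so the bound account cannot see "
                    "its own entry (on AD LDS, membership in the Readers role is the usual fix)")
        return ("stage=read-after-bind: noSuchObject for a DN other than the bind DN; "
                "check the URL base DN and user-search-base")
    return f"stage=unknown: LDAP result code {code}"


def triage(lines: List[str]) -> str:
    return diagnose(extract_steps(lines))


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The check that matters is the DN comparison: the remaining name `cn=Mo Logan,cn=Users`, made absolute with the base `dc=Domain,dc=local`, equals the DN on the "Attempting to bind as" line, so the object the server claims not to exist is the one the user just authenticated as.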
