  • ldap manager security-how to give access to multiple users using ldap?

    Hi,

    My initialDirContextFactory bean looks like this.
    Code:
    <bean id="initialDirContextFactory"
          class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg
            value="ldap://igdc.igi.ig.local:389/dc=igi,dc=ig,dc=local" />
        <property name="extraEnvVars" ref="environmentMap" />
        <property name="managerDn" value="CN=Harish Patharla,OU=IGIndia,OU=IGGroup,OU=IG Users,DC=igi,DC=ig,DC=local"/>
        <property name="managerPassword" value="*********"/>
    </bean>
    When I use my credentials on the login page I am able to log in.
    Here is the stack trace:
    Code:
    2012-03-08 13:16:36,613 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:317) - Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@ef283259: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@8af9c9; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF
    2012-03-08 13:16:36,641 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:334) - Authorization successful
    2012-03-08 13:16:36,643 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:345) - RunAsManager did not change Authentication object
    2012-03-08 13:16:36,665 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:284) - Secure object: [ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF, ROLE_RLE-BLR-DEV-AUTOMATION QA TEAM LEADER, ROLE_RLE-BLR-DEV-QA Engineer 4-staff]; ConfigAttributes: [ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF, ROLE_RLE-BLR-DEV-AUTOMATION QA TEAM LEADER, ROLE_RLE-BLR-DEV-QA Engineer 4-staff]
    2012-03-08 13:16:36,668 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:317) - Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@ef283259: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@8af9c9; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF
    2012-03-08 13:16:36,669 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:334) - Authorization successful
    2012-03-08 13:16:36,671 DEBUG ["http-apr-8080"-exec-5] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:345) - RunAsManager did not change Authentication object


    And when I try to log in "not as a manager user", it fails.
    Here is the log trace for this:
    Code:
    26:36,826 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.providers.ProviderManager (ProviderManager.java:190) - Authentication attempt using org.acegisecurity.providers.ldap.LdapAuthenticationProvider
    2012-03-08 12:26:36,826 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.providers.ldap.LdapAuthenticationProvider (LdapAuthenticationProvider.java:220) - Retrieving user dubeys
    2012-03-08 12:26:36,827 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.ldap.search.FilterBasedLdapUserSearch (FilterBasedLdapUserSearch.java:110) - Searching for user 'dubeys', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: 'ou=IGGroup,ou=IG Users', scope: subtreesearchTimeLimit: 0derefLinkFlag: false ]
    2012-03-08 12:26:36,993 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.ldap.DefaultInitialDirContextFactory (DefaultInitialDirContextFactory.java:176) - Creating InitialDirContext with environment {java.naming.provider.url=ldap://igdc.igi.ig.local:389/dc=igi,dc=ig,dc=local, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=Shubhang Dubey,OU=IGIndia,ou=IGGroup,ou=IG Users,dc=igi,dc=ig,dc=local, java.naming.security.authentication=simple, java.naming.security.credentials=******}
    2012-03-08 12:26:37,476 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator (DefaultLdapAuthoritiesPopulator.java:178) - Getting authorities for user CN=Shubhang Dubey,OU=IGIndia,ou=IGGroup,ou=IG Users,dc=igi,dc=ig,dc=local
    2012-03-08 12:26:37,478 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator (DefaultLdapAuthoritiesPopulator.java:224) - Searching for roles for user 'dubeys', DN = 'CN=Shubhang Dubey,OU=IGIndia,ou=IGGroup,ou=IG Users,dc=igi,dc=ig,dc=local', with filter (member={0}) in search base 'ou=Role,ou=Security Groups,ou=Administrative Area'
    2012-03-08 12:26:37,479 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.ldap.DefaultInitialDirContextFactory (DefaultInitialDirContextFactory.java:176) - Creating InitialDirContext with environment {java.naming.provider.url=ldap://igdc.igi.ig.local:389/dc=igi,dc=ig,dc=local, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=Harish Patharla,OU=IGIndia,OU=IGGroup,OU=IG Users,DC=igi,DC=ig,DC=local, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******}
    2012-03-08 12:26:37,634 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator (DefaultLdapAuthoritiesPopulator.java:232) - Roles from search: [RLE-BLR-DEV-QA Engineer 4-staff]
    2012-03-08 12:26:37,635 INFO  ["http-apr-8080"-exec-7] uk.co.igindex.regression.web.pages.Login (Login.java:79) - authResult is : [email protected]15cd0cc: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@1679bb1; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF
    2012-03-08 12:26:37,642 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.context.HttpSessionContextIntegrationFilter (HttpSessionContextIntegrationFilter.java:411) - SecurityContext stored to HttpSession: 'org.acegisecurity.context.SecurityContextImpl@415cd0cc: Authentication: [email protected]15cd0cc: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@1679bb1; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF'
    2012-03-08 12:26:37,643 DEBUG ["http-apr-8080"-exec-7] nu.localhost.tapestry.acegi.services.internal.AcegiExceptionTranslationFilter (AcegiExceptionTranslationFilter.java:70) - Chain processed normally
    2012-03-08 12:26:37,644 DEBUG ["http-apr-8080"-exec-7] org.acegisecurity.context.HttpSessionContextIntegrationFilter (HttpSessionContextIntegrationFilter.java:269) - SecurityContextHolder now cleared, as request processing completed
    2012-03-08 12:26:37,647 DEBUG ["http-apr-8080"-exec-8] org.acegisecurity.context.HttpSessionContextIntegrationFilter (HttpSessionContextIntegrationFilter.java:227) - Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@415cd0cc: Authentication: [email protected]15cd0cc: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@1679bb1; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF'
    
    
    
    2012-03-08 12:26:37,659 DEBUG ["http-apr-8080"-exec-8] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:284) - Secure object: [ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF, ROLE_RLE-BLR-DEV-AUTOMATION QA TEAM LEADER, ROLE_RLE-BLR-DEV-QA Engineer 4-staff]; ConfigAttributes: [ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF, ROLE_RLE-BLR-DEV-AUTOMATION QA TEAM LEADER, ROLE_RLE-BLR-DEV-QA Engineer 4-staff]
    2012-03-08 12:26:37,660 DEBUG ["http-apr-8080"-exec-8] org.acegisecurity.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:317) - Previously Authenticated: [email protected]15cd0cc: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@1679bb1; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF
    2012-03-08 12:26:37,661 ERROR ["http-apr-8080"-exec-8] org.apache.tapestry5.internal.services.RenderQueueImpl (RenderQueueImpl.java:82) - Render queue error in BeginRender[Start]: Access is denied
    org.apache.tapestry5.ioc.internal.util.TapestryException: Access is denied
    The above log says that FilterBasedLdapUserSearch is searching for the user in AD and, after creating an InitialDirContext, is searching for roles. I doubt whether it is following all of the steps below:
    If the LDAP directory finds the user, it returns the user's DN back to the authenticator.

    The authenticator sends the user's DN and password to the LDAP directory to check whether the user's password is correct. If the LDAP directory finds that the password is correct, the user is said to be bound with the LDAP directory.

    The authenticator sends the user information back to the LDAP authentication provider.

    The LDAP authentication provider transfers control to the populator bean.

    The populator searches for groups the user belongs to.

    The LDAP directory returns the user's role information to the populator.

    The populator returns the role information to the LDAP authentication provider.

    Looks like it's following the above steps, judging from the logs, but I can't figure out what the problem is.
    Do I have to request some manager permissions, as I am the manager user of this webapp in my organisation?

    A quick response is highly appreciated. Please don't suggest changing to Spring Security, because I have tried that already.
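A diagnostic added here by the editor, not part of the original post or of Acegi itself. Both traces above show the same authorization check, and in both the user is already `Authenticated: true` before the interceptor runs, so the failure happens at authorization, not at the LDAP bind. The check Acegi's `RoleVoter` performs is a case-sensitive `String.equals` between each `ROLE_` config attribute and the user's granted authorities, and `DefaultLdapAuthoritiesPopulator` upper-cases role names by default (the second trace shows `Roles from search: [RLE-BLR-DEV-QA Engineer 4-staff]` becoming `ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF`). The script below parses the `ConfigAttributes` and `Granted Authorities` fields out of the log lines on this page, replays the voter's comparison, and reports pairs that differ only in case; the constants `ACCESS_GRANTED`/`ACCESS_ABSTAIN`/`ACCESS_DENIED` mirror Acegi's `AccessDecisionVoter` values, and the two "Previously Authenticated" lines are abridged to the fields the parser reads.

```python
import re

# Log lines copied from the thread (not constructed). SECURE_OBJECT_LINE is the
# interceptor line from the failing request; the two "Previously Authenticated"
# lines are abridged to the trailing fields that the parser below reads.
SECURE_OBJECT_LINE = (
    '2012-03-08 12:26:37,659 DEBUG ["http-apr-8080"-exec-8] '
    "org.acegisecurity.intercept.AbstractSecurityInterceptor "
    "(AbstractSecurityInterceptor.java:284) - Secure object: "
    "[ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF, "
    "ROLE_RLE-BLR-DEV-AUTOMATION QA TEAM LEADER, ROLE_RLE-BLR-DEV-QA Engineer 4-staff]; "
    "ConfigAttributes: [ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF, "
    "ROLE_RLE-BLR-DEV-AUTOMATION QA TEAM LEADER, ROLE_RLE-BLR-DEV-QA Engineer 4-staff]"
)
DENIED_USER_LINE = (
    "Previously Authenticated: Password: [PROTECTED]; Authenticated: true; "
    "Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF"
)
MANAGER_USER_LINE = (
    "Previously Authenticated: Password: [PROTECTED]; Authenticated: true; "
    "Details: null; Granted Authorities: ROLE_RLE-BLR-DEV-JUNIOR AUTOMATION DEVELOPER-STAFF"
)

# Vote values as defined on Acegi's AccessDecisionVoter interface.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


def _split_names(field):
    # Role names on this page contain spaces but never commas.
    return [name.strip() for name in field.split(",") if name.strip()]


def parse_config_attributes(line):
    """Return the ConfigAttributes list from an interceptor 'Secure object' line."""
    m = re.search(r"ConfigAttributes: \[([^\]]*)\]", line)
    return _split_names(m.group(1)) if m else []


def parse_granted_authorities(line):
    """Return the Granted Authorities list from an Authentication toString()."""
    # The list runs to end of line, or to the closing quote when the token is
    # embedded in a SecurityContextImpl toString().
    m = re.search(r"Granted Authorities: ([^']*)", line)
    return _split_names(m.group(1)) if m else []


def role_voter_vote(granted, config_attributes, prefix="ROLE_"):
    """Replay RoleVoter: exact (case-sensitive) match on any ROLE_ attribute grants;
    ROLE_ attributes present with no match denies; no ROLE_ attributes abstains."""
    result = ACCESS_ABSTAIN
    for attr in config_attributes:
        if not attr.startswith(prefix):
            continue
        result = ACCESS_DENIED
        if any(attr == g for g in granted):   # String.equals semantics
            return ACCESS_GRANTED
    return result


def case_only_mismatches(granted, config_attributes):
    """(granted, required) pairs that match case-insensitively but fail equals()."""
    return [
        (g, attr)
        for attr in config_attributes
        for g in granted
        if g != attr and g.casefold() == attr.casefold()
    ]


def diagnose(secure_object_line, authenticated_line):
    """Summarise why the voter granted or denied a request from its two log lines."""
    required = parse_config_attributes(secure_object_line)
    granted = parse_granted_authorities(authenticated_line)
    return {
        "granted": granted,
        "vote": role_voter_vote(granted, required),
        "case_only_mismatches": case_only_mismatches(granted, required),
    }


if __name__ == "__main__":
    for label, line in (("denied user", DENIED_USER_LINE),
                        ("manager user", MANAGER_USER_LINE)):
        print(label, diagnose(SECURE_OBJECT_LINE, line))
```

Run against the page's lines, the manager user's single authority is byte-for-byte one of the config attributes and the vote is granted; the other user's authority `ROLE_RLE-BLR-DEV-QA ENGINEER 4-STAFF` matches `ROLE_RLE-BLR-DEV-QA Engineer 4-staff` only case-insensitively, so the voter denies. The practical check for a defender is therefore to compare the exact spelling of the roles the populator emits (upper-cased unless `convertToUpperCase` is set to false) with the spelling in the secured-object definitions, rather than to widen the manager bind.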

  • #2
    To obtain an initial context, the client calls the newInitialDirContext method. There are two signatures - one with no arguments and one which allows binding with a specific username and password.

    The no-args version will bind anonymously unless a manager login has been configured using the properties managerDn and managerPassword, in which case it will bind as the manager user.

    What if I use the no-args version, which will bind anonymously?
