  • LDAP, Active Directory, and Jasper Reports Server 4.5 CE

    Before simply telling me to look in the forums for similar posts, let me state that I have read over 100 posts, tried everything they suggest, and have spent 4-5 days on this with no success. I am new to Java, JasperReports Server, and Spring.

    Some facts:
    The latest JasperReports Server uses Spring Security 2.0 (I think), which is not the newest version.
    I think we use AD 2003.
    I have successfully used LDAP Browser, and the Drupal LDAP module using the same info.
    I have added a couple of lines to Jasper's default log4j.properties file thus:
    log4j.category.org.springframework.security=DEBUG, MISC, ERROR, INFO
    log4j.category.org.springframework.security.ldap=DEBUG, MISC, ERROR, INFO
    I don't know what else I can do to 'see' what is happening during the log in process. These don't seem to help much as you'll see below.

    My Active Directory info is this:

    root.myserver.org
    -Facility1
    --Users
    ---Admins
    --Groups
    -Facility2
    --Users
    ---Admins
    --Groups
    etc.

    A service account which can query the server and is used on other systems:
    User: CN=ldapuser,OU=Users,OU=Facility1,DC=root,DC=myserver,DC=org
    Password: password
    Error messages in jasperserver.log:
    2012-05-09 14:49:17,982 INFO DefaultSpringSecurityContextSource,Thread-1:56 - URL 'ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org', root DN is 'dc=root,dc=myserver,dc=org'
    2012-05-09 14:49:31,443 DEBUG ProviderManager,http-8080-2:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
    2012-05-09 14:49:31,446 DEBUG FilterBasedLdapUserSearch,http-8080-2:109 - Searching for user 'constar1', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: 'DC=root,DC=myserver,DC=org', scope: subtree, searchTimeLimit: 0, derefLinkFlag: true ]
    2012-05-09 14:49:31,502 DEBUG ProviderManager,http-8080-2:183 - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
    2012-05-09 14:49:31,534 WARN LoggerListener,http-8080-2:60 - Authentication event AuthenticationFailureBadCredentialsEvent: constar1; details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.145.156.100; SessionId: D07A60737C086D8FB4AD14BE703F87DC; exception: Bad credentials
    I only put in those which seem related. You can see that LDAP is unsuccessful and so DAO is used next which, of course, fails to find the user.

    My applicationContext-security.xml file contains the following LDAP settings:
    Code:
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="ldapAuthenticationProvider"/>
                    <ref bean="${bean.daoAuthenticationProvider}"/>
                    <ref bean="anonymousAuthenticationProvider"/>
                    <!--ref local="jaasAuthenticationProvider"/-->
                </list>
            </property>
        </bean>
    Code:
    <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
         <constructor-arg value="ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org"/>
         <property name="userDn"><value>CN=ldapuser,OU=Users,OU=Facility1,DC=root,DC=myserver,DC=org</value></property>
         <property name="password"><value>password</value></property>
       </bean>
    Code:
    <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
         <constructor-arg index="0">
           <value>DC=root,DC=myserver,DC=org</value>
         </constructor-arg>
         <constructor-arg index="1">
           <value>sAMAccountName={0}</value>
         </constructor-arg>
         <constructor-arg index="2">
           <ref local="ldapContextSource" />
         </constructor-arg>            
         <property name="searchSubtree">
           <value>true</value>
         </property>      
         <property name="derefLinkFlag">
           <value>true</value>
         </property>	 
       </bean>
    Code:
    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
         <constructor-arg>
           <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
              <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
              <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
              <property name="userSearch" ref="userSearch"/>
           </bean>
         </constructor-arg>
         <constructor-arg>
           <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
              <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
              <constructor-arg index="1"><value>OU=Groups,OU=Facility2,DC=root,DC=myserver,DC=org</value></constructor-arg>
              <!--<property name="groupRoleAttribute"><value>cn</value></property>-->
              <!--<property name="groupSearchFilter"><value>(&amp;(uniqueMember={0})(objectclass=groupofuniquenames))</value></property>-->
              <!--<property name="groupSearchFilter"><value>(member={0})</value></property>-->
              <property name="searchSubtree"><value>true</value></property>
           </bean>
         </constructor-arg>
       </bean>
    My questions are:
    1. What can I do to see better what is going on behind the scenes?
    2. Given my directory structure, what settings are wrong on my xml file? Should this be working as-is?
    3. Are there settings elsewhere I didn't address or are missing (here or on other files)?
    4. Why does this forum introduce spaces in some words?

    Thanks in advance for any help.

  • #2
    As it turns out, I'm a huge idiot. I found a typo in the credentials for the LDAP query user.

    Still, for those who want another working example, here you go:

    Code:
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref local="ldapAuthenticationProvider"/>
          <ref bean="${bean.daoAuthenticationProvider}"/>
          <ref bean="anonymousAuthenticationProvider"/>
          <!--ref local="jaasAuthenticationProvider"/-->
        </list>
      </property>
    </bean>
    
    <bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
      <constructor-arg value="ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org"/>
      <property name="userDn"><value>CN=ldapuser,OU=Service Accounts,OU=Users,OU=Facility1,DC=root,DC=myserver,DC=org</value></property>
      <property name="password"><value>password</value></property>
      <property name="referral" value="follow" />
    </bean>
    
    <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
      <constructor-arg index="0">
        <value></value>
      </constructor-arg>
      <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
      </constructor-arg>
      <constructor-arg index="2">
        <ref local="ldapContextSource" />
      </constructor-arg>            
      <property name="searchSubtree">
        <value>true</value>
      </property>      
      <property name="derefLinkFlag">
        <value>true</value>
      </property>	
    </bean> 
    
    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
           <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
           <property name="userSearch" ref="userSearch"/>
        </bean>
      </constructor-arg>
      <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
          <constructor-arg index="1"><value></value></constructor-arg>
          <property name="convertToUpperCase"><value>true</value></property>
          <property name="groupRoleAttribute"><value>cn</value></property>
          <property name="rolePrefix"><value></value></property>
          <property name="groupSearchFilter"><value>(member={0})</value></property>
          <property name="searchSubtree"><value>true</value></property>   
          <!--<property name="defaultRole"><value>ROLE_USER</value></property>-->
        </bean>
      </constructor-arg>
    </bean>
    Now all I need to figure out is whether I can check AD groups against Jasper roles WITHOUT importing the rest of the groups as roles.


    • #3
      I used that example code and still cannot get LDAP to work. Can anyone help? I get this in the error log:

      2012-09-12 09:38:28,317 ERROR ContextLoader,main:307 - Context initialization failed
      org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 856 in XML document from ServletContext resource [/WEB-INF/applicationContext-security.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'beans' cannot have character [children], because the type's content type is element-only.
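
Added example (not part of any post in this thread, and not JasperReports Server or Spring code): the `cvc-complex-type.2.3` error in #3 means there is non-whitespace text directly inside `<beans>`, so this Python check reports such text and the bean it follows, and also flags two settings visible in the configs above, an unencrypted `ldap://` context source and a bind password stored as a literal. The sample document is constructed, and the stray `Code:` line in it is an assumed cause, not something #3 confirmed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the beans posted in this thread; the stray
# "Code:" line between the beans is an assumed cause of cvc-complex-type.2.3.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="ldapContextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org"/>
    <property name="password"><value>password</value></property>
  </bean>
  Code:
  <bean id="userSearch"
        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"/>
</beans>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def value_of(el):
    """Spring accepts value="..." or a nested <value> child; return either."""
    if el.get("value") is not None:
        return el.get("value").strip()
    nested = [c for c in el if local(c.tag) == "value"]
    return (nested[0].text or "").strip() if nested else None

def lint_beans(xml_text):
    """Return (rule, location, detail) findings for a Spring beans document."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.text or "").strip():      # text before the first child element
        findings.append(("stray-text", "start of <beans>", root.text.strip()))
    for bean in root:
        where = "after bean id=%r" % bean.get("id")
        if (bean.tail or "").strip():  # text between top-level elements
            findings.append(("stray-text", where, bean.tail.strip()))
        if not bean.get("class", "").endswith("DefaultSpringSecurityContextSource"):
            continue
        for child in bean:
            val = value_of(child) or ""
            if local(child.tag) == "constructor-arg" and val.lower().startswith("ldap://"):
                findings.append(("cleartext-ldap", bean.get("id"), val))
            if child.get("name") == "password" and val and not val.startswith("${"):
                findings.append(("inline-password", bean.get("id"), "(literal value)"))
    return findings

if __name__ == "__main__":
    for finding in lint_beans(SAMPLE):
        print(finding)
```

Switching the URL to `ldaps://` assumes the domain controller has LDAPS enabled; with plain `ldap://`, the simple binds done by `BindAuthenticator` and by the service account are not encrypted.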
