Problem in LDAP-setup
  • #16
    Authentication with Microsoft Active Directory

    Hi,
    Thanks for your posts with examples of configuration.
    Did you notice the change in the LDAP classes in the 1.0.0 RC2?

    I have tried to adapt your configuration to access a Microsoft Active Directory 2003 and I keep getting the error:

    net.sf.acegisecurity.BadCredentialsException: Bad credentials; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

    Do you have a clue? A Google search suggests that the admin user doesn't have the credentials, but I'd like to know which parameter exactly is wrong (searchFilter, dn=, cn=, password ...)

    I will post the answers in the forum once everything works ...

    Regards,

    Jean-Michel


  • #17
    Thank you for the information on Active Directory setup using LDAP. I have it mostly working, but for some reason I am getting a PartialResultException. I believe this is because the Active Directory is returning referral information. I have looked at the traffic with Ethereal and I can see the user information getting returned up to the referrals. I did set java.naming.referral=forward as recommended (I also set it in the jndi.properties file in JBoss just in case).

    Any thoughts on why Acegi is not handling the referrals? I am so close....

    Thanks!

    John Westerkamp


  • #18
    To ganierjm:

    I have found that that response is almost always due to the manager credentials. To get it to work for me with Active Directory, I had to use the principal name, i.e., [email protected] (no cn's or dc's). That fixed mine right up.

    Hope this helps!

    John Westerkamp


  • #19
    Hi Again,

    Ok, I have figured out how to work Active Directory with Acegi LDAP. The reason I was getting the PartialResultException was that Active Directory was returning referrals when Acegi started its authentication bind for the user logging into the application. Apparently, Active Directory disregards the Manage Referrals code sent by the client as part of LDAP v3. In my case, I was setting the search base to the top of the directory, i.e., dc=example,dc=com. In addition to the Users ou in the ldap tree, there are several other system ou's and these cause Active Directory to return referrals which causes the PartialResultException. Try it with something like

    ldapsearch -x -b dc=example,dc=com -D [email protected] sAMAccountName=username -W

    and you will see the referrals since the -b argument is set to the top of the directory.

    Now, to get Acegi to work, you must specify the ou containing your user accounts in the userSearch bean as per the previous example. Since the search is limited to that ou, no referrals are obtained and Acegi works! Again, try it with an ldapsearch like

    ldapsearch -x -b ou=Users,dc=example,dc=com -D [email protected] sAMAccountName=username -W

    Note the addition of the ou=Users to the search base. The result will not contain the referrals.

    Since some of the setup is different than the previous example for RC2, I am including my setup beans for Acegi LDAP authentication against Active Directory. Thanks for all the help!

    Code:
    <bean id="initialDirContextFactory" class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
      <constructor-arg value="ldap://ad.example.com:389/dc=example,dc=com"/>
      <property name="managerDn"><value>[email protected]</value></property>
      <property name="managerPassword"><value>password</value></property>
      <property name="extraEnvVars">
        <map>
          <entry key="java.naming.referral">
            <value>follow</value>
          </entry>
        </map>
      </property>
    </bean>

    <bean id="userSearch" class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch">
      <constructor-arg index="0">
        <value>ou=Users</value>
      </constructor-arg>
      <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
      </constructor-arg>
      <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
      </constructor-arg>
      <property name="searchSubtree">
        <value>true</value>
      </property>
    </bean>

    <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <property name="userSearch">
            <ref local="userSearch" />
          </property>
        </bean>
      </constructor-arg>
      <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg>
            <ref local="initialDirContextFactory" />
          </constructor-arg>
          <constructor-arg>
            <value>ou=Roles</value>
          </constructor-arg>
          <property name="convertToUpperCase">
            <value>true</value>
          </property>
          <property name="rolePrefix">
            <value></value>
          </property>
          <property name="searchSubtree">
            <value>true</value>
          </property>
          <property name="groupSearchFilter">
            <value>member={0}</value>
          </property>
          <property name="groupRoleAttribute">
            <value>cn</value>
          </property>
        </bean>
      </constructor-arg>
    </bean>
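    As an added illustration (not code from this thread or from Acegi), here is the search-then-bind flow that the beans above wire together, written directly against JNDI: the user search is limited to ou=Users as #19 recommends, the manager binds with a UPN-style principal as #18 suggests, and java.naming.referral is set to follow. The host, OU, service account and password are hypothetical placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdSearchThenBind {
    // Hypothetical directory and service account; replace with your own values.
    static final String URL = "ldap://ad.example.com:389";
    static final String USER_BASE = "ou=Users,dc=example,dc=com"; // not the domain root, so AD sends no referrals
    static final String MANAGER = "svc-acegi@example.com";        // UPN form; a cn=/dc= DN gave "data 525" above
    static final String MANAGER_PASSWORD = "manager-password";

    static Hashtable<String, String> env(String principal, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PRINCIPAL, principal);           // simple bind
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow");                      // java.naming.referral, as in extraEnvVars
        return env;
    }

    /** Resolves a login name to the account's DN under ou=Users, or null if there is no such account. */
    static String findUserDn(String samAccountName) throws NamingException {
        InitialDirContext ctx = new InitialDirContext(env(MANAGER, MANAGER_PASSWORD));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);          // searchSubtree=true
            // {0} is a JNDI filter argument: JNDI escapes it, so a crafted login name cannot rewrite the filter.
            NamingEnumeration<SearchResult> hits = ctx.search(USER_BASE, "(sAMAccountName={0})", new Object[] {samAccountName}, sc);
            return hits.hasMore() ? hits.next().getNameInNamespace() : null;
        } catch (PartialResultException e) {
            // Raised when the base is the domain root and AD answers with referrals to its other naming contexts.
            throw new NamingException("search base too wide for Active Directory: " + e.getMessage());
        } finally {
            ctx.close();
        }
    }

    /** Binds as the located user; a successful bind is the authentication. */
    static boolean bindAsUser(String userDn, String password) {
        if (userDn == null || password == null || password.isEmpty()) return false; // empty password = unauthenticated bind, which AD accepts
        try {
            new InitialDirContext(env(userDn, password)).close();
            return true;
        } catch (NamingException e) {                               // AuthenticationException, LDAP error code 49
            return false;
        }
    }
}
```

    Calling findUserDn with a base of dc=example,dc=com instead of USER_BASE reproduces the PartialResultException from #17 on a directory with several naming contexts.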


  • #20
    Is the last pasted code on this page still the best practice on using Active Directory?


  • #21
    Hi, I am trying to set the Oracle OID with configurations specified in this post. I am able to get the user logged in but it gives me access denied. I am using appfuse.

    Can someone help me on this?

    Thanks in advance.

    Error:
    [prodex] ERROR [http-8080-Processor25] [/prodex].setAttribute(1330) | Session attribute event listener threw exception
    java.lang.ClassCastException: org.acegisecurity.userdetails.User
    at com.lsi.test.webapp.listener.UserCounterListener.attributeAdded(UserCounterListener.java:114)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1311)
    at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:129)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:272)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:120)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Unknown Source)
    Last edited by sunraider; Jul 7th, 2006, 06:02 AM.


  • #22
    What's the code that is throwing the exception? It's not Acegi Security code - it looks like the problem is the coding of UserCounterListener.


  • #23
    Thank you.


  • #24
    Searching for groups in different OUs

    Hi all, I have the same problem that Zorak had. I need to search for groups to which the user belongs in different OUs.

    We have something like:

    dc=company, dc=es
    |
    --OU=Location1
    | |
    | --OU=Group1
    |
    --OU=Location2
    | |
    | --OU=Group2
    |
    --OU=Location3
    ...

    And the user can belong to group1, group2, etc. (roles). So, I would like to start the group search from the root, not from a specific OU... is there any technical reason why it cannot be done?

    The solution proposed by Zorak (create a specific OU which groups together all the roles) doesn't work for me, because I have no control over the LDAP structure (and the system admins are not willing to help us).

    Any idea?

    Thanks in advance,

    José Luis.


  • #25
    > And the user can belong to group1, group2, etc. (roles). So, I would like to start the group search from the root, not from a specific OU... is there any technical reason why it cannot be done?

    Shouldn't be. Have you tried it (use an empty string for the search base)?


  • #26
    Hi Luke, if I try with an empty string for the search base (something like this):

    Code:
    ...
    <constructor-arg>
      <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0"><ref local="initialDirContextFactory"/></constructor-arg>
        <constructor-arg index="1"><value></value></constructor-arg>
        <property name="groupRoleAttribute"><value>cn</value></property>
        <property name="groupSearchFilter"><value>member={0}</value></property>
        <property name="defaultRole"><value>ROLE_ANONYMOUS</value></property>
        <property name="searchSubtree"><value>true</value></property>
        <property name="rolePrefix"><value>ROLE_</value></property>
        <property name="convertToUpperCase"><value>true</value></property>
      </bean>
    </constructor-arg>
    ...

    I get the following exception:

    Code:
    java.lang.IllegalArgumentException: The groupSearchBase (name to search under), must be specified.

    BTW: I'm using 1.0RC2


  • #27
    This has been changed after this issue was raised:

    http://opensource.atlassian.com/proj...browse/SEC-225

    Please try with a more recent build.


  • #28
    Hi Luke, I've tried with a more recent snapshot (27/05) but now I have another problem (well, packages have changed, but that's not important).

    This snapshot is only compatible with Spring 2.0 because it uses org.springframework.dao.EmptyResultDataAccessException, and I have to use 1.2.3... is this an error, or will Acegi 1.0 final only be compatible with Spring 2.0?


  • #29
    I have updated the samples to AcegiSecurity 1.0.3

    --> http://documentation.wikia.com/wiki/...ework#Security


  • #30
    ignoring roles

    Is there a way to have the LDAP support JUST do authentication and pass over the "role acquisition"? The reason I ask: our system (for one customer installation) has to use LDAP for authentication, but switch to obtaining roles/perms from an RDBMS backend after the auth phase is done (basically once the user is allowed into the system, LDAP disappears from the equation).

    I realize I could write my own implementation of the LdapAuthoritiesPopulator, but I'd like to use the off-the-shelf stuff as much as possible (reduction of maintenance ;-> )

    TIA

    == sfisque