Problem in LDAP-setup

This topic is closed

  • #31
    I'm pretty sure I've seen this brought up a few times already. You might want to do a search on the forum for the old answers.

    • #32
      Hi,

      I have a very similar problem to the ones mentioned in some of the previous posts. I would like to know if any resolution was found. The issue is that I have users in MS Active Directory scattered across multiple OUs. I'm able to connect directly to each OU (for example OU=Users,DC=company,DC=com) and test the functionality. But if I try to connect to the base, for example DC=company,DC=com, it gives me this error:

      org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;Unprocessed Continuation Reference(s): nested exception is javax.naming.PartialResultException:

      which I understand is because of the references that LDAP is sending back. In order to authenticate users belonging to multiple OUs, is there a way to specify multiple OUs in Acegi? Any workaround?

      Any help/suggestions ?

      Thanks
      Sunj

      • #33
        Sample code/ JUnit Tests

        Hi,

        I am trying to develop an authentication solution using Spring, Acegi and Active Directory. I have got a lot of information from this thread and it is very helpful for me. Does any of you have sample code or JUnit tests that show how to use these configurations and the Acegi APIs etc.? This thread has much of the configuration detail, but is there a sample or reference implementation that uses these configurations? I think that would be very helpful for beginners on this, like me. Thanks in advance!

        • #34
          Why don't you take a look at the LDAP Junit tests in the Acegi code base? These are configured to run against an embedded Apache DS server.

          • #35
            Configuration for Lotus Domino 6.5.4 and AcegiSecurity 1.0 RC1 in detail

            Hello,

            Sorry to be so clueless and too green, but I've tried setting up "Configuration for Lotus Domino 6.5.4 and AcegiSecurity 1.0 RC1" above like a million times and it did not work. I need help. The setting I prepared is exactly the same as the above setting except for the LDAP server. And I think that the login is already working and it is failing at getting the ROLE. The thing I cannot get correctly from the above is the setting on Lotus Domino in detail. I know this is the Spring forum and this question goes a bit far from it, but could I ask a little about the setting on Lotus Domino for Spring LDAP?

            Here are several questions.

            >>The groups have the form
            >>APPNAME_ROLE/Groups

            Does the "form" above mean Lotus Domino's "Internet Certifier" or "Organization" or literally "Form" or what?
            I first thought "/Groups" above was Lotus Domino's "Organization", so what I did was below.

            1. Add "Groups" as an "Organization" via Domino Administrator's Registration tools.
            2. Use the "Add Group" button to add a group named "APPNAME_ADMIN/Groups" on "Groups" of "People & Groups".
            (you replace APPNAME with your application's name)
            3. Then Domino shows "APPNAME_ADMIN/Groups" as the name of the group
            and categorizes the group as "Groups".
            4. Add the users that you'd like to have Administrator permission (in this case) to "Members" on the group.

            I think maybe these are far from the correct setting.
            Any help would be appreciated.

            Thanks

            • #36
              frod,

              form does not refer to a Notes form. It rather refers to a pattern or format.
              I generally think your configuration is correct, although I did not apply step 1.

              Did you try to increase the log level? Can you post the results? (Maybe even PM it to me)

              CU
              zorak

              • #37
                Same problem

                Any solution found for this problem?

                Thanks in advance

                Originally posted by Sunj:
                Hi,

                I have a very similar problem to the ones mentioned in some of the previous posts. I would like to know if any resolution was found. The issue is that I have users in MS Active Directory scattered across multiple OUs. I'm able to connect directly to each OU (for example OU=Users,DC=company,DC=com) and test the functionality. But if I try to connect to the base, for example DC=company,DC=com, it gives me this error:

                org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;Unprocessed Continuation Reference(s): nested exception is javax.naming.PartialResultException:

                which I understand is because of the references that LDAP is sending back. In order to authenticate users belonging to multiple OUs, is there a way to specify multiple OUs in Acegi? Any workaround?

                Any help/suggestions?

                Thanks
                Sunj

                • #38
                  I found a solution

                  Well, I found a solution to the problem of matching users in different OUs. Not the solution I wanted, but a solution in the end.
                  I have to match users in 2 different OUs, so I defined two UserSearch beans:

                  <!-- User search for the first OU -->
                  <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
                      <!-- searchBase: context name to search in, relative to the root DN of the configured InitialDirContextFactory -->
                      <constructor-arg index="0">
                          <value>ou=firstOU</value>
                      </constructor-arg>
                      <!-- searchFilter: the filter expression used in the user search -->
                      <constructor-arg index="1">
                          <value>${acegi.ldap.searchFilter}</value>
                      </constructor-arg>
                      <constructor-arg index="2">
                          <ref local="initialDirContextFactory" />
                      </constructor-arg>
                      <!-- If true, searches the entire subtree under the search base; if false (the default),
                           searches only the level directly below the search base -->
                      <property name="searchSubtree">
                          <value>${acegi.ldap.searchSubtree}</value>
                      </property>
                  </bean>

                  <!-- User search for the second OU: identical except for the search base -->
                  <bean id="userSearch_1" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
                      <!-- searchBase: context name to search in, relative to the root DN of the configured InitialDirContextFactory -->
                      <constructor-arg index="0">
                          <value>ou=secondOU</value>
                      </constructor-arg>
                      <!-- searchFilter: the filter expression used in the user search -->
                      <constructor-arg index="1">
                          <value>${acegi.ldap.searchFilter}</value>
                      </constructor-arg>
                      <constructor-arg index="2">
                          <ref local="initialDirContextFactory" />
                      </constructor-arg>
                      <!-- If true, searches the entire subtree under the search base; if false (the default),
                           searches only the level directly below the search base -->
                      <property name="searchSubtree">
                          <value>${acegi.ldap.searchSubtree}</value>
                      </property>
                  </bean>

                  then I defined two LdapAuthenticationProviders, each one using one of the userSearch beans defined above:

                  <!-- Provider for users found in the first OU -->
                  <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
                      <constructor-arg>
                          <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                              <constructor-arg>
                                  <ref local="initialDirContextFactory" />
                              </constructor-arg>
                              <property name="userSearch" ref="userSearch" />
                          </bean>
                      </constructor-arg>
                      <constructor-arg>
                          <ref local="populator" />
                      </constructor-arg>
                  </bean>

                  <!-- Provider for users found in the second OU -->
                  <bean id="ldapAuthProvider_1" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
                      <constructor-arg>
                          <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                              <constructor-arg>
                                  <ref local="initialDirContextFactory" />
                              </constructor-arg>
                              <property name="userSearch" ref="userSearch_1" />
                          </bean>
                      </constructor-arg>
                      <constructor-arg>
                          <ref local="populator" />
                      </constructor-arg>
                  </bean>

                  and finally, I put both providers in the providers list:

                  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
                      <property name="providers">
                          <list>
                              <!-- If using LDAP, uncomment the following and comment out daoAuthenticationProvider -->
                              <ref local="ldapAuthProvider" />
                              <ref local="ldapAuthProvider_1" />
                          </list>
                      </property>
                  </bean>

                  I don't like this solution, but I couldn't find any better. If someone does, please let me know.

                  Alejandro
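
The configuration in this post (two FilterBasedLdapUserSearch beans with different searchBase values, the searchSubtree flag, and a ProviderManager that tries the providers in order) can be modelled offline. The Python below is an added example, not code from the thread or from Acegi/Spring: it implements the scope rule stated in the XML comments (searchBase relative to the root DN of the context, one-level versus subtree), substitutes {0} into the filter with RFC 4515 escaping, and runs the searches over a constructed four-entry directory under DC=company,DC=com (the entries, OUs and usernames are made up) to show which base finds which user and why a nested OU is missed when searchSubtree is false. The escaping shown is what a caller must do when building the filter string by hand; Acegi passes the username to JNDI as a filter argument, which is escaped for you, so confirm your version does that rather than concatenating.

```python
"""Model of the Acegi LDAP user-search setup discussed in this thread.
Added example, not code from the thread or from Acegi/Spring. Directory
content, DNs and usernames are constructed for illustration."""
import re

# RFC 4515 escapes for values substituted into a search filter. Acegi hands the
# username to JNDI as a filter argument, which applies these; if you ever build
# the filter string yourself you must apply them (see the '*' case in main).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, username, escape=True):
    """Substitute {0} in an Acegi-style searchFilter such as '(sAMAccountName={0})'."""
    value = escape_filter_value(username) if escape else username
    return template.replace("{0}", value)

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs, most specific first.
    Simplified: no support for escaped commas or multi-valued RDNs."""
    if not dn.strip():
        return []
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, root_dn, search_base, subtree):
    """Scope rule from the XML comments above: searchBase is relative to the root DN
    of the InitialDirContextFactory; subtree=True covers the base and everything
    below it, subtree=False only the level directly below the base."""
    base = split_dn(search_base) + split_dn(root_dn)
    entry = split_dn(entry_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[len(entry) - len(base):] != base:
        return False
    return depth >= 0 if subtree else depth == 1

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches_filter(attrs, ldap_filter):
    """Evaluate the single equality form used in the thread, '(attr=value)'.
    An unescaped '*' is a wildcard; '\\XX' hex escapes are literal characters."""
    inner = ldap_filter.strip()
    if not (inner.startswith("(") and inner.endswith(")")):
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, _, value = inner[1:-1].partition("=")
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    actual = next((v for k, v in attrs.items() if k.lower() == attr.strip().lower()), None)
    return actual is not None and re.fullmatch(pattern, actual, re.IGNORECASE) is not None

ROOT_DN = "DC=company,DC=com"           # root DN of the configured context (constructed)
SEARCH_FILTER = "(sAMAccountName={0})"  # the filter seen in the log output in this thread

# Constructed sample directory: users scattered across OUs, as in the question.
DIRECTORY = {
    "CN=alice,OU=firstOU,DC=company,DC=com": {"sAMAccountName": "alice"},
    "CN=bob,OU=secondOU,DC=company,DC=com": {"sAMAccountName": "bob"},
    "CN=carol,OU=Contractors,OU=secondOU,DC=company,DC=com": {"sAMAccountName": "carol"},
    "CN=svc-web,CN=Users,DC=company,DC=com": {"sAMAccountName": "svc-web"},
}

def find_user(username, search_base, subtree, escape=True,
              search_filter=SEARCH_FILTER, root_dn=ROOT_DN, directory=DIRECTORY):
    """One FilterBasedLdapUserSearch: one base, one scope, one filter. Returns the DNs found."""
    ldap_filter = build_filter(search_filter, username, escape)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, root_dn, search_base, subtree)
                  and matches_filter(attrs, ldap_filter))

def find_user_multi(username, search_bases, subtree, **kwargs):
    """ProviderManager with one LdapAuthenticationProvider per search base, tried in
    order: the first search that finds the user decides which DN gets bound."""
    for base in search_bases:
        hits = find_user(username, base, subtree, **kwargs)
        if hits:
            return base, hits
    return None, []

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "svc-web"):
        print(name, find_user_multi(name, ["ou=firstOU", "ou=secondOU"], subtree=True))
    # One search from the domain root covers every OU; against AD on port 389 this is
    # the search that comes back with continuation references (PartialResultException).
    print("carol from root:", find_user("carol", "", subtree=True))
    print("carol one-level:", find_user("carol", "ou=secondOU", subtree=False))
    # Why filter arguments must be escaped: a raw '*' matches every entry.
    print("raw '*':", len(find_user("*", "", subtree=True, escape=False)))
    print("escaped '*':", find_user("*", "", subtree=True))
```

Run it as a script to see the per-user outcome. The one-level search that misses carol is the trap the searchSubtree comment warns about, and svc-web (under CN=Users rather than either OU) is found by neither provider, which is the cost of this two-base workaround compared with a single subtree search from the domain root. The unescaped '*' case is why the username must reach the filter as an argument and never by string concatenation.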

                  • #39
                    hi araiczyk,

                    did you try this http://documentation.wikia.com/wiki/AcegiMsad?

                    • #40
                      Now I did

                      Originally posted by zorak
                      I tried it, and I get this exception:

                      2007-11-30 18:09:00,482 DEBUG [org.acegisecurity.providers.ldap.LdapAuthenticationProvider] - Retrieving user araiczyk
                      2007-11-30 18:09:00,483 DEBUG [org.acegisecurity.ldap.DefaultInitialDirContextFactory] - Creating InitialDirContext with environment {java.naming.provider.url=ldap://10.1.2.177:389/DC=prueba,DC=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=araiczyk,CN=Users,DC=prueba,DC=com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******, java.naming.referral=follow}
                      2007-11-30 18:09:00,608 DEBUG [org.acegisecurity.ldap.search.FilterBasedLdapUserSearch] - Searching for user 'araiczyk', in context javax.naming.directory.InitialDirContext@1d62a85, with user search [ searchFilter: '(sAMAccountName={0})', searchBase: '', scope: subtreesearchTimeLimit: 0derefLinkFlag: true ]
                      2007-11-30 18:09:00,642 DEBUG [org.acegisecurity.ldap.DefaultInitialDirContextFactory] - Creating InitialDirContext with environment {java.naming.provider.url=ldap://10.1.2.177:389/DC=prueba,DC=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=araiczyk,CN=Users,DC=prueba,DC=com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******, java.naming.referral=follow}
                      2007-11-30 18:09:57,238 DEBUG [org.apache.catalina.session.ManagerBase] - Start expire sessions StandardManager at 1196446197238 sessioncount 1
                      2007-11-30 18:09:57,238 DEBUG [org.apache.catalina.session.ManagerBase] - End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2007-11-30 18:10:04,468 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - Publishing event in context [Root WebApplicationContext]: org.acegisecurity.event.authentication.AuthenticationFailureServiceExceptionEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@5f1b65e0: Username: araiczyk; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 926022EBD91CFF39B466A827C6DB711A; Not granted any authorities]
                      2007-11-30 18:10:04,468 WARN [org.acegisecurity.event.authentication.LoggerListener] - Authentication event AuthenticationFailureServiceExceptionEvent: araiczyk; details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 926022EBD91CFF39B466A827C6DB711A; exception: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: prueba.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: prueba.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
                      2007-11-30 18:10:04,469 DEBUG [net.technisys.acegi.filter.CustomAuthenticationProcessingFilter] - Updated SecurityContextHolder to contain null Authentication

                      Any suggestion?

                      Thanks in advance.

                      • #41
                        Have a look at this article

                        If you want to configure LDAP with Acegi, have a look at the article below. It explains Acegi configuration with LDAP in detail.

                        http://www.ibm.com/developerworks/ja...gi2/index.html

                        • #42
                          It's always best to use the global catalog server on MS AD. It listens on port 3268.
                          Single AD servers tend to redirect you to the domain, which normally does NOT run an LDAP service (see your connection timeout on prueba.com:389).
                          http://technet2.microsoft.com/window....mspx?mfr=true has a good explanation of what the GC is.

                          • #43
                            Thanks

                            It worked, thanks a lot.
