  • Authorizing Users In Active Directory

    Hi Guys,

    I've been using the sample tutorial as a base for my Acegi/LDAP test rig. I have to say, for someone who has very little knowledge of Active Directory, actually wiring Acegi to connect to AD wasn't so bad, once I had the basics down. The problem is finding the right data once connected.

    Basically I can authenticate users, but I cannot authorize them to use resources I've defined in the object definition source as part of the filterInvocationInterceptor. If I remember right, the populator reads the business roles of the user that has been authenticated. The userSearch bean, with the authenticator, authenticates users and is configured as follows:

    Code:
    <bean id="userSearch"
            class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="OU=IT,OU=SJMB,OU=Retail Users" />
        <constructor-arg index="1" value="sAMAccountName={0}" />
        <constructor-arg index="2">
            <ref local="initialDirContextFactory" />
        </constructor-arg>
    </bean>
    Again, as I said, this works. So I thought the following configuration of the object definition source and populator would work fine:

    Code:
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    ...
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /secure/extreme/**=ROLE_All_Speke_Users
                /secure/**=IS_AUTHENTICATED_REMEMBERED
                /**=IS_AUTHENTICATED_ANONYMOUSLY
            </value>
        </property>
    </bean>

    <bean id="populator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0">
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <constructor-arg index="1">
            <value>OU=IT,OU=SJMB,OU=Retail Users</value>
        </constructor-arg>
        <property name="groupRoleAttribute" value="memberOf"/>
        <property name="groupSearchFilter" value="sAMAccountName={0}" />
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>
    Each user has an attribute called memberOf, where the roles that I want to use are stored. Using the above config I get the following error:

    Code:
    org.acegisecurity.AccessDeniedException: Access is denied
    
    Authentication object as a String: [email protected]0fbf22b: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@41d471; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: 5E5BD4576B542F13572C1B2BF2520218; Granted Authorities:
    What does this error mean? Why does it not work?

    I have an idea of why it doesn't work, but I'm not sure it's the correct explanation, and I'm not sure how to correct the problem itself.

    The populator would attach the second constructor argument (RDN) to the first constructor argument (initial directory context) and then, using the group search filter property, it would find the DN and hence the user that has just been authenticated. The value of the group role attribute would be checked and, if that matches the object definition source, then the user is authorized.

    In the object definition source I have to affix ROLE as the prefix, otherwise the role voter won't be able to find the definition. I wasn't so sure how to set the rest of the definition, so everything after 'ROLE_' was just guesswork. For some reason I thought ROLE_All_Speke_Users would be translated to All Speke Users and this would be used for the authorization. However, the memberOf attribute has the following value:

    Code:
    CN=*All Speke Users,OU=Distribution Groups,DC=retail2u,DC=trcg,DC=co,DC=uk
    So I'm guessing that Acegi, when making the comparison, compares the role definition with this value as just a string, sees that they are different and so refuses authorization. So then the solution would be to define the object definition so that it matches the above. The first obvious problem is then: how would the role voter find the definition?

    I'm not sure where to go from here, to be honest. I've little experience and knowledge with AD. Any help would be appreciated.

  • #2
    I'd have a search on the forum, lots of people have posted working examples in the past.
    http://www.protocol7.com/archives/20...rectory-howto/
    Last edited by karldmoore; Aug 29th, 2007, 11:28 AM.



    • #3
      That link is going on my bookmarks. I have been using the following:

      http://www.ibm.com/developerworks/ja....html#download

      and although this is great once you get things up and running, it's a lot to digest when you're first starting off.

      I have one more question. It's about the populator. The populator assigns the roles to the user. However, in the example only one role is being assigned to the user. Is there any way that more than one can be assigned?

      Say, for example, I wanted to check if a user was part of a group, then, having been authorized as part of that group, I wanted to make sure he was also part of another group. Can I do this?



      • #4
        Okay, I had a problem very similar to zorak and qvark in the following thread:

        http://forum.springframework.org/sho...t=20969&page=3

        in that I have several groups I want to authorize against in different organisational units (OU). Luke, an Acegi team member, advised that an empty string should be used for the search base. I tried this as follows:

        Code:
        <bean id="populator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0">
                <ref local="initialDirContextFactory1" />
            </constructor-arg>
            <constructor-arg index="1">
                <value> </value>
            </constructor-arg>
            <property name="groupRoleAttribute" value="cn"/>
            <property name="groupSearchFilter"><value>member={0}</value></property>
            <property name="rolePrefix"><value>ROLE_</value></property>
            <property name="convertToUpperCase"><value>true</value></property>
            <property name="searchSubtree">
                <value>true</value>
            </property>
        </bean>
        but it doesn't work. I get the following error:

        Code:
        Your login attempt was not successful, try again.

        Reason: LdapCallback; : [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: ',DC=example,DC=tr,DC=co,DC=uk']; nested exception is javax.naming.InvalidNameException: : [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: ',DC=example,DC=tr,DC=co,DC=uk']; remaining name ' '; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback; : [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: ',DC=example,DC=tr,DC=co,DC=uk']; nested exception is javax.naming.InvalidNameException: : [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: ',DC=example,DC=tr,DC=co,DC=uk']; remaining name ' '
        Can anyone tell me why this is? I will be a very happy bunny if I can get this working.

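The mapping this thread circles around, as an added example that is not code from the thread, from Acegi or from Spring Security: a small Python model of what DefaultLdapAuthoritiesPopulator does with the settings quoted in post #4 (groupRoleAttribute cn, rolePrefix ROLE_, convertToUpperCase true) when applied to memberOf values shaped like the one in post #1, together with a check on the search-base value that produced the BAD_NAME error. The sample DNs are constructed, the function names are my own, and the example assumes that a group's cn attribute equals the CN in its DN, which is how AD names groups.

```python
"""Added example, not code from this thread or from Acegi: it mirrors the
DefaultLdapAuthoritiesPopulator settings quoted in posts #1 and #4 to show
how a group's DN becomes a ROLE_ authority, why the config attribute
"ROLE_All_Speke_Users" from post #1 never matches a derived authority, and
why the search base "<value> </value>" in post #4 is rejected as a bad DN."""
from typing import List, Tuple

# Constructed sample: memberOf values of the form quoted in post #1, plus a
# group whose cn contains an escaped comma to exercise the DN parser.
CONSTRUCTED_MEMBER_OF = [
    "CN=*All Speke Users,OU=Distribution Groups,DC=retail2u,DC=trcg,DC=co,DC=uk",
    "CN=Retail\\, IT Support,OU=Distribution Groups,DC=retail2u,DC=trcg,DC=co,DC=uk",
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, leftmost first.
    A backslash-escaped character (e.g. '\\,') stays inside the value.
    Simplified: multi-valued RDNs ('cn=a+sn=b') and hex escapes are not handled."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def to_authority(group_dn: str, group_role_attribute: str = "cn",
                 role_prefix: str = "ROLE_", convert_to_upper_case: bool = True) -> str:
    """Turn one group DN into an authority the way the post #4 populator
    settings would: take the group's naming attribute (cn, the leading RDN of
    an AD group DN), prepend rolePrefix, upper-case the result.
    Assumption: the group entry's cn equals the CN in its DN (true for AD)."""
    for attr, value in parse_dn(group_dn):
        if attr == group_role_attribute.lower():
            role = role_prefix + value
            return role.upper() if convert_to_upper_case else role
    raise ValueError(f"no {group_role_attribute!r} RDN in {group_dn!r}")


def granted_authorities(member_of: List[str], **populator_opts) -> List[str]:
    """One authority per group: every group the populator's search matches
    contributes its own authority, so a user can hold several at once."""
    return [to_authority(dn, **populator_opts) for dn in member_of]


def role_voter_allows(granted: List[str], required: List[str]) -> bool:
    """RoleVoter-style decision: access is granted when a required ROLE_
    config attribute is exactly equal (string comparison) to a granted one."""
    return any(attr in granted for attr in required if attr.startswith("ROLE_"))


def check_search_base(base: str) -> str:
    """Classify a populator search base. '' means 'search from the root'
    (Luke's advice in post #4); ' ' is not empty and goes to the server as
    a DN, which AD rejects with error 34 BAD_NAME, remaining name ' '."""
    if base == "":
        return "root"
    if base.strip() == "":
        return "whitespace-only"
    for attr, value in parse_dn(base):
        if not attr or not value:
            return "malformed"
    return "ok"


if __name__ == "__main__":
    granted = granted_authorities(CONSTRUCTED_MEMBER_OF)
    print("granted:", granted)
    print("ROLE_All_Speke_Users allows:", role_voter_allows(granted, ["ROLE_All_Speke_Users"]))
    print("ROLE_*ALL SPEKE USERS allows:", role_voter_allows(granted, ["ROLE_*ALL SPEKE USERS"]))
    for base in ["", " ", "OU=IT,OU=SJMB,OU=Retail Users"]:
        print(repr(base), "->", check_search_base(base))
```

Two things fall out of running it: the authority derived from the group in post #1 is the upper-cased cn with the prefix, so the attribute `ROLE_All_Speke_Users` in the object definition source can never equal it and the voter denies access with an empty "Granted Authorities" list; and a search base of a single space is classified as whitespace-only rather than as the empty string Luke recommended, which is exactly the "remaining name ' '" the server complains about in post #4.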


        • #5
          Can anyone offer some input on this, please?



          • #6
            For an answer, look here:

            http://forum.springframework.org/showthread.php?t=41130
