  • Active Directory Auth. using j_username and j_password as managerDN and managerPasswo

    I am new to Java, Spring and Acegi and have been using the tutorial to get a simple web app up and running. Active Directory does not allow anonymous authentication, so I must enter a valid managerDN and managerPassword in my context.xml file for DefaultInitialDirContextFactory to bind to LDAP.

    We require our passwords to change every 60 days so if I hard-coded a manager password in it would eventually fail. I want to use j_username and j_password from my login form when I bind to ldap. But as soon as you start the web app it runs the DefaultInitialDirContextFactory. At that time it needs a valid managerDN and managerPassword to work. Well, I don't have the j_username or j_password values yet.

    Is there a way to change the flow so that I don't need to bind to ldap until I can capture the j_username and j_password? How would I go about doing this?

    Thanks for any help!

  • #2
    Can you explain what you mean by "runs the DefaultInitialDirContextFactory"?

    If you look at the constructor for this class

    http://acegisecurity.org/multiprojec...ctory.html#119

    you'll see that it doesn't attempt to bind when the bean is created, so you'll need to provide more information on where it fails.



    • #3
      Thanks for responding. Sorry for being unclear.
      If I have valid data in my context.xml for managerDN and managerPassword my stdout log file starts with these two lines:
      [INFO,DefaultInitialDirContextFactory,ContainerBackgroundProcessor[StandardEngine[Catalina]]] URL 'ldap://earth.ad.ilstu.edu/DC=ad,DC=ilstu,DC=edu', root DN is 'DC=ad,DC=ilstu,DC=edu'
      [INFO,DefaultInitialDirContextFactory,ContainerBackgroundProcessor[StandardEngine[Catalina]]] URL 'ldap://earth.ad.ilstu.edu/DC=ad,DC=ilstu,DC=edu', root DN is 'DC=ad,DC=ilstu,DC=edu'
      [INFO,FilterBasedLdapUserSearch,ContainerBackgroundProcessor[StandardEngine[Catalina]]] SearchBase not set. Searches will be performed from the root: DC=ad,DC=ilstu,DC=edu
      [INFO,FilterBasedLdapUserSearch,ContainerBackgroundProcessor[StandardEngine[Catalina]]] SearchBase not set. Searches will be performed from the root: DC=ad,DC=ilstu,DC=edu
      [INFO,DefaultLdapAuthoritiesPopulator,ContainerBackgroundProcessor[StandardEngine[Catalina]]] groupSearchBase is empty. Searches will be performed from the root: DC=ad,DC=ilstu,DC=edu
      [INFO,DefaultLdapAuthoritiesPopulator,ContainerBackgroundProcessor[StandardEngine[Catalina]]] groupSearchBase is empty. Searches will be performed from the root: DC=ad,DC=ilstu,DC=edu

      If the managerDN and managerPassword are not in the context.xml file the log file does not start with DefaultInitialDirContextFactory.

      But all I was trying to say is that it looks like it is setting an instance of InitialDirContextFactory for me as soon as my web app starts and I want to be able to use j_username and j_password (which don't exist at startup) as my managerDN and managerPassword in DefaultInitialContextFactory.

      How/where can I add j_username as the managerDN and j_password as the managerPassword after the user has logged on to the page, so that I can use their name and password to bind to LDAP? Can I do that in the XML or in a class that I have to extend, and if so, what class? I have to "force" the InitialDirContextFactory to use these values if at startup they are left blank by not including them in the context.xml file.

      Thanks.



      • #4
        I want to be able to use j_username and j_password (which don't exist at startup) as my managerDN and managerPassword in DefaultInitialContextFactory
        This doesn't really make sense since these will be different for each user and by definition there is only one manager user. If you are using bind authentication then the initial bind will take place using the username and password, but any additional search for roles will use the manager identity as this uses a separate strategy. So if you need this, then you can't do it this way.

        You would probably be better to expose the configuration for the manager user in your app, using a properties file (PropertyPlaceholderConfig...) or JMX or you could just create a separate user with reduced privileges who has rights to read the roles. You don't get the benefits of connection pooling if you are only using individual user names.

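        The configuration #4 is describing, written out as an added example (not the original poster's context.xml and not code from the Acegi project): bind authentication with the user's own j_username/j_password, a single read-only "manager" account for the role search, and that account's DN and password pulled from a properties file via PropertyPlaceholderConfigurer so a password rotation is a file edit rather than a rebuild of the WAR. The properties file path, the service account DN, the OU=People / OU=Groups search bases and the sAMAccountName filter are assumptions chosen for illustration; the LDAP URL is the one from the log lines in #3. Note the bean property on DefaultInitialDirContextFactory is spelled managerDn.

        ```xml
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
            "http://www.springframework.org/dtd/spring-beans.dtd">
        <beans>

          <!-- Resolves the ${ldap.*} placeholders below from a properties file kept
               outside the WAR. Hypothetical path and contents:
                 /etc/myapp/ldap.properties
                   ldap.url=ldap://earth.ad.ilstu.edu/DC=ad,DC=ilstu,DC=edu
                   ldap.managerDn=CN=svc-acegi-ro,OU=Service Accounts,DC=ad,DC=ilstu,DC=edu
                   ldap.managerPassword=CHANGE_ME
               Rotating the read-only account's password means editing that file,
               not the packaged context XML. -->
          <bean id="propertyConfigurer"
                class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
            <property name="location" value="file:/etc/myapp/ldap.properties"/>
          </bean>

          <!-- The one "manager" identity. It is used only for directory searches
               (user lookup and role lookup); interactive users never bind as it. -->
          <bean id="initialDirContextFactory"
                class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
            <constructor-arg value="${ldap.url}"/>
            <property name="managerDn" value="${ldap.managerDn}"/>
            <property name="managerPassword" value="${ldap.managerPassword}"/>
          </bean>

          <!-- Finds the user's DN from the form login name. Search base is relative
               to the root DN of the URL; sAMAccountName is the AD login attribute. -->
          <bean id="userSearch"
                class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0" value="OU=People"/>
            <constructor-arg index="1" value="(sAMAccountName={0})"/>
            <constructor-arg index="2" ref="initialDirContextFactory"/>
          </bean>

          <!-- Bind authentication: j_username / j_password from the login form are
               used for the user's own bind, which is what verifies the password. -->
          <bean id="bindAuthenticator"
                class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="initialDirContextFactory"/>
            <property name="userSearch" ref="userSearch"/>
          </bean>

          <!-- Role lookup runs under the manager identity, not the end user's,
               which is why a per-user "manager" password cannot work. -->
          <bean id="authoritiesPopulator"
                class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0" ref="initialDirContextFactory"/>
            <constructor-arg index="1" value="OU=Groups"/>
            <property name="groupSearchFilter" value="(member={0})"/>
            <property name="groupRoleAttribute" value="cn"/>
          </bean>

          <bean id="ldapAuthProvider"
                class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg ref="bindAuthenticator"/>
            <constructor-arg ref="authoritiesPopulator"/>
          </bean>

        </beans>
        ```

        The properties file should be readable only by the account Tomcat runs as, and the service account itself needs nothing beyond read access to the user and group OUs, which is the "separate user with reduced privileges" #4 suggests. Setting explicit search bases also removes the "SearchBase not set" and "groupSearchBase is empty" warnings seen in #3, so searches no longer run from the domain root.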


        • #5
          Thank you for responding. With your response we were able to convince the AD admins to give us a user with read only rights and no password expiration to use in acegi. Thanks!
