Spring Security 2.0.0 LDAP Authentication problems - "Bad Credentials"

  • #1

    I am having problems getting a SpringMVC application with a schema-based configuration of a "ldap-authentication-provider" to work. The credentials given in the login screen fail.
    I have manually verified the password with an md5 tool and it matches the object in the LDAP catalog (OpenLDAP).
    I am aiming for a password compare; the user should not BIND with the LDAP (unless I am wrong about the BIND concept). All queries to the LDAP catalog are anonymous.

    Additional question:
    1. Is it possible to limit the search to oneLevel? I cannot find any documentation on how to do this with the schema based configuration


    Here is my xml config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
     
        <security:http auto-config="false">
            <security:intercept-url pattern="/**" access="ROLE_KOEADMIN" />
            <security:form-login />
            <security:anonymous />
            <security:logout />
        </security:http>
        
        <security:ldap-server id="ok_ldap" url="ldap://ldap.mydomain.no:389/"/>
        <security:ldap-authentication-provider 
                server-ref="ok_ldap"
                group-search-filter="cn={0}" 
                group-search-base="(ou=Auth, dc=mydomain, dc=no)"
                user-search-filter="(employeeNumber={0})"
                user-search-base="ou=People, dc=mydomain, dc=no"
                >
            <security:password-compare hash="md5"/>
        </security:ldap-authentication-provider>
    </beans>
    This is the LDAP entry (anonymized):
    http://stashbox.org/106144/ldap_search.png

    This is the resulting log:
    Code:
    2008-04-22 19:19:13,110 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - <Request is to process authentication>
    2008-04-22 19:19:13,111 DEBUG [org.springframework.security.providers.ProviderManager] - <Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider>
    2008-04-22 19:19:13,112 DEBUG [org.springframework.security.ldap.search.FilterBasedLdapUserSearch] - <Searching for user '79927', with user search [ searchFilter: '(employeeNumber={0})', searchBase: 'ou=People, dc=mydomain, dc=no', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]>
    2008-04-22 19:19:13,114 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Principal: ''>
    2008-04-22 19:19:13,157 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Got Ldap context on server 'ldap://ldap.mydomain.no:389/'>
    2008-04-22 19:19:13,592 DEBUG [org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator] - <Performing LDAP compare of password attribute 'userPassword' for user 'uid=espen.tjonneland 79927@uke, ou=People, dc=mydomain, dc=no'>
    2008-04-22 19:19:13,596 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Principal: ''>
    2008-04-22 19:19:13,596 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Got Ldap context on server 'ldap://ldap.mydomain.no:389/'>
    2008-04-22 19:19:13,606 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - <Publishing event in context [[email protected]16be7ee]: org.springframework.security.event.authentication.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@faecefe: Principal: 79927; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 5E135069B0C2C3455D186723AE1E7DD6; Not granted any authorities]>
    2008-04-22 19:19:13,606 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - <Updated SecurityContextHolder to contain null Authentication>
    2008-04-22 19:19:13,606 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - <Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials>
    Any help on this is greatly appreciated.

    Regards, Espen.

  • #2
    For problems like this, you are best to debug via a unit test. The code that does the compare is here:

    http://static.springframework.org/sp...cator.html#103

    So if you break it down from there (and the corresponding code in the SpringSecurityTemplate), you should be able to get closer to the problem.

    The default scope when searching is subtree and there isn't an option for altering that in the namespace configuration. You can use traditional beans though.



    • #3
      I have followed your advice Luke and debugged the source.

      The error happens in:
      org.springframework.security.providers.ldap.authenticator.LdapShaPasswordEncoder

      I thought that my configuration would perform an md5 hashing of the user supplied password and compare it to the md5 hashed password in the LDAP. But this does not seem to happen; instead the code converts the user supplied password with SHA and then compares it with the password retrieved from the LDAP.
      Last edited by Espen Tjonneland; Apr 23rd, 2008, 06:33 AM.



      • #4
        Hmm. Ok. Sounds like a bug in the Ldap namespace.

        It looks like the [<password-compare>] element supports both a hash attribute and a [<password-encoder>] child element. I can't remember if this was intentional or if the attribute was intended to be replaced by the full child element, but it looks like only the latter is supported by the parser and the attribute is ignored. So in the meantime you can use the [<password-encoder>] syntax and that should hopefully work. I'll open an issue for it. Thanks for reporting (and debugging) it!
        Last edited by Luke Taylor; Apr 23rd, 2008, 07:33 AM.



        • #5
          Resolved

          I finally got it.
          Turns out I had it configured wrong.
          Correct config is

          Code:
          <security:ldap-authentication-provider 
                      server-ref="ok_ldap"
                      group-search-filter="cn={0}" 
                      group-search-base="(ou=Auth, dc=mydomain, dc=no)"
                      user-search-filter="(employeeNumber={0})"
                      user-search-base="ou=People, dc=mydomain, dc=no"
                      >
                   <security:password-compare hash="md5">
                      <security:password-encoder hash="md5"/>
                  </security:password-compare>
              </security:ldap-authentication-provider>



          • #6
            It should work both ways now

            http://jira.springframework.org/browse/SEC-793



            Code:
            <security:password-compare hash="md5"/>
            and

            Code:
            <security:password-compare>
                <security:password-encoder hash="md5"/>
            </security:password-compare>
            should be equivalent. If you use both, you'll get a warning and the "hash" attribute on the password-compare element will be ignored.

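What posts #3 and #6 describe, shown as an added example that is not part of this thread and not Spring Security's own code: OpenLDAP stores userPassword in the RFC 2307 "{SCHEME}base64(digest)" form, and a password-compare authenticator (see the "Performing LDAP compare of password attribute 'userPassword'" log line in the first post) sends the candidate password, encoded with whatever scheme its encoder uses, to the directory and asks whether that value equals the stored one. The directory never re-hashes anything, so if the encoder produces a {SHA} value while the entry holds an {MD5} value, the compare can never succeed and the caller reports "Bad credentials". The sample entry below is constructed, the server-side compare is modelled as plain byte equality, and all function and variable names are this example's own, not Spring's.

```python
import base64
import hashlib

# Digest functions for the unsalted schemes this example handles.
_DIGESTS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def encode_userpassword(password: str, scheme: str, salt: bytes = b"") -> str:
    """Build an RFC 2307 userPassword value for `password` under `scheme`.

    {MD5}/{SHA}: base64(digest(password)).
    {SSHA}:      base64(sha1(password + salt) + salt), salt appended in clear.
    """
    scheme = scheme.upper()
    if scheme in _DIGESTS:
        digest = _DIGESTS[scheme](password.encode("utf-8")).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme == "SSHA":
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported userPassword scheme: " + scheme)


# Constructed sample entry (not the poster's real data): the directory holds an
# MD5-scheme password, as in the thread.
SAMPLE_ENTRY = {
    "dn": "uid=sample.user,ou=People,dc=example,dc=invalid",
    "userPassword": encode_userpassword("hello world", "MD5"),
}


def ldap_compare(entry: dict, attribute: str, assertion_value: str) -> bool:
    """Hypothetical stand-in for the server side of an LDAP compare request (no
    network): the server answers compareTrue only when the asserted value equals
    a stored value byte for byte. It does not re-hash anything."""
    stored = entry.get(attribute)
    return stored is not None and stored.encode("utf-8") == assertion_value.encode("utf-8")


def password_compare_authenticate(entry: dict, candidate: str, encoder_scheme: str) -> bool:
    """Model of a password-compare authenticator: encode the candidate with the
    scheme the encoder is configured to use, then ask the directory to compare.
    No bind as the user takes place; the connection stays anonymous."""
    assertion = encode_userpassword(candidate, encoder_scheme)
    return ldap_compare(entry, "userPassword", assertion)


def verify_locally(stored: str, candidate: str) -> bool:
    """Scheme-aware check that reads the {SCHEME} prefix (and, for SSHA, the
    trailing salt) from the stored value, so the comparison uses whatever
    scheme the directory actually used rather than one fixed in advance."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value has no {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() == "SSHA":
        salt = raw[20:]                     # sha1 digest is 20 bytes; the rest is salt
        return encode_userpassword(candidate, "SSHA", salt).partition("}")[2] == b64
    return encode_userpassword(candidate, scheme).partition("}")[2] == b64


if __name__ == "__main__":
    pw = "hello world"
    # Encoder fixed to SHA while the entry is {MD5}: the compare fails every time,
    # which surfaces as a BadCredentialsException in the authenticator's caller.
    print("SHA encoder vs {MD5} entry:", password_compare_authenticate(SAMPLE_ENTRY, pw, "SHA"))
    # Encoder matching the stored scheme: the compare succeeds.
    print("MD5 encoder vs {MD5} entry:", password_compare_authenticate(SAMPLE_ENTRY, pw, "MD5"))
    print("scheme-aware local check:  ", verify_locally(SAMPLE_ENTRY["userPassword"], pw))
```

When a compare-based setup returns "Bad credentials" for a password you have verified by hand, the first thing to check is therefore that the scheme prefix the configured encoder produces matches the prefix on the stored userPassword attribute; the scheme-aware verify_locally above shows what a comparator has to do (including recovering the salt for {SSHA}) to work against whichever scheme the directory used.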


            • #7
              Hello guys,

              I am trying to configure Spring LDAP with Oracle Internet Directory. I am getting Exception Message : BAD CREDENTIALS

              In our application, I am trying to authenticate users with the Oracle Internet Directory LDAP server. If the user is valid then he will enter into our application.

              I am using Namespace based security configuration.

              To check whether the username and password are valid, I have written a simple Java client application which does a JNDI lookup, and it is authenticating successfully.

              Any suggestions, please.

              Thanks,
              Naresh
