Authentication Active Directory
This topic is closed
  • Authentication Active Directory

    Hi,
    I have a problem when trying to authenticate a user in Pentaho against Active Directory.
    The users must be authenticated against their own domain by following its referral.

    PREVIOUS NOTES

    - The property java.naming.referral = follow

    - The jar used in Pentaho is acegi-security-1.0.6.jar

    - The error "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]"
    means that the user doesn't exist.

    - The user exists and the LDAP queries work fine in LdapBrowser, a Windows tool.

    - The same query does not work in Apache Directory Studio because, I think, it is not able to search in depth across the domain trees.
    The query log shows this for each domain:

    ldapsearch -H ldap://myMSAD:389 -x -D "msadReader" -W -b "DC=val,DC=myent,DC=com" -s base ....

    I have conducted many tests, but none has worked. I describe them below.

    1. I try to use the FilterBasedLdapUserSearch with or without the searchBase

    Code:
    <bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg>
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="userSearch">
            <ref local="userSearch" />
        </property>
    </bean>
    Code:
    <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="DC=myent,DC=com" />
        <constructor-arg index="1" value="(sAMAccountName={0})" />
        <constructor-arg index="2">
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="searchSubtree">
              <value>true</value>
        </property>
    </bean>
    Log trace is:

    [org.acegisecurity.ldap.DefaultInitialDirContextFactory] Creating InitialDirContext with environment
    {java.naming.provider.url=ldap://myMSAD:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
    java.naming.security.principal=ldap://cur.myent.es:389/CN=testUser,OU=Vadis%20Duria,OU=myent,DC=cur,DC=myent,DC=com,DC=myent,DC=com,
    java.naming.security.authentication=simple, java.naming.security.credentials=******, java.naming.referral=follow}
    [org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
    ldap://cur.myent.es:389/CN=testUser,OU=Vadis%20Duria,OU=myent-ar,DC=cur,DC=myent,DC=com,DC=myent,DC=com:
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]


    You can see it writes 'DC=myent,DC=com' twice in the bind URL.
    If I remove the search base (<constructor-arg index="0" value="/" /> or <constructor-arg index="0" value="" />) it doesn't work either.


    2. Following the wiki (http://wiki.pentaho.com/display/Serv...tive+Directory) I try it with userDnPatterns, but it fails


    Code:
    <bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg>
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="userDnPatterns">
            <list>
                <value>sAMAccountName={0},OU=Vadis Duria,OU=myent-ar,DC=cur,DC=myent,DC=com</value>
            </list>
        </property>
    </bean>
    [org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
    sAMAccountName=testUser,OU=Vadis Duria,OU=myent-ar,DC=cur,DC=myent,DC=com:
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

    3. I try again with Kerberos notation and Windows domain notation. It fails!!

    Code:
    <bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg>
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="userDnPatterns">
            <list>
                <value>CUR\{0}</value>
            </list>
        </property>
    </bean>
    [org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationFailureServiceExceptionEvent:
    testUser; details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 172.30.12.72; SessionId: E19022EBFA2E30C843F837939880B433;
    exception: LdapCallback;CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0, vece ];
    nested exception is javax.naming.InvalidNameException: CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment:
    Error processing name, data 0, vece ]; remaining name 'CUR\testUser'; nested exception is org.acegisecurity.ldap.LdapDataAccessException:
    LdapCallback;CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0, vece ];
    nested exception is javax.naming.InvalidNameException: CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment:
    Error processing name, data 0, vece ]; remaining name 'CUR\testUser'

    Code:
    <bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg>
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="userDnPatterns">
            <list>
                <value>{0}@cur.myent.es</value>
            </list>
        </property>
    </bean>
    [org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationFailureServiceExceptionEvent:
    testUser; details: org.acegisecurity.ui.WebAuthenticationDetails@0: RemoteIpAddress: 172.30.12.72; SessionId: 991D786A3546847D61A3306A10C8887A;
    exception: LdapCallback;testUser@cur.myent.es: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA,
    problem 2006 (BAD_NAME), data 8350, best match of: 'testUser@cur.myent.es']; nested exception is javax.naming.InvalidNameException:
    testUser@cur.myent.es: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
    'testUser@cur.myent.es']; remaining name 'testUser@cur.myent.es'; nested exception is org.acegisecurity.ldap.LdapDataAccessException:
    LdapCallback;testUser@cur.myent.es: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350,
    best match of: 'testUser@cur.myent.es']; nested exception is javax.naming.InvalidNameException: testUser@cur.myent.es:
    [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: 'testUser@cur.myent.es'];
    remaining name 'testUser@cur.myent.es'


    I change the initial context to append the search base to the URL.

    Code:
    <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg index="0" value="ldap://myMSAD:389/DC=myent,DC=com" />
        <property name="managerDn" value="msadReader" />
        <property name="managerPassword" value="*********" />
        <property name="extraEnvVars">
            <map>
                <entry key="java.naming.referral" value="follow"/>
            </map>
        </property>
    </bean>
    Code:
    <bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg>
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="userDnPatterns">
            <list>
                <value>{0}@cur.myent.es</value>
                <value>CUR\{0}</value>
            </list>
        </property>
    </bean>
    2009-09-29 10:45:16,535 DEBUG [org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
    testUser@cur.myent.es,DC=myent,DC=com: javax.naming.AuthenticationException:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
    2009-09-29 10:45:16,535 DEBUG [org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
    CUR\testUser,DC=myent,DC=com: javax.naming.AuthenticationException:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

    Can you help me?

    Thanks
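
Editor's note, with an added diagnostic script that is not code from the post, from Pentaho or from Acegi. The failures quoted above fall into two groups, and the bind names in the logs explain both. Result 49 with `data 525` is the AD subcode for "no such user", and every name that produced it is one AD parsed as a DN but could not resolve: the referral URL with `,DC=myent,DC=com` appended after the DN, a DN whose RDN is `sAMAccountName=...` (AD user objects have a `CN=` RDN, so that DN can never exist), and the UPN and NT-style names once the base DN from the provider URL was appended to them. Result 34 (`invalidDNSyntax`) hit the bare `CUR\testUser` and `testUser@cur.myent.es` forms, which AD itself accepts for a simple bind but which the `javax.naming.InvalidNameException ... remaining name` in the log shows being parsed as DNs on the Java side. The script parses these error strings into Microsoft's documented subcodes, rebuilds the bind names the way the logs show them being built (substitute `{0}`, then append `,` plus the base), classifies what kind of name AD would see, and splits a JNDI referral-style name into host and DN so a bind can be pointed at the referred domain directly. The sample messages, the `DC=myent,DC=com` base and the `testUser` account are copied from the post; nothing here talks to a directory.

```python
"""Offline diagnostics for the AD simple-bind failures quoted in the post.

Added example; not part of the original thread, Pentaho or Acegi. Error strings
are copied from the post's logs; the name-building mimics what those logs show
(pattern substitution, then ',' + base appended); the subcode table is the
documented set of AD AcceptSecurityContext 'data' values.
"""
import re
from urllib.parse import unquote, urlparse

# AD appends one of these hex subcodes to LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found: the bind name did not resolve to an account",
    "52e": "invalid credentials: account exists, password wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches both message shapes in the post: 'LdapErr: ..., comment: ..., data N'
# and 'NameErr: ..., problem 2006 (BAD_NAME), data N'.
_LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}):"
    r".*?\bdata (?P<data>[0-9A-Fa-f]+)"
)
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def parse_ad_bind_error(message):
    """Extract result code and AD 'data' subcode; None if not an AD LDAP error."""
    m = _LDAP_ERR_RE.search(message)
    if not m:
        return None
    code, data = int(m.group("code")), m.group("data").lower()
    if code == 49:
        meaning = AD_BIND_SUBCODES.get(data, "unknown AcceptSecurityContext subcode")
    elif code == 34:
        meaning = "invalidDNSyntax: the name was parsed as a DN and is not one"
    else:
        meaning = "result %d not mapped here" % code
    return {"code": code, "data": data, "meaning": meaning}


def bind_name_from_pattern(pattern, username, root_dn=""):
    """What the post's logs show for userDnPatterns: substitute {0}, then
    append ',' + the base DN carried in the provider URL (if any)."""
    name = pattern.replace("{0}", username)
    return name + "," + root_dn if root_dn else name


def classify_bind_name(name):
    """How AD's simple bind would see the name: 'dn', 'upn' (user@realm),
    'nt' (DOMAIN\\user), 'url' (a JNDI referral result, not a name) or 'invalid'."""
    if name.lower().startswith(("ldap://", "ldaps://")):
        return "url"
    if "=" in name:
        parts = [p.strip() for p in name.split(",")]
        return "dn" if all(_RDN_RE.match(p) for p in parts) else "invalid"
    if "@" in name:
        return "upn" if "," not in name else "invalid"
    if "\\" in name:
        return "nt" if "," not in name else "invalid"
    return "invalid"


def dn_from_referral_url(name, appended_base=""):
    """Split a JNDI referral-style name 'ldap://host:port/DN' into (host, port, dn),
    first stripping a search base that was wrongly appended after the DN."""
    if appended_base and name.endswith("," + appended_base):
        name = name[: -(len(appended_base) + 1)]
    parsed = urlparse(name)
    return parsed.hostname, parsed.port or 389, unquote(parsed.path.lstrip("/"))


# Error strings and names copied from the post's logs (constructed sample input).
ERR_49_525 = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
              "comment: AcceptSecurityContext error, data 525, vece ]")
ERR_34_NAME = ("[LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, "
               "comment: Error processing name, data 0, vece ]")
ERR_34_UPN = ("[LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 "
              "(BAD_NAME), data 8350, best match of: 'testUser@cur.myent.es']")
REFERRAL_NAME = ("ldap://cur.myent.es:389/CN=testUser,OU=Vadis%20Duria,OU=myent,"
                 "DC=cur,DC=myent,DC=com,DC=myent,DC=com")
BASE = "DC=myent,DC=com"
SAM_PATTERN = "sAMAccountName={0},OU=Vadis Duria,OU=myent-ar,DC=cur,DC=myent,DC=com"
SAMPLE_FAILURES = [
    (REFERRAL_NAME, ERR_49_525),
    (bind_name_from_pattern(SAM_PATTERN, "testUser"), ERR_49_525),
    (bind_name_from_pattern("CUR\\{0}", "testUser"), ERR_34_NAME),
    (bind_name_from_pattern("{0}@cur.myent.es", "testUser"), ERR_34_UPN),
    (bind_name_from_pattern("{0}@cur.myent.es", "testUser", BASE), ERR_49_525),
    (bind_name_from_pattern("CUR\\{0}", "testUser", BASE), ERR_49_525),
]


def diagnose(bind_name, message):
    """Pair the name AD was asked to bind as with the decoded error."""
    return {"name": bind_name, "kind": classify_bind_name(bind_name),
            "error": parse_ad_bind_error(message)}


if __name__ == "__main__":
    for bind_name, message in SAMPLE_FAILURES:
        d = diagnose(bind_name, message)
        print("%-8s %s\n         -> %s" % (d["kind"], d["name"], d["error"]["meaning"]))
    host, port, dn = dn_from_referral_url(REFERRAL_NAME, BASE)
    print("bind directly against %s:%d as %s" % (host, port, dn))
```

Run it as-is to see the six failures from the post classified side by side; the last line shows the referral host and the clean DN recovered from the first log's bind URL, which is the pair a bind against the `cur` domain controller would actually need. The `52e` row in the table is the subcode to look for once the name resolves, since a wrong password and a non-existent user both surface as result 49 and only the `data` value tells them apart.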