
  • LDAP - url with space problem

    Hi,

    I am using Spring Security 3.0.5.

    When I provide
    <ldap-server url="ldap://xyz.com:389/ou=Users,ou=Staff,ou=Some Company,dc=xyz,dc=com" />

    I get
    IllegalArgumentException("Root DNs must be the same when using multiple URLs")

    The problem is that there is a space in "...ou=Some Company...". Unfortunately, that is how my URL looks. Any idea how I can escape the space? I've tried "\" and "%20". Didn't work.

    Thank you.
    Regards,
    Maciej Radochonski

  • #2
    I'm seeing the same problem. Changing the DN in any way is not an option unfortunately.



    • #3
      LDAP URLs have to be encoded.

      Please don't just say "Didn't work". Explain how it didn't work and provide the log output and stack trace.



      • #4
        Apologies. Here are my security beans:

        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <beans:beans xmlns="http://www.springframework.org/schema/security"
               xmlns:beans="http://www.springframework.org/schema/beans"
               xmlns:context="http://www.springframework.org/schema/context"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                   http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
                                   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
                                   ">
        
            <http>
                <intercept-url pattern="/**" requires-channel="https"/>
                <x509 subject-principal-regex="(.*)"/>
            </http>
            
            <ldap-server id="localLdap" manager-dn="uid=admin,ou=system" manager-password="*******"
                         url="ldap://localhost:10389/o=U.S. Government,c=US"/>
        
            <authentication-manager>
                <authentication-provider>
                    <ldap-user-service id="userService" server-ref="localLdap" user-search-filter="(uid={0})"/>
                </authentication-provider>
            </authentication-manager>
            
        </beans:beans>
        A snippet of the error and stack trace:

        Code:
        2011-03-25 13:13:45,897 703  [Scanner-0] ERROR org.springframework.web.context.ContextLoader  - Context initialization failed
        org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.config.authentication.AuthenticationManagerFactoryBean] while setting bean property 'parent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authenticationManager': Cannot resolve reference to bean 'org.springframework.security.authentication.dao.DaoAuthenticationProvider#0' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.dao.DaoAuthenticationProvider#0': Cannot resolve reference to bean 'userService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userService': Cannot create inner bean '(inner bean)' of type [org.springframework.security.ldap.search.FilterBasedLdapUserSearch] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#1': Cannot resolve reference to bean 'localLdap' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'localLdap': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.security.ldap.DefaultSpringSecurityContextSource]: Constructor threw exception; nested exception is 
        java.lang.IllegalArgumentException: Root DNs must be the same when using multiple URLs
        	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
        	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:125)
        	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
        	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
        	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
        	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
        	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
        	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
        	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
        	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
        	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580)
        	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
        	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
        	at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
        	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
        	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
        Thanks!



        • #5
          I should also add that when I encode the URL thusly:

          Code:
              <ldap-server id="localLdap" manager-dn="uid=admin,ou=system" manager-password="secret"
                           url="ldap://localhost:10389/o=U.S.%20Government,c=US"/>
          the web app loads successfully, but upon receiving a mutually authenticated SSL request, the LDAP server reports

          Code:
          ERR_268 Cannot find a partition for o=U.S.%20Government,c=US]; remaining name ''
          I'm using a locally deployed Apache DS 1.5.7.



          • #6
            Try writing a test with some basic JNDI LDAP code (without Spring Security or Spring LDAP in the mix). Something like:

            Code:
                import java.util.Hashtable;
                import javax.naming.Context;
                import javax.naming.NamingException;
                import javax.naming.ldap.InitialLdapContext;

                // Bind straight through JNDI with the same URL, DN and password the Spring config uses
                static void bindWithJndi(String theServerUrl, String userDistinguishedName, String thePassword)
                        throws NamingException {
                    Hashtable<String,String> env = new Hashtable<String,String>();
                    env.put(Context.SECURITY_AUTHENTICATION, "simple");
                    env.put(Context.SECURITY_PRINCIPAL, userDistinguishedName);
                    env.put(Context.PROVIDER_URL, theServerUrl);
                    env.put(Context.SECURITY_CREDENTIALS, thePassword);
                    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

                    new InitialLdapContext(env, null); // throws NamingException if the bind fails
                }



            • #7
              Thanks again. I was able to connect successfully using your suggested JNDI code. To be exact, here's the code:

              Code:
              import java.util.Hashtable;
              import javax.naming.Context;
              import javax.naming.NamingException;
              import javax.naming.ldap.InitialLdapContext;
              import org.apache.log4j.Logger;
              import org.junit.Test;

              public class LdapTest {

                  final Logger log = Logger.getLogger(this.getClass());

                  @Test
                  public void testLdapConnection() {
                      // Same URL, bind DN and password as the <ldap-server> bean
                      Hashtable<String,String> env = new Hashtable<String,String>();
                      env.put(Context.SECURITY_AUTHENTICATION, "simple");
                      env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
                      env.put(Context.PROVIDER_URL, "ldap://localhost:10389/o=U.S.%20Government,c=US");
                      env.put(Context.SECURITY_CREDENTIALS, "******");
                      env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

                      try {
                          InitialLdapContext ctx = new InitialLdapContext(env, null);
                          log.info("Obtained InitialLdapContext.");
                          // JNDI reports the decoded DN, i.e. with the %20 turned back into a space
                          log.info("ctx.getNameInNamespace() = " + ctx.getNameInNamespace());
                          log.info("Root Attributes = " + ctx.getAttributes(""));
                          ctx.close();
                      } catch (NamingException e) {
                          log.error(e);
                      }
                  }

              }
              And here's the output:

              Code:
              2011-03-25 18:09:05,523 0    [main] INFO  LdapTest  - Obtained InitialLdapContext.
              2011-03-25 18:09:05,526 3    [main] INFO  LdapTest  - ctx.getNameInNamespace() = o=U.S. Government,c=US
              2011-03-25 18:09:05,530 7    [main] INFO  LdapTest  - Root Attributes = {description=description: My LDAP root, objectclass=objectClass: organization, top, o=o: U.S. Government}

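The two behaviours this thread keeps running into are (a) a bare space in the `url` attribute being read as the separator between two server URLs, which is where "Root DNs must be the same when using multiple URLs" comes from, and (b) a percent-encoded DN that has to be decoded before it is used as a search base, which is why ApacheDS in #5 sees the literal `o=U.S.%20Government` while the JNDI test in #7 reports `o=U.S. Government,c=US`. The following Python script is an added example, not code from the thread or from Spring Security; it models the space-separated multi-URL rule and the RFC 4516 DN component generically. Treating a scheme-less fragment as a bare DN rather than rejecting it is an assumption of the example, and all sample values are constructed.

```python
"""Model of how a space-separated <ldap-server url="..."> value is split into
server URLs and how the root DN of each URL should be recovered (RFC 4516),
so the two failure modes from the thread can be reproduced offline."""
from __future__ import annotations

from urllib.parse import quote, unquote, urlsplit

# Message raised when the URLs in one attribute do not agree on a root DN.
ROOT_DN_MISMATCH = "Root DNs must be the same when using multiple URLs"


def split_server_urls(attr: str) -> list[str]:
    """Whitespace separates alternative (failover) server URLs, so a raw space
    inside the DN turns one URL into two fragments."""
    return attr.split()


def root_dn_of(url: str) -> str:
    """Return the percent-decoded DN component of one LDAP URL.

    RFC 4516 layout: ldap[s]://host[:port]/dn[?attrs[?scope[?filter[?exts]]]]
    Assumption of this example: a fragment with no ldap/ldaps scheme is taken
    as a bare DN instead of being rejected outright.
    """
    if not url.startswith(("ldap://", "ldaps://")):
        return unquote(url)
    path = urlsplit(url).path          # everything between host:port and '?'
    return unquote(path.lstrip("/"))   # "o=U.S.%20Government" -> "o=U.S. Government"


def resolve_base_dn(attr: str) -> str:
    """Parse the whole attribute value; every URL must share one root DN."""
    urls = split_server_urls(attr)
    if not urls:
        raise ValueError("ldap-server url is empty")
    dns = {root_dn_of(u) for u in urls}
    if len(dns) != 1:
        raise ValueError(ROOT_DN_MISMATCH)
    return dns.pop()


def check_server_url(attr: str) -> tuple[bool, str]:
    """Non-raising form for a startup check: (True, base_dn) or (False, error)."""
    try:
        return True, resolve_base_dn(attr)
    except ValueError as exc:
        return False, str(exc)


def ldap_url(host: str, port: int, base_dn: str, scheme: str = "ldap") -> str:
    """Build one RFC 4516 URL, percent-encoding the DN so spaces and other
    reserved characters survive both whitespace splitting and URL parsing.
    '=' ',' '+' ';' are left alone because they are legal URL sub-delimiters."""
    return f"{scheme}://{host}:{port}/{quote(base_dn, safe='=,+;')}"


if __name__ == "__main__":
    # Constructed sample values echoing the thread; no directory is contacted.
    for attr in (
        "ldap://localhost:10389/o=U.S. Government,c=US",      # raw space: splits
        "ldap://localhost:10389/o=U.S.%20Government,c=US",    # encoded: decodes
        ldap_url("localhost", 10389, "o=U.S. Government,c=US"),
        "ldap://ldap1:389/dc=xyz,dc=com ldap://ldap2:389/dc=xyz,dc=com",
    ):
        print(f"{attr!r:70} -> {check_server_url(attr)}")
```

Run it and the first line reproduces the exception text from the thread, the second and third resolve to the decoded base DN `o=U.S. Government,c=US`, and the last shows the legitimate multi-URL case. The practical takeaway is that the value written into the `url` attribute must be percent-encoded, and whatever consumes it must decode the DN before handing it to the directory; a search base that still contains `%20` (as in the ApacheDS error in #5) is the symptom of the second step being skipped.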


              • #8
                I've added some existing tests which use spaces in the URL without any problems, so we'll need some additional details as to what is going wrong. What does the error you report have to do with Spring Security, for example? Where does "mutually authenticated SSL" come into it? You aren't using an ldaps URL...



                • #9
                  Sorry, I didn't give the full context. This configuration is for a Jetty web app which enforces mutual authentication. I'm simply trying to extract DNs from certificates and authenticate them against an LDAP.

                  It's still not working, but I think my problem is ultimately on the Spring LDAP side, not Spring Security. But thanks for your help nonetheless.



                  • #10
                    Hi, I got exactly the same problem. Any updates on this? Thanks a lot.



                    • #11
                      Originally posted by maeve08:
                      Hi, I got exactly the same problem. Any updates on this? Thanks a lot.
                      What do you mean by "the same problem"? If you are using an up-to-date version, then there shouldn't be any problem with using spaces in URLs provided you encode the URL correctly.



                      • #12
                        What I mean is, I got the same IllegalArgumentException("Root DNs must be the same when using multiple URLs").

                        My code is:
                        <constructor-arg value="ldap://TEST-CORP.company.biz:389/OU=Company Users,OU=US-Users,DC=Test-Corp,DC=company,DC=biz" />

                        I've tried accessing my BIND DN through an LDAP browser tool and I was able to connect successfully.

                        I've also tried replacing the space with %20, and an authentication failure occurs. I'm using version 3.0.3.

                        Thanks.



                        • #13
                          What do you mean by "authentication failure occurs"? What is the exception?

                          Make sure you are using the latest release (i.e. 3.0.5).



                          • #14
                            It's not really an exception. What I got is a login error.
                            Isn't there any problem migrating from 3.0.3 to 3.0.5? I have been developing the security framework since September last year, and our application is so huge that I have second thoughts about migrating it to the latest version. Thanks a lot.. =)



                            • #15
                              You shouldn't really be using 3.0.3 since it is vulnerable to this issue.

                              Without some more information on what your "login error" is (the exception and debug log) then there's not much anyone will be able to do to help.
