LDAP problem

Help
megan
2007-08-10
2013-04-22
  • megan

    megan - 2007-08-10

    I made the changes in applicationContext-acegi-security-ldap.xml and am trying to connect to a Microsoft AD server containing NT account information.

    I am passing the NT username and NT password.
    Using uid instead of email:
    <constructor-arg index="1">
       <value>(uid={0})</value>
    </constructor-arg>

    But I get the following error.
    I am not able to figure out if it is because of
    1) incorrect values in "ManagerDn"
    or
    2) incorrect values in FilterBasedLdapUserSearch <constructor-arg index="0">

    I noticed that in JXplorer, for the given login, the attribute uid is empty; I have cn and sAMAccountName.
    So I tried changing uid={0} to cn={0} or sAMAccountName={0} and entered the corresponding values on the login screen, but I still get the same error.

    Any help is appreciated.

    2007-08-10 10:20:08,016 DEBUG [org.acegisecurity.providers.ldap.LdapAuthenticationProvider] Retrieving user XXXX
    2007-08-10 10:20:08,016 DEBUG [org.acegisecurity.ldap.DefaultInitialDirContextFactory] Creating InitialDirContext with environment {java.naming.provider.url=ldap://XXXX:389/dc=XXXX,dc=XX,dc=net, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=uid=XXX ,ou=XXXX,dc=XXXX,dc=XX,dc=net, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******}
    2007-08-10 10:20:08,086 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [Root WebApplicationContext]: org.acegisecurity.event.authentication.AuthenticationFailureBadCredentialsEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@490b5e18: Username: XXXX; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities]
    2007-08-10 10:20:08,086 WARN  [org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationFailureBadCredentialsEvent: XXXX; details: null; exception: Bad credentials; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525,
    2007-08-10 10:20:08,086 INFO  [STDOUT] org.acegisecurity.BadCredentialsException: Bad credentials; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525,
    2007-08-10 10:20:08,086 INFO  [STDOUT] javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:AcceptSecurityContext error, data 525
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at javax.naming.InitialContext.init(InitialContext.java:223)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at javax.naming.InitialContext.<init>(InitialContext.java:197)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:148)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:224)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:204)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:109)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:66)
    2007-08-10 10:20:08,096 INFO  [STDOUT]     at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:198)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:115)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:183)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at com.sts.webmeet.server.util.Authenticator.authenticateImpl(Unknown Source)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at com.sts.webmeet.server.util.Authenticator.authenticate(Unknown Source)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at com.sts.webmeet.web.LogonAction.execute(Unknown Source)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at com.sts.webmeet.server.filters.HostPrependingFilter.doFilter(Unknown Source)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    2007-08-10 10:20:08,106 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:72)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:275)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    2007-08-10 10:20:08,116 INFO  [STDOUT]     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    2007-08-10 10:20:08,126 INFO  [STDOUT]     at java.lang.Thread.run(Thread.java:595)
    2007-08-10 10:20:08,126 INFO  [org.jboss.web.localhost.Engine] StandardContext[]error authenticating XXXX
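
    An added diagnostic helper, not from this thread or the WebHuddle project, that parses log lines of the shape shown above: it extracts the AD "data" sub-code from the error-49 diagnostic, reads the stack frames to tell whether the failing bind is the manager bind opened for the user search or the user's own bind, and sanity-checks the bind DN. The sample lines are constructed, and the sub-code meanings are Microsoft's documented Active Directory values.

    ```python
    """Classify Active Directory bind failures in Acegi/JNDI application logs."""
    import re

    # AD appends a "data" sub-code to LDAP result code 49 (invalidCredentials); JNDI
    # surfaces the whole diagnostic string inside javax.naming.AuthenticationException.
    _AD_BIND_ERR = re.compile(r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]{8}: LdapErr: "
                              r"DSID-[0-9A-Fa-f]+, comment:\s*(?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)")
    # Bind DN in the "Creating InitialDirContext with environment {...}" line; the DN ends
    # where the next dotted JNDI key (", java.naming...") or the closing brace begins.
    _PRINCIPAL = re.compile(r"java\.naming\.security\.principal=(?P<dn>.*?)(?=, \w+(?:\.\w+)+=|\})")
    # Common AD sub-codes for result code 49 (not an exhaustive list).
    AD_DATA_CODES = {"525": "user not found (bind DN does not resolve to an object)",
                     "52e": "invalid credentials (DN resolves, password wrong)",
                     "532": "password expired", "533": "account disabled",
                     "773": "user must reset password", "775": "account locked out"}

    def classify_ad_bind_failure(line):
        """Return the parsed AD diagnostic from one log line, or None if absent."""
        m = _AD_BIND_ERR.search(line)
        if m is None:
            return None
        data = m.group("data").lower()
        return {"result_code": int(m.group("code")), "data": data,
                "comment": m.group("comment").strip(), "meaning": AD_DATA_CODES.get(data, "unknown sub-code")}

    def bind_stage(lines):
        """'manager' if the failing connect sits under the user search (service account bind),
        'user' if it sits directly under BindAuthenticator (the user's own bind)."""
        frames = "\n".join(l for l in lines if l.lstrip().startswith("at "))
        if "DefaultInitialDirContextFactory.connect" not in frames:
            return "unknown"
        return "manager" if "FilterBasedLdapUserSearch.searchForUser" in frames else "user"

    def check_manager_dn(dn):
        """Heuristic sanity checks on a bind DN destined for Active Directory."""
        warnings = []
        if dn.split(",")[0].split("=")[0].strip().lower() == "uid":
            warnings.append("bind DN starts with uid=; AD object DNs use CN= RDNs and uid is "
                            "normally not populated, so this DN will not resolve")
        if re.search(r"\s,|,\s", dn):
            warnings.append("whitespace next to a comma in the DN; an unescaped leading or "
                            "trailing space in an RDN value is invalid under RFC 4514")
        return warnings

    def analyse_log(lines):
        """Run all three checks over a block of log lines and return one summary."""
        failure = next((f for f in map(classify_ad_bind_failure, lines) if f), None)
        principal = next((m.group("dn") for m in map(_PRINCIPAL.search, lines) if m), None)
        return {"stage": bind_stage(lines), "failure": failure, "principal": principal,
                "warnings": check_manager_dn(principal) if principal else []}

    # Constructed sample: shortened lines with the same shape as the log in the post above.
    SAMPLE_LOG = [
        "DEBUG Creating InitialDirContext with environment {java.naming.provider.url=ldap://XXXX:389/"
        "dc=XXXX,dc=XX,dc=net, java.naming.security.principal=uid=XXX ,ou=XXXX,dc=XXXX,dc=XX,dc=net, "
        "java.naming.security.authentication=simple, java.naming.security.credentials=******}",
        "WARN exception: Bad credentials; nested exception is javax.naming.AuthenticationException: "
        "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525,",
        "    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)",
        "    at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:148)",
        "    at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:109)",
        "    at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:66)",
    ]
    ```

    Running `analyse_log(SAMPLE_LOG)` reports stage "manager" with sub-code 525, which points at the configured manager DN rather than at the login name or the user search filter.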

    • John McCaughey

      John McCaughey - 2007-08-11

      Not having access to an Active Directory server, I haven't personally been able to test this, but I have heard from people that it can work.

      In the Acegi/Spring forums I think there are some good posts explaining how:

      http://forum.springframework.org/showthread.php?t=20969

      <bean
              id="initialDirContextFactory"
              class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
              <constructor-arg value="ldap://myserver:389/dc=company,dc=com" />
              <property name="managerDn">
                  <value>cn=ldapuser,ou=paderborn,ou=germany,dc=company,dc=com</value>
              </property>
              <property name="managerPassword">
                  <value>some password</value>
              </property>
               <property name="extraEnvVars">
                  <map>
                      <entry>
                          <key>
                              <value>java.naming.referral</value>
                          </key>
                          <value>follow</value>
                      </entry>
                  </map>
              </property>
          </bean>

          <bean
              id="userSearch"
              class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch">
              <property name="searchSubtree">
                  <value>true</value>
              </property>
              <property name="initialDirContextFactory">
                  <ref local="initialDirContextFactory" />
              </property>
              <property name="searchFilter">
                  <value>(sAMAccountName={0})</value>
              </property>
          </bean>

          <bean
              id="ldapAuthenticationProvider"
              class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
              <constructor-arg>
                  <bean
                      class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                      <constructor-arg>
                          <ref local="initialDirContextFactory" />
                      </constructor-arg>
                      <property name="userSearch">
                          <ref local="userSearch" />
                      </property>
                  </bean>
              </constructor-arg>
              <constructor-arg>
                  <bean
                      class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                      <constructor-arg>
                          <ref local="initialDirContextFactory" />
                      </constructor-arg>
                      <constructor-arg>
                          <value>ou=germany</value>
                      </constructor-arg>
                      <property name="convertToUpperCase">
                          <value>true</value>
                      </property>
                      <property name="rolePrefix">
                          <value></value>
                      </property>
                      <property name="searchSubtree">
                          <value>true</value>
                      </property>
                      <property name="groupSearchFilter">
                          <value>member={0}</value>
                      </property>
                      <property name="groupRoleAttribute">
                          <value>cn</value>
                      </property>
                  </bean>
              </constructor-arg>
          </bean>

    • westofsa

      westofsa - 2007-11-23

      Was [Madalvi] able to get this configured, or has any other user been able to get WebHuddle configured with Windows 2003 AD? If so, is anyone willing to share the steps and files that they used to get this working, including server configurations?

      I have spent a good deal of time with this now. I can get to a point where I believe the .ldap.xml file is being correctly read, but I am unable to log in using the username or the full email address.

      Any help would be appreciated.

      Thanks.

    • John McCaughey

      John McCaughey - 2007-12-05

      Hi, sorry for the delay. WebHuddle relies on the Acegi security framework, so I suggest looking in the spring-acegi forum for details on getting LDAP to work with Active Directory. It's tricky but possible, from what I read.

      http://forum.springframework.org/forumdisplay.php?f=33

    • SteveT

      SteveT - 2008-01-22

      I've managed to get Active Directory authentication working (Windows 2000 mode; not sure about Win2K3-only). I noticed, by the way, that it only works for users where the "e-mail" field is defined (on the General tab of the user object properties in AD Users and Computers). If the "e-mail" field is blank, that user can't log in to WebHuddle.

      To enable Win2K Active Directory authentication, follow the same LDAP authentication steps described in the WebHuddle PDF document (at the time of writing, this was section 8.1.2 on page 34 for WebHuddle version 0.4.9), but additional modifications are needed for the applicationContext-acegi-security-ldap.xml file.

      Oh, and you need to define a generic user in Active Directory that will serve as the account to log on with when running LDAP user searches. Any user with no rights and a strong password will do.

      Here's a working applicationContext-acegi-security-ldap.xml file with domains masked to protect the innocent...

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

      <!-- this file uses the server "adserver.domain.com" as the AD server, and the account "LDAP Authentication" defined in AD in the default Users folder, with password "adpw123" -->

      <beans>

         <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
            <property name="providers">
               <list>
                  <ref local="ldapAuthenticationProvider"/>
               </list>
            </property>
         </bean>

         <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
           <!--<constructor-arg value="ldap://localhost:389/dc=mycompany,dc=com"/>-->
           <!--constructor-arg value="ldap://localhost:389/dc=localdomain"/-->
           <constructor-arg value="ldap://adserver.domain.com:389"/>
           <property name="managerDn"><value>CN=LDAP Authentication,CN=Users,DC=domain,DC=com</value></property>
           <property name="managerPassword"><value>adpw123</value></property>
         </bean>

         <bean id="tokenLdapAuthoritiesPopulator" class="com.sts.webmeet.server.acegi.ldap.TokenLdapAuthoritiesPopulator"/>

         <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0">
              <!-- <value>cn=Organization,cn=Company Employees,o=company.com</value> -->
              <value>CN=Users,DC=domain,DC=com</value>
            </constructor-arg>
            <constructor-arg index="1">
              <!-- <value>(uid={0})</value> -->
              <value>(sAMAccountName={0})</value>
            </constructor-arg>
            <constructor-arg index="2">
              <ref local="initialDirContextFactory" />
            </constructor-arg>
            <property name="searchSubtree">
              <value>true</value>
            </property>
         </bean>

         <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
           <constructor-arg>
             <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
                <property name="userSearch"><ref local="userSearch"/></property>
             </bean>
           </constructor-arg>
           <constructor-arg>
               <ref local="tokenLdapAuthoritiesPopulator"/>
           </constructor-arg>
         </bean>

         <!-- Automatically receives AuthenticationEvent messages -->
         <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

      </beans>

      Hope this helps

      -SteveT

      • John McCaughey

        John McCaughey - 2008-02-13

        Thanks a lot for sharing this info -- integration with AD is tricky but your post should help a ton!

    • sirsquishy

      sirsquishy - 2008-03-19

      The XML file does not work for me. My 2003 domain is in 2000 compatible mode, but when I go to Login I always get "logon failed".

      What am I missing?

    • Ickthwart

      Ickthwart - 2008-11-12

      Hello

      I managed to get the LDAP login to work using the above XML.

      However, I need the LDAP search root to be at the top of my AD domain because user accounts are stored in multiple OUs, i.e. using the following:

      <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
          <value>DC=domain,DC=com</value>
        </constructor-arg>

      However, as soon as I remove the "CN=Users," it does not work and all logins fail.

      Please help.

    • Marco Rojas

      Marco Rojas - 2009-06-26

      Is this a dead project?
