We are having difficulty getting our AD authentication setup and working.
I can't really find any docs on the WebKeePass.xml or AD setup recommendations.
We are consistently getting this error in our catalina.out file
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
A typical config file we have is:
We have tried with the "Home Office" not in quotes, no comma in the ",ou=Security" area, the line "<principaldnprefix>uid=</principaldnprefix>" removed, the portion ",ou=Security,ou=Groups,ou="Home Office" removed, tried logging in with "webco\username" and username@webco.net.
We are not seeing anything in the AD logs.
We tried updating the "simple" to "anonymous", but that didn't even try to authenticate.
Is there some docs or recommendations as far as what we need?
I can put all the various incantations of what I have tried, but I am afraid it will be 10 pages. :-)
thx,
John
Hi John,
I don't know much about web keepass. But I think this line needs to be changed
"<principaldnsuffix>,ou=Security,ou=Groups,ou="Home Office",dc=webco,dc=net</principaldnsuffix>"
It should be
"<principaldnsuffix>@webco.net</principaldnsuffix>"
Last edit: oliver zhang 2013-05-03
Thanks Oliver, but that didn't fix it.
I tried logging in as "joeuser@webco.net" then password, and also webco.net\joeuser and webco\joeuser. All failed.
Still receiving the error:
==> jakarta-tomcat-5.5.7/logs/catalina.out <==
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
Current Config:
If you have any hints or a working config, I'll take them all. I tried checking our AD server, but the logs there are not really helping at all.
I had a heck of a time with AD authentication... Finally I got it to work with the following config:
~~~
<ldap_config>
<ldap>true</ldap>
<principaldnprefix></principaldnprefix>
<principaldnsuffix></principaldnsuffix>
<java.naming.provider.url>ldap://domain.us:389</java.naming.provider.url>
<java.naming.security.authentication>simple</java.naming.security.authentication>
<java.naming.factory.initial>com.sun.jndi.ldap.LdapCtxFactory</java.naming.factory.initial>
</ldap_config>
~~~
Now this allows anyone in the domain to log in, and sharing doesn't seem to work... yet...
We also have to log in with domain/username.
Last edit: Erik Richter 2014-01-06
This is misleading, this seems to actually toggle your access from groups stored in WebKeePass rather than AD/LDAP
<LDAP_Group>Admins</LDAP_Group>
or
<LDAP_Group>Users</LDAP_Group>
This section below is the DN of the user, not the sAMAccountName/logon name (though they could be the same if you were conscious of it when the user was created). You can find this in the Attribute Editor on the user in AD (Advanced Features has to be checked in ADUC).
<principalDNPrefix>CN=</principalDNPrefix>
<principalDNSuffix>,OU=where the users are,OU=ou above the user OU,DC=mydomain,DC=com</principalDNSuffix>
If you set the two parameters above as
<principalDNPrefix></principalDNPrefix>
<principalDNSuffix></principalDNSuffix>
You'd have to logon with CN=MyUser,OU=....,OU=...etc...,dc=mydomain,dc=com
SSL if you've got it:
<java.naming.provider.url>ldaps://mydomain.com:636</java.naming.provider.url>
or you can do 389:
<java.naming.provider.url>ldap://mydomain.com:389</java.naming.provider.url>
This section below, I tried sasl_GSSAPI, but it seems this app only supports simple or anonymous. So, simple and LDAPS it is.
<java.naming.security.authentication>simple</java.naming.security.authentication>
<java.naming.factory.initial>com.sun.jndi.ldap.LdapCtxFactory</java.naming.factory.initial>
</LDAP_CONFIG>
The problem with this implementation of LDAP AuthN/AuthZ seems to be that you can't set an AD group as the source for AuthZ. You also seem to be limited to a particular OU. You can't search the whole AD for all CNs for AuthN, and then use a group for AuthZ.
Last edit: jlee161 2014-04-30
For AuthN, you can create users with no password (or complex passwords) in WebKeePass and add them to groups in WebKeePass with the appropriate access. AuthN is handled by AD, AuthZ is done by WebKeePass.
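As an added example (not part of this thread or of WebKeePass), a small Python triage helper that reproduces how principalDNPrefix and principalDNSuffix wrap the typed login into the bind name, and decodes the `data` sub-code in the JNDI error quoted above. The sub-code meanings are standard AD behaviour for LDAP error 49; the function names are my own.

```python
import re

# Well-known AD sub-codes reported as "data NNN" in LDAP error 49 (AcceptSecurityContext).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind name matches no account)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514, e.g. 'Smith, John' -> 'Smith\\, John'."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_principal(prefix, suffix, login):
    """Mimic the prefix + login + suffix concatenation used to form the simple-bind name.

    A DN-style prefix (ending in '=') makes the login an RDN value, so it is escaped.
    With empty prefix and suffix the login passes through untouched, which is why
    'DOMAIN\\user' or 'user@domain' then work: AD accepts both as simple-bind names."""
    if prefix.endswith('='):
        login = escape_rdn_value(login)
    return f"{prefix}{login}{suffix}"


_ERR_RE = re.compile(r"LDAP: error code (\d+) - (\w+): LdapErr: .*?data (\w+),")


def classify_bind_error(message):
    """Parse a JNDI AuthenticationException message and explain the AD sub-code."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    code, win32_err, data = m.groups()
    return {"ldap_code": int(code), "win32": win32_err, "data": data,
            "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code")}
```

Feeding the thread's `uid=` prefix into `build_bind_principal` shows why it fails against AD: user objects there carry a `CN=` RDN, so the resulting DN names no account and the bind returns `data 52e`.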