I am trying to get a Java app using spring-security to talk to a local ADAM instance that I have setup.
I have successfully installed ADAM and setup as follows....
O=Company
OU=Company Users
(orgnizationalUnit)
CN=Mike Q
(user)uid = mike
and password = welcome
Then I have setup spring-security (version 3.0.3, spring-framework 3.0.4 and spring-ldap 1.3.0). Spring file
<security:ldap-server id="contextSource" url="ldap://localhost:389/o=Company"/>
<security:authentication-manager>
<security:ldap-authentication-provider user-dn-pattern="uid={0},ou=Company Users"/>
</security:authentication-manager>
<bean class="com.xxx.test.TestAuthentication" lazy-init="false"/>
And TestAuthentication
public class TestAuthentication
{
@Autowired
private AuthenticationManager authenticationManager;
public void initialise()
{
Authentication authentication = new UsernamePasswordAuthenticationToken( "mike", "welcome" );
Authentication reponseAuthentication = authenticationManager.authenticate( authentication );
}
}
Running this I get the following error
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
If someone could point out where I'm going wrong I'd be grateful. At this point I just want to authenticate an entered user/password using LDAP, nothing more complex than that.
I'm also interested in some general points as this is my first foray into LDAP world.
Spring Security's LDAP based authentication is used by Spring Security when it is configured to accept a username/password for authentication.
In order to authenticate a user with an LDAP directory you first need to obtain their DN as well as their password. With a login form, people typically enter a simple identifier such as their username or email address. You don't expect them to memorise the DN of their directory entry.
LDAP v3 supports three types of authentication: anonymous, simple and SASL authentication.
OK so as I spent plenty of time solving this here's the answer.
Error code 2030 means that the DN of the user is invalid.
After some trial and error here is a config that works and does user search properly. (You can probably rewrite this using the security namespace but while I was working on this it was clearer to use the raw bean definitions).
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://localhost:389/cn=Sandbox,dc=ITOrg"/>
<property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>
<property name="password" value="xxxxxx"/>
</bean>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userDnPatterns">
<list>
<value>cn={0},cn=People</value>
</list>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="cn=People"/>
<constructor-arg index="1" value="(cn={0})"/>
<constructor-arg index="2" ref="contextSource"/>
</bean>
The key things are
<property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>
When specifying the userDn in the context source it must be the FULL DN (it doesn't just append it do the base supplied in the url (constructor arg).
When using BindAuthentication
<value>cn={0},cn=People</value>
This value IS a suffix on top of the baseDn of the context source.
When configuring a UserSearch
<constructor-arg index="0" value="cn=People"/>
<constructor-arg index="1" value="(cn={0})"/>
I couldn't get it to work with cn=People
being in the second arg but this seems to work fine. Note you can use attributes of the user e.g. (uid={0})
And here's some example code using the bean definitions...
@Autowired
private LdapUserSearch ldapUserSearch;
@Autowired
private AuthenticationProvider authenticationProvider;
public void initialise()
{
DirContextOperations dirContextOperations = ldapUserSearch.searchForUser( "username" );
Authentication authentication = authenticationProvider.authenticate( new UsernamePasswordAuthenticationToken( "username", "password" ) );
}
Some other random titbits...
Error 52b - Invalid password
[LDAP: error code 32 - 0000208D: NameErr: DSID-031521D2, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sandbox,DC=ITOrg'
- This means the user is not in the administrator role (probably)
Hope all this helps someone else.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With