I am trying to make Spring Security work with Active Directory (in the JasperServer WebApp). It won't work. Here is the configuration of my system.

- I have an Active Directory on Windows Server 2008 with the domain corp.ama-eve.dyndns.org
- I am able to bind to Active Directory from the machine where my WebApp is. For binding I use LDAP Administrator. The LDAP URL used in LDAP Administrator is ldap://192.168.5.101:389/DC=corp,DC=ama-eve,DC=dyndns,DC=org??one?(objectClass=*)
- Anonymous browsing of AD is forbidden. For browsing LDAP folders I can use different principals like: CN=Administrator,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org (Administrator@corp.ama-eve.dyndns.org) or CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org (service_acc@corp.ama-eve.dyndns.org)

-> The Active Directory seems to work well <-

Now I try to bind to AD in Spring Security.

I have added the ldap provider in applicationContext-security.xml:
Code:
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref bean="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>
I have entered the correct LDAP URL (Spring Security can connect to the LDAP server, since it reacts to entering a wrong LDAP URL):
Code:
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://192.168.5.101:389/DC=corp,DC=ama-eve,DC=dyndns,DC=org"/>
    <property name="userDn"><value>CN=service_acc,CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value></property>
    <property name="password"><value>MyPassword</value></property>
</bean>
I use userSearch for finding users:
Code:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
</bean>
Code:
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value>CN=Users</value></constructor-arg>
    <constructor-arg index="1"><value>(sAMAccountName={0})</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>
Symptoms:
- When I try to log in using credentials from LDAP I get this:
Code:
2011-05-04 16:07:30,160  WARN LoggerListener,http-8484-5:60 - Authentication event AuthenticationFailureBadCredentialsEvent: Administrator; details: com.jaspersoft.jasperserver.multipleTenancy.MTWebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: D5043C32241F76C089F3D182546C5239; exception: Bad credentials
- I've tried to change the userDn for the LDAP bind to Administrator@corp.ama-eve.dyndns.org - nothing happens.

- Any changes to userDn and password in ldapContextSource have no effect. (Logging in log4j.properties is set to log4j.logger.org.springframework.security.providers.ldap=ALL, stdout, fileout.)

- Adding userDnPatterns to BindAuthenticator:
Code:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <property name="userDnPatterns">
                <list>
                    <value>sAMAccountName={0}, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
                    <value>sAMAccountName={0}, OU=Sales,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
                    <value>sAMAccountName={0}, OU=accounts,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
                </list>
            </property>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
...
generates the following log output:
Code:
2011-05-04 16:07:29,988 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
2011-05-04 16:07:30,020 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, OU=Sales,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
2011-05-04 16:07:30,051 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as sAMAccountName=Administrator, OU=accounts,DC=corp,DC=ama-eve,DC=dyndns,DC=org: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]
- I have tried to change
Code:
<value>sAMAccountName={0}, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org</value>
to
Code:
<value>sAMAccountName={0}, CN=Users</value>
no effect.

- I have tried to change the first constructor argument in FilterBasedLdapUserSearch from
Code:
<constructor-arg index="0"><value>CN=Users</value></constructor-arg>
to
Code:
<constructor-arg index="0"><value></value></constructor-arg>
no effect.

- Changes in FilterBasedLdapUserSearch do not produce additional log output, so I can't trace it.
-----------------------------------------------------------------
It seems that the initial bind for browsing LDAP folders does not work. Can somebody please give me a hint about which direction I should try?

With regards,

Friedirch
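An added, offline diagnostic for the configuration above (example code written for this page, not part of Friedirch's post and not Spring Security's own code). It does three things a practitioner would want before touching the XML again: it pulls the Active Directory sub-code (the "data NNN" field) out of a BindAuthenticator failure line and maps it to AD's documented meaning, it reconstructs the exact search base and filter a FilterBasedLdapUserSearch would issue for a given username (with RFC 4515 escaping of the substituted value, which Spring applies to {0} as well), and it sanity-checks a userDnPattern against the RDN types used in this domain's DNs (CN, OU, DC). The sub-code table is AD's documented list; the sample log line is taken from the post; everything else is constructed for the example.

```python
import re

# Active Directory bind-failure sub-codes: the "data NNN" field inside an
# "AcceptSecurityContext error" message (LDAP result code 49). These are the
# documented AD meanings; they are not something the post states.
AD_BIND_DATA_CODES = {
    "525": "user not found (the bind DN names no entry)",
    "52e": "invalid credentials (entry exists, password wrong)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")


def classify_bind_failure(log_line):
    """Return (data_code, meaning) for an AD 'error code 49' bind failure,
    or None when the line carries no AD sub-code (e.g. Spring's generic
    'Bad credentials' summary line)."""
    m = _DATA_RE.search(log_line)
    if not m:
        return None
    code = m.group(1)
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")


# RFC 4515 escaping for a value substituted into a search filter, so a
# username containing filter metacharacters cannot change the filter's shape.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(search_base, root_dn, filter_template, username):
    """Return (base_dn, filter) that a FilterBasedLdapUserSearch configured with
    search_base (relative to the context source's root DN) and filter_template
    would issue for username. An empty search_base means 'search from the root'."""
    base = f"{search_base},{root_dn}" if search_base else root_dn
    return base, filter_template.replace("{0}", escape_filter_value(username))


# RDN attribute types that appear in this domain's DNs (taken from the post);
# an AD user entry is named by its CN, so a pattern whose leading RDN uses a
# different attribute cannot name an existing entry.
_DN_RDN_TYPES = {"CN", "OU", "DC"}


def is_valid_user_dn_pattern(pattern):
    """True if every RDN in a userDnPattern uses one of the RDN types above."""
    rdns = [rdn.strip() for rdn in pattern.split(",")]
    return all(rdn.split("=", 1)[0].strip().upper() in _DN_RDN_TYPES for rdn in rdns)


# Log line from the post (shortened to the first exception message).
SAMPLE_LOG_LINE = (
    "2011-05-04 16:07:29,988 DEBUG BindAuthenticator,http-8484-5:117 - Failed to bind as "
    "sAMAccountName=Administrator, CN=Users,DC=corp,DC=ama-eve,DC=dyndns,DC=org: "
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771 ]"
)
ROOT_DN = "DC=corp,DC=ama-eve,DC=dyndns,DC=org"

if __name__ == "__main__":
    print(classify_bind_failure(SAMPLE_LOG_LINE))
    print(build_user_search("CN=Users", ROOT_DN, "(sAMAccountName={0})", "Administrator"))
    for pattern in ("sAMAccountName={0}, CN=Users," + ROOT_DN, "CN={0},CN=Users," + ROOT_DN):
        print(pattern, "->", "ok" if is_valid_user_dn_pattern(pattern) else "not a DN AD can resolve")
```

Run it against the container's own log lines to separate "the service account bind failed" (which would surface as its own error when the context source is first used) from "the per-user bind named a DN that does not exist" (data 525) or "the DN exists but the password was rejected" (data 52e); the two cases call for different fixes.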