
Thread: Spring Active Directory LDAP Error 32 - No Object Found

  1. #1

    I am trying to authenticate a user against AD LDS\ADAM using the Spring framework and Spring Security 3.0. I keep getting the following error and hopefully someone from here can explain where the problem lies.

    Code:
    [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'
    Can anyone explain what the "best match of" and "remaining name" bits mean? This is really confusing me. Is this type of search case sensitive? And would problems like time differences between the server and client make a difference?

    From what I have read online, error code 32 means that the object can't be found (very helpful, I'm sure you'll agree). Here is the configuration information which I am using:

    Code:
    <authentication-manager alias="ldapAuthenicationManager">   
        <ldap-authentication-provider
            user-search-base="cn=Users,dc=Domain,dc=local" 
            user-search-filter="(uid={0})" 
            role-prefix="Users"
        />
    </authentication-manager>
    
    <ldap-server url="ldap://server:50006/" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password" />
    Changing this config slightly like this has no effect either:

    Code:
    <authentication-manager alias="ldapAuthenicationManager">
        <ldap-authentication-provider
            user-search-base="cn=Users"
            user-search-filter="(uid={0})"
        >
        </ldap-authentication-provider>
    </authentication-manager>

    <ldap-server url="ldap://server:50006/dc=Domain,dc=local" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password" />

    I am searching by uid (no sAMAccountName in LDS) and when I search by the same criteria using ldp.exe on the server I can find the user correctly, e.g.:

    Code:
    ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList,  0, &msg)
    ***Searching...
    ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList,  0, &msg)
    Getting 1 entries:
    Dn: CN=Mo Logan,CN=Users,DC=Domain,DC=local
    badPasswordTime: 9/20/2011 1:19:51 PM GMT Standard Time; 
    badPwdCount: 0; 
    cn: Mo Logan; 
    distinguishedName: CN=Mo Logan,CN=Users,DC=Domain,DC=local; 
    dSCorePropagationData: 0x0 = (  ); 
    instanceType: 0x4 = ( WRITE ); 
    lastLogonTimestamp: 9/20/2011 9:10:32 AM GMT Standard Time; 
    lockoutTime: 0; 
    memberOf (2): CN=DMSUsers,CN=Users,DC=Domain,DC=local; CN=Users,CN=Roles,CN=Users,DC=Domain,DC=local; 
    msDS-UserAccountDisabled: FALSE; 
    name: Mo Logan; 
    objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={BD500A33-CE7C-492F-9007-BF1B17F972EE}; 
    objectClass (4): top; person; organizationalPerson; user; 
    objectGUID: 40f74ed4-6cf3-495e-a28c-6aa080a0333b; 
    objectSid: S-1-514506224-2209559093-2723712157-1234827279-3369888698-2052446679; 
    pwdLastSet: 9/20/2011 8:19:06 AM GMT Standard Time; 
    uid: mologan; 
    uSNChanged: 13994; 
    uSNCreated: 13985; 
    whenChanged: 9/20/2011 9:10:32 AM GMT Standard Time; 
    whenCreated: 9/20/2011 8:16:54 AM GMT Standard Time;
    I am binding to AD LDS as an administrator account which belongs to the reader group under roles. This user sits at the same level as the username I am trying to verify.

    As you can probably tell I am flat out of ideas as to why I am getting this error and hopefully someone will be able to help me out or point me in the right direction,

    Cheers & thanks in advance
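    The two phrases in that message are easier to read with a small model of what the server does when it resolves a DN. The following is an added example, not code from this thread or from Spring; it uses only `javax.naming.ldap.LdapName` and a constructed list of entries standing in for the AD LDS instance, and the class name `NoObjectExplainer` and that entry list are my assumptions. "best match of:" is the server's matchedDN, the deepest ancestor of the requested DN that does exist. The "remaining name" that JNDI appends is the name exactly as it was handed to the operation, relative to the context's base, which is why it is the full DN with the first configuration and shrinks to `cn=Mo Logan,cn=Users` once the base DN moves into the URL. DN comparison in `LdapName`, like the server's, ignores the case of attribute types and values, so differences of case between the configuration and the directory are not what produces error 32.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/**
 * Added example, not code from the thread: models how a directory answers a
 * request for a DN that does not exist (LDAP result 32, NO_OBJECT) and where
 * the "best match of" and "remaining name" parts of the JNDI message come from.
 * The entry list in main() is constructed, not read from any real server.
 */
public class NoObjectExplainer {

    /** What the client can learn from one lookup. */
    public static final class Resolution {
        public final String fullDn;        // absolute DN the server actually resolved
        public final String matchedDn;     // deepest existing ancestor: the server's matchedDN ("best match of")
        public final String unresolved;    // leaf-side RDNs the server could not find
        public final String remainingName; // what JNDI prints: the name as passed, relative to the context
        public final boolean exists;

        Resolution(String fullDn, String matchedDn, String unresolved, String remainingName) {
            this.fullDn = fullDn;
            this.matchedDn = matchedDn;
            this.unresolved = unresolved;
            this.remainingName = remainingName;
            this.exists = unresolved.isEmpty();
        }

        @Override
        public String toString() {
            if (exists) {
                return "found " + fullDn;
            }
            return "[LDAP: error code 32 - NO_OBJECT, best match of: '" + matchedDn
                + "']; remaining name '" + remainingName + "' (unresolved RDNs: " + unresolved + ")";
        }
    }

    /** Parse a DN; LdapName equality ignores the case of RDN types and values. */
    static LdapName parse(String dn) {
        try {
            return new LdapName(dn);
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("not a valid DN: " + dn, e);
        }
    }

    /**
     * Resolve relativeName under contextBase against the entries that exist.
     * LdapName indexes RDNs from the root (index 0 is the rightmost RDN), so the
     * walk runs root to leaf and stops at the first prefix that is not an entry.
     */
    public static Resolution resolve(Collection<String> existingEntries, String contextBase, String relativeName) {
        Set<LdapName> directory = new HashSet<>();
        for (String entry : existingEntries) {
            directory.add(parse(entry));
        }
        // The server only ever sees the absolute DN: context base plus relative name.
        LdapName full = parse(contextBase);
        try {
            full.addAll(parse(relativeName));
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("cannot append " + relativeName, e);
        }
        int matchedDepth = 0;
        for (int i = 1; i <= full.size(); i++) {
            if (directory.contains(full.getPrefix(i))) {
                matchedDepth = i;
            } else {
                break;
            }
        }
        String matchedDn = full.getPrefix(matchedDepth).toString();
        String unresolved = full.getSuffix(matchedDepth).toString();
        return new Resolution(full.toString(), matchedDn, unresolved, relativeName);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the directory: the Users container and an Admin entry
        // exist; "Mo Logan" deliberately does not, to reproduce the NO_OBJECT case.
        List<String> entries = Arrays.asList(
            "DC=Domain,DC=local",
            "CN=Users,DC=Domain,DC=local",
            "CN=Admin,CN=Users,DC=Domain,DC=local");

        // Base DN in the provider URL: the remaining name is reported relative to it.
        System.out.println(resolve(entries, "dc=Domain,dc=local", "cn=Mo Logan,cn=Users"));
        // No base DN in the URL: same lookup, but the remaining name is now the whole DN.
        System.out.println(resolve(entries, "", "cn=Mo Logan,cn=Users,dc=Domain,dc=local"));
        // Case differs from the stored entries yet the lookup succeeds: DN matching is case-insensitive.
        System.out.println(resolve(entries, "DC=DOMAIN,DC=LOCAL", "cn=admin,cn=users"));
    }
}
```

    Run it with `javac NoObjectExplainer.java && java NoObjectExplainer`. The first two calls print the same matched DN with different remaining names, which is the pattern in the two error messages in this thread; the third returns "found", showing that case is not a factor in DN resolution.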

  2. #2

    Trying to shed more light on the problem:

    If I use the following code I am able to connect to AD, search for the user and retrieve details such as groups:

    import java.util.ArrayList;
    import java.util.Hashtable;
    import java.util.List;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public class AdLdsLookup {
        public static void main(String[] args) throws NamingException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "CN=Admin,CN=Users,DC=Domain,DC=local");
            env.put(Context.SECURITY_CREDENTIALS, "Password");
            env.put(Context.PROVIDER_URL, "ldap://server:50006");

            // Bind as the administrator account.
            LdapContext ctx = new InitialLdapContext(env, null);
            System.out.println("Connection Successful.");

            SearchControls searchCtls = new SearchControls();
            String[] returnedAtts = {"distinguishedName", "memberOf"};
            searchCtls.setReturningAttributes(returnedAtts);
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            String searchFilter = "(&(uid=mologan)(memberof=CN=MyGroup,CN=Users,DC=Domain,DC=local))";
            String searchBase = "CN=Users,DC=Domain,DC=local";

            // Search on the context bound above (the original called an undefined 'lc').
            NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
            if (!answer.hasMore()) {
                System.out.println("No entry matched " + searchFilter);
                ctx.close();
                return;
            }
            SearchResult result = answer.next();
            System.out.println("Name in namespace: " + result.getNameInNamespace()); // absolute DN
            System.out.println("Name: " + result.getName());                         // relative to searchBase
            Attribute memberOf = result.getAttributes().get("memberOf");
            System.out.println("Groups: " + memberOf);

            // Collect the group DNs from the multi-valued memberOf attribute.
            List<String> groups = new ArrayList<>();
            if (memberOf != null) {
                for (int i = 0; i < memberOf.size(); i++) {
                    groups.add((String) memberOf.get(i));
                }
            }
            ctx.close();
        }
    }

    Hopefully this will help shed more light on the issue. I don't see what is different between this and what Spring is trying to do; any ideas what I am missing?

  3. #3


    Hi Mo

    If possible could you post the DEBUG output of your Spring login attempt?

    I remember getting that error but I can't quite remember what I did to solve it. I think this was more AD strangeness.

    Also, what is the full version of Spring Security you are using? 3.0.7?

  4. #4


    Mo

    I think we might have the same problem.

    My AD/LDS server is a 2008 R2 and not a 2003 (which returns vastly different results, FYI).

    I put a breakpoint in SpringSecurityLdapTemplate.searchForSingleValues at line 173 (search(base, formattedFilter, ctls, roleMapper)).

    I get my crash here every time.

    At this point I "think" the problem is that the criteria for a successful search and the criteria required to retrieve the attributes (memberOf for groups) are not the same.

    Troubleshooting this I have also seen LDAP errors 49 (bad credential) and "Unprocessed Continuation Reference; remaining name ''" errors as I mess with the values possible on my ldap-user-service.

    For the record, using ldp.exe the following criteria are required for a successful attributes retrieval:

    BaseDN: CN:Users,DC=my,DC=serv,DC=local
    Filter: (cn=test_user)
    Scope: subtree
    Attributes: memberOf

    I will check more and let you know what I find, but if your code throws the exception at the same point then it's the same problem (or the inverse: the problem lies in the search).

  5. #5

    Hi Stimpy,

    Here is the DEBUG log; hopefully it will help with this:

    DEBUG o.s.s.web.FilterChainProxy - /j_spring_security_check at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession:
    Session Object Internals:
    id : rmOHU38p6q6itI9AR1whiHy
    hashCode : 1816161344
    create time : Fri Sep 23 16:30:27 BST 2011
    last access : Fri Sep 23 16:45:16 BST 2011
    max inactive interval : 1800
    user name : anonymous
    valid session : true
    new session : false
    overflowed : false
    app name : default_host/applicationname
    non-serializable app specific session data : null
    serializable app specific session data : {SPRING_SECURITY_LAST_USERNAME=mologan, SPRING_SECURITY_LAST_EXCEPTION=org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Users,DC=Domain,DC=local'
    ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Users,DC=Domain,DC=local'
    ]; remaining name 'cn=Mo Logan,cn=Users'}
    . A new one will be created.
    DEBUG o.s.s.web.FilterChainProxy - /j_spring_security_check at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG o.s.s.web.FilterChainProxy - /j_spring_security_check at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
    DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
    DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: mologan
    DEBUG o.s.s.l.s.FilterBasedLdapUserSearch - Searching for user 'mologan', with user search [ searchFilter: '(uid={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
    DEBUG o.s.s.l.SpringSecurityLdapTemplate - Searching for entry in under DN 'dc=Domain,dc=local', base = 'cn=Users', filter = '(uid={0})'
    DEBUG o.s.s.l.SpringSecurityLdapTemplate - Found DN: cn=Mo Logan,cn=Users
    DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=Mo Logan,cn=Users,dc=Domain,dc=local
    DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=Mo Logan,cn=Users,dc=Domain,dc=local
    DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Users,DC=Domain,DC=local'
    ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Users,DC=Domain,DC=local'
    ]; remaining name 'cn=Mo Logan,cn=Users'

    Hopefully that helps somewhat,

  6. #6

    Hi Stimpy,

    Hopefully that debug log makes sense.

    To answer your other questions:

    I am using Spring Security 3.0.4 at the moment.

    When I debug the code, the error seems to happen at line 1260 of the DirContextAdapter:

    Code:
    	/*
    	 * (non-Javadoc)
    	 * 
    	 * @see org.springframework.ldap.support.DirContextOperations#getDn()
    	 */
    	public Name getDn() {
    		return new DistinguishedName(dn);
    	}
    	
    	/**
    	 * Construct a new <code>DistinguishedName</code> from the supplied
    	 * {@link Name}. The parts of the supplied {@link Name} must be
    	 * syntactically correct {@link LdapRdn}s.
    	 * 
    	 * @param name the {@link Name} to construct a new
    	 * <code>DistinguishedName</code> from.
    	 */
    	public DistinguishedName(Name name) {
    		Assert.notNull(name, "name cannot be null");
    		if (name instanceof CompositeName) {
    			parse(LdapUtils.convertCompositeNameToString((CompositeName) name));
    			return;
    		}
    		names = new LinkedList();
    		for (int i = 0; i < name.size(); i++) {
    			names.add(new LdapRdn(name.get(i)));
    		}
    	}
    So I am guessing that it is to do with the format of the info being retrieved by the query. I'll need to find out more about LdapRdn values.

    Hope that is of use

  7. #7


    Hi mo


    I would suggest that you upgrade to 3.0.7 just to rule out any issues.

    The way I read your debug log is that the string used to bind for authentication is not a match.

    I am not at my workstation right now but I will post my setup Monday.

  8. #8

    Hi, I'll try to upgrade to 3.0.7 and let you know how I get on.

    The thing is, when I try to bind using ldp.exe with the same username I am able to bind without problems.

    Do you know of a way to log AD activity on the server? I have tried two tools without seeing anything useful. Does LDS log anything, do you know?

  9. #9

    Stimpy, you started me thinking and I took a quick look at the security event log on the server I am using:

    The domain controller attempted to validate the credentials for an account.

    Event Id: 4776
    Task Category: Credential Validation
    Keywords: Audit Success

    Authentication Package: ADAM_LDSTestInstance
    Logon Account: CN=Mo Logan,CN=Users,DC=Domain,DC=local
    Source Workstation: My Ip Number:55072
    Error Code: 0x0

    From this I guess the validation is working correctly - this is so confusing!!
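    That event log entry shows the credential validation itself succeeding while Spring still ends with NO_OBJECT, so the operation to isolate is whatever happens after the bind. Below is an added JNDI diagnostic, not code from this thread and not Spring Security's own, that performs the search, the bind, the post-bind read of the user's own entry and the memberOf read as four separate operations and reports each result. The class name `LdapBindStepper`, the step labels and the placeholder values in the usage text are mine; it needs a reachable directory, and every name it uses is absolute because the URL it opens carries no base DN.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added diagnostic (not from the thread, not Spring's code): runs the steps a
 * bind-based authenticator performs one at a time, each on its own connection,
 * so that a failure is reported against the step that produced it. All
 * connection details come from the command line; usage values are placeholders.
 */
public class LdapBindStepper {

    @FunctionalInterface
    interface Step { void run() throws NamingException; }

    /** Open a simple-bind connection. No base DN in the URL, so every name below is absolute. */
    static LdapContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** Search as the service account and return the single matching entry's absolute DN. */
    static String findUserDn(LdapContext ctx, String searchBase, String filter) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] {"distinguishedName"});
        NamingEnumeration<SearchResult> hits = ctx.search(searchBase, filter, ctls);
        if (!hits.hasMore()) {
            throw new NamingException("nothing matches " + filter + " under " + searchBase);
        }
        SearchResult hit = hits.next();
        if (hits.hasMore()) {
            throw new NamingException(filter + " matched more than one entry under " + searchBase);
        }
        // getName() is relative to searchBase; the bind in step 2 needs the absolute DN.
        return hit.getNameInNamespace();
    }

    /** Run one step and report OK/FAIL with the server message and JNDI's remaining name. */
    static boolean step(String label, Step body) {
        try {
            body.run();
            System.out.println("OK   " + label);
            return true;
        } catch (NamingException e) {
            String remaining = e.getRemainingName() == null ? "" : " [remaining name '" + e.getRemainingName() + "']";
            System.out.println("FAIL " + label + ": " + e.getClass().getSimpleName() + ": " + e.getMessage() + remaining);
            return false;
        }
    }

    public static void main(String[] args) {
        if (args.length != 6) {
            System.err.println("usage: java LdapBindStepper <ldap-url> <service-dn> <service-password>"
                + " <search-base> <filter> <user-password>");
            System.err.println("  e.g. ldap://server:50006 \"CN=Admin,CN=Users,DC=Domain,DC=local\" <password>"
                + " \"CN=Users,DC=Domain,DC=local\" \"(uid=mologan)\" <password>");
            System.exit(2);
        }
        String url = args[0], serviceDn = args[1], servicePw = args[2];
        String searchBase = args[3], filter = args[4], userPw = args[5];
        LdapContext[] admin = new LdapContext[1];   // holders so the lambdas can assign them
        LdapContext[] user = new LdapContext[1];
        String[] userDn = new String[1];

        boolean found = step("1 search for the user as the service account", () -> {
            admin[0] = connect(url, serviceDn, servicePw);
            userDn[0] = findUserDn(admin[0], searchBase, filter);
            System.out.println("     user DN: " + userDn[0]);
        });
        if (!found) {
            System.exit(1);
        }
        boolean bound = step("2 bind as the user (result 49 here means the DN or password is wrong)", () -> {
            user[0] = connect(url, userDn[0], userPw);
        });
        if (bound) {
            // The lookup an authenticator performs after a successful bind: the user reads its
            // own entry. NO_OBJECT here, after step 2 passed, means the entry is not visible to
            // the user identity even though the service account can see it.
            step("3 read the user's own entry while bound as the user", () ->
                user[0].getAttributes(userDn[0], new String[] {"cn", "memberOf"}));
        }
        step("4 read memberOf as the service account (the authorities step)", () -> {
            Attributes attrs = admin[0].getAttributes(userDn[0], new String[] {"memberOf"});
            System.out.println("     memberOf: " + attrs.get("memberOf"));
        });
        for (LdapContext ctx : new LdapContext[] {user[0], admin[0]}) {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

    A directory that does not reveal entries the caller is not permitted to read answers such a read with NO_OBJECT rather than an access error, so an OK at step 2 followed by a FAIL at step 3 points at the permissions of the user's own identity on its entry (the role memberships granted to the user, not to the service account), while a FAIL at step 1 points at the search base or filter.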

  10. #10


    Mo

    I agree that configuring Spring Security to work with AD LDS is troublesome.

    In part this seems to be due to the fact that getting successful results from the search, bind and authorities steps seems to require very different configuration of base, dn/cn etc.

    Take a look at the docs here http://static.springsource.org/sprin...namespace.html in the section under LDAP namespace options.

    I think what you need to do is configure an LDAP provider element and ref that.

    I had to tweak all the elements (group-search-filter, group-search-base, group-role-attribute, etc.) to get it to work.
