Before simply telling me to look in the forums for similar posts, let me state that I have read over 100 posts, tried everything they suggest, and have spent 4-5 days on this with no success. I am new to Java, JasperReports Server, and Spring.
Some facts:
The latest JasperReports Server uses Spring Security 2.0 (I think), which is not the newest version.
I think we use AD 2003.
I have successfully used LDAP Browser, and the Drupal LDAP module using the same info.
I have added a couple of lines to Jasper's default log4j.properties file thus:
log4j.category.org.springframework.security=DEBUG, MISC, ERROR, INFO
log4j.category.org.springframework.security.ldap=DEBUG, MISC, ERROR, INFO
I don't know what else I can do to 'see' what is happening during the log in process. These don't seem to help much as you'll see below.
My Active Directory info is this:
root.myserver.org
-Facility1
--Users
---Admins
--Groups
-Facility2
--Users
---Admins
--Groups
etc.
A service account which can query the server and is used on other systems:
User: CN=ldapuser,OU=Users,OU=Facility1,DC=root,DC=myserver,DC=org
Password: password
Error messages in jasperserver.log:
2012-05-09 14:49:17,982 INFO DefaultSpringSecurityContextSource,Thread-1:56 - URL 'ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org', root DN is 'dc=root,dc=myserver,dc=org'
2012-05-09 14:49:31,443 DEBUG ProviderManager,http-8080-2:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
2012-05-09 14:49:31,446 DEBUG FilterBasedLdapUserSearch,http-8080-2:109 - Searching for user 'constar1', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: 'DC=root,DC=myserver,DC=org', scope: subtree, searchTimeLimit: 0, derefLinkFlag: true ]
2012-05-09 14:49:31,502 DEBUG ProviderManager,http-8080-2:183 - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
2012-05-09 14:49:31,534 WARN LoggerListener,http-8080-2:60 - Authentication event AuthenticationFailureBadCredentialsEvent: constar1; details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.145.156.100; SessionId: D07A60737C086D8FB4AD14BE703F87DC; exception: Bad credentials
I only put in those which seem related. You can see that LDAP is unsuccessful and so DAO is used next which, of course, fails to find the user.
My applicationContext-security.xml file contains the following LDAP settings:
Code:
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref bean="anonymousAuthenticationProvider"/>
            <!--ref local="jaasAuthenticationProvider"/-->
        </list>
    </property>
</bean>
Code:
<bean id="ldapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org"/>
    <property name="userDn"><value>CN=ldapuser,OU=Users,OU=Facility1,DC=root,DC=myserver,DC=org</value></property>
    <property name="password"><value>password</value></property>
</bean>
Code:
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value>DC=root,DC=myserver,DC=org</value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>sAMAccountName={0}</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="ldapContextSource" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
    <property name="derefLinkFlag">
        <value>true</value>
    </property>
</bean>
Code:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <!-- <property name="userDnPatterns"><list><value>uid={0}</value></list></property> -->
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
            <constructor-arg index="1"><value>OU=Groups,OU=Facility2,DC=root,DC=myserver,DC=org</value></constructor-arg>
            <!--<property name="groupRoleAttribute"><value>cn</value></property>-->
            <!--<property name="groupSearchFilter"><value>(&(uniqueMember={0})(objectclass=groupofuniquenames))</value></property>-->
            <!--<property name="groupSearchFilter"><value>(member={0})</value></property>-->
            <property name="searchSubtree"><value>true</value></property>
        </bean>
    </constructor-arg>
</bean>
My questions are:
- What can I do to see better what is going on behind the scenes?
- Given my directory structure, what settings are wrong on my xml file? Should this be working as-is?
- Are there settings elsewhere I didn't address or are missing (here or on other files)?
- Why does this forum introduce spaces in some words?
Thanks in advance for any help.
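Added example, not part of the original post and not JasperReports or Spring code: a stand-alone JNDI program that repeats the three steps the configuration above asks for (service-account bind, subtree search with the sAMAccountName filter, bind as the found user) and prints the directory server's own error for whichever step fails. The class name `LdapLoginTrace` and the environment variable names `LDAP_SVC_PW` and `LDAP_USER_PW` are assumptions made for this example; the URL, DNs, search base and filter are the ones from the post.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapLoginTrace {
    // URL, service DN, search base and filter are copied from the post's configuration.
    static final String URL = "ldap://root.myserver.org:389/dc=root,dc=myserver,dc=org";
    static final String SERVICE_DN = "CN=ldapuser,OU=Users,OU=Facility1,DC=root,DC=myserver,DC=org";
    static final String SEARCH_BASE = "DC=root,DC=myserver,DC=org";
    static final String FILTER = "(sAMAccountName={0})";

    static DirContext bind(String dn, String password) throws NamingException {
        // An empty password turns a simple bind into an anonymous one, so refuse it.
        if (password == null || password.isEmpty())
            throw new IllegalArgumentException("no password supplied for " + dn);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env); // throws NamingException on a failed bind
    }

    // Usage: java LdapLoginTrace [login] [searchBase]
    // Passwords come from LDAP_SVC_PW and LDAP_USER_PW (names assumed for this example).
    public static void main(String[] args) {
        String login = args.length > 0 ? args[0] : "constar1";
        String base = args.length > 1 ? args[1] : SEARCH_BASE;
        String step = "service bind";
        try {
            DirContext ctx = bind(SERVICE_DN, System.getenv("LDAP_SVC_PW"));
            step = "user search under '" + base + "'";
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setDerefLinkFlag(true);
            // JNDI resolves this name relative to the base DN in URL; "" means that base itself.
            NamingEnumeration<SearchResult> hits = ctx.search(base, FILTER, new Object[] { login }, sc);
            String userDn = hits.hasMore() ? hits.next().getNameInNamespace() : null;
            ctx.close();
            if (userDn == null) { System.out.println("no entry matched " + login); return; }
            System.out.println("found " + userDn);
            step = "user bind";
            bind(userDn, System.getenv("LDAP_USER_PW")).close();
            System.out.println("user bind succeeded");
        } catch (NamingException e) {
            // The message carries the LDAP result code returned by the server.
            System.out.println(step + " failed: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Running it once with the configured search base and once with `""` as the second argument shows whether the search base or the credentials are what the server rejects.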