Feb 18th, 2013, 03:21 PM
Active Directory authentication in Spring 3.1
I'm fairly new to Spring and setting up active directory authentication as described here in section 19.5.
I have the authentication provider and associated bean set up in the security file:
<beans:bean id="adAuthenticationProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="my.domain" />
<beans:constructor-arg value="ldap://my.ldap.server/" />
<!-- Convert AD errors. -->
<beans:property name="convertSubErrorCodesToExceptions" value="true" />
</beans:bean>
When supplying an invalid password I see the following error, which looks correct:
org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider handleBindException
INFO: Active Directory authentication failed: Supplied password was invalid
Every time a valid user/password is provided I get this exception:
org.springframework.security.ldap.SpringSecurityLdapTemplate searchForSingleEntryInternal
INFO: Ignoring PartialResultException
I've tried adding the base to the LDAP URL like this:
<beans:constructor-arg value="ldap://my.ldap.server/dc=comp1,dc=comp1" />
This gives a different error:
org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider doAuthentication
SEVERE: Failed to locate directory entry for authenticated user: user1
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
]; remaining name 'dc=comp1,dc=comp2'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
How do I get past this error? There seems to be very little documentation out there for AD and Spring 3.1 security.
Feb 20th, 2013, 08:11 AM
Working with our Active Directory expert we've determined the source of the problem but still have no solution.
The authentication is successful but there is a problem binding to the object. This throws the PartialResultException. As a test we moved one AD user to the root and the authentication worked (PartialResultException was thrown on successful login). It is quite uncommon to have all user nodes at the root level so this is not a feasible workaround. This problem was alleviated in prior security implementations by setting the "referral" property to "follow" but this property is not available in the ActiveDirectoryLdapAuthenticationProvider class. Why?!
The question remains - how do I implement active directory authentication with Spring Security 3.1? I read something about creating a custom login filter. Is that the only way to get past this problem?
Feb 20th, 2013, 04:23 PM
We've pinpointed the source of the problem and it appears to be a bug in Spring. It was not a matter of the AD user being located in the root as originally suspected. It is a problem with how Spring searches AD.
The problem is that the account name (sAMAccountName) is being used for authentication but the 1st part of the user name (userPrincipalName) is being used for the search. That causes the PartialResultException. Once each user was updated by putting the sAMAccountName into the 1st part of the userPrincipalName then the authentication worked.
How/where can a bug be filed to get this fixed?
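The mismatch described in the post above, as an added example that is not part of the thread or of Spring's own code. It models the 3.1 provider's two steps (bind as user@domain, then search on userPrincipalName) against a constructed in-memory directory; the DIRECTORY entries, DOMAIN, and the assumption that AD accepts an implicit sAMAccountName@domain bind are all mine, and upn_mismatches is an added audit helper, not a Spring API.

```python
# Added example: reproduce why a login can bind successfully yet fail the
# follow-up search in Spring Security 3.1's ActiveDirectoryLdapAuthenticationProvider.
# Modelled behaviour (assumption, not Spring's code): bind principal is "user@domain",
# search filter is (&(objectClass=user)(userPrincipalName=user@domain)).

DOMAIN = "my.domain"  # assumed value, matches the poster's config

# Constructed sample directory. user2's UPN prefix differs from its sAMAccountName,
# which is the situation the thread describes.
DIRECTORY = [
    {"dn": "cn=User One,ou=staff,dc=comp1,dc=comp2", "sAMAccountName": "user1",
     "userPrincipalName": "user1@my.domain", "password": "pw1"},
    {"dn": "cn=User Two,ou=staff,dc=comp1,dc=comp2", "sAMAccountName": "user2",
     "userPrincipalName": "user.two@my.domain", "password": "pw2"},
]

def create_bind_principal(username, domain=DOMAIN):
    """Append @domain unless the user already typed a UPN."""
    return username if "@" in username else f"{username}@{domain}"

def ad_bind(principal, password):
    """Model of an AD simple bind (assumption): an explicit UPN matches, and so does
    the implicit sAMAccountName@domain form even when the real UPN prefix differs."""
    name, _, domain = principal.partition("@")
    for entry in DIRECTORY:
        if (entry["userPrincipalName"] == principal
                or (entry["sAMAccountName"] == name and domain == DOMAIN)):
            return entry["password"] == password
    return False

def search_by_upn(upn):
    """The provider's post-bind lookup: userPrincipalName must match exactly."""
    return [e for e in DIRECTORY if e["userPrincipalName"] == upn]

def authenticate(username, password):
    """Return ('ok', dn), ('bad-credentials', None) or ('entry-not-found', None)."""
    principal = create_bind_principal(username)
    if not ad_bind(principal, password):
        return "bad-credentials", None
    found = search_by_upn(principal)
    if not found:
        # The "Failed to locate directory entry for authenticated user" path.
        return "entry-not-found", None
    return "ok", found[0]["dn"]

def upn_mismatches(directory=DIRECTORY):
    """Audit helper: accounts whose UPN prefix differs from sAMAccountName will hit
    the entry-not-found path; run it over an export before relying on the provider."""
    return [e["sAMAccountName"] for e in directory
            if e["userPrincipalName"].split("@")[0] != e["sAMAccountName"]]
```

Logging in with the full UPN (user.two@my.domain) avoids the failure in this model because the bind principal and the search value are then the same string.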