
Thread: Problem in LDAP-setup


  1. #1
    Join Date
    Dec 2005
    Posts
    2

    Problem in LDAP-setup

    Friends, is there any way to authenticate users using LDAP? I am working on Luntbuild (a build automation tool), which is built using the Spring framework. I need help in resolving how to configure the authentication properties, as I need to authenticate users from Luntbuild. Any help would be appreciated.
    Thanks

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Hi,

    I've recently been working on an updated LDAP authentication provider which we're looking for feedback on prior to the next release. The code is in CVS (in the package org.acegisecurity.providers.ldap) and there is an LDAP version of the contacts sample application which you can take a look at. It's lacking an LDAP server at the moment, but that will be included later. It should give you an idea of how to set up the configuration.

    The relevant code packages are:

    http://acegisecurity.sourceforge.net...e-summary.html
    http://acegisecurity.sourceforge.net...e-summary.html
    http://acegisecurity.sourceforge.net...e-summary.html
    http://acegisecurity.sourceforge.net...e-summary.html

    Let us know how you get on.

    Luke.

  3. #3
    Join Date
    Jul 2005
    Location
    Germany
    Posts
    31

    Great work!

    Hello Luke,

    I managed to authenticate my users to our Lotus Domino servers. The configuration is much easier than in previous versions.

    I'll try Active Directory and Oracle Internet Directory, too.


  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Great. Please let us know how you get on as we'd like to iron out any potential problems in advance. I think we may require an extra configuration parameter for Active Directory login using Windows domain-style usernames.

    Thanks for the feedback.

    Luke.

  5. #5
    Join Date
    Jul 2005
    Location
    Germany
    Posts
    31

    Configuration for Lotus Domino 6.5.4 and AcegiSecurity 1.0 RC1

    Code:
        <bean
            id="initialDirContextFactory"
            class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
            <constructor-arg value="ldap://myserver:389" />
        </bean>
    
        <bean
            id="ldapAuthenticationProvider"
            class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <property name="userDnPatterns">
                        <list>
                            <value>cn={0}</value>
                        </list>
                    </property>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <constructor-arg>
                        <value>o=groups</value>
                    </constructor-arg>
                    <property name="convertToUpperCase">
                        <value>true</value>
                    </property>
                    <property name="rolePrefix">
                        <value></value>
                    </property>
                </bean>
            </constructor-arg>
        </bean>
    The groups have the form
    APPNAME_ROLE/Groups

    where APPNAME is the name of the application (obviously) and ROLE is something like ADMIN, EDITOR or READER. This makes rolePrefix unnecessary.

    Web user names are NOT hierarchical (flat names, unlike Notes names), but it'd be easy to add something like /USERS in userDnPatterns.

    Next will be Oracle Internet Directory (OID).

  6. #6
    Join Date
    Jul 2005
    Location
    Germany
    Posts
    31

    Configuration for Oracle Internet Directory 10g (OID)

    Code:
        <bean
            id="initialDirContextFactory"
            class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
            <constructor-arg value="ldap://myoracle.server:389/dc=company,dc=com" />
        </bean>
    
        <bean
            id="ldapAuthenticationProvider"
            class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg>
                <bean
                    class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <property name="userDnPatterns">
                        <list>
                            <value>cn={0},cn=Users</value>
                        </list>
                    </property>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean
                    class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <constructor-arg>
                        <value>cn=groups</value>
                    </constructor-arg>
                    <property name="convertToUpperCase">
                        <value>true</value>
                    </property>
                    <property name="groupSearchFilter">
                        <value>(uniquemember={0})</value>
                    </property>
                    <property name="groupRoleAttribute">
                        <value>cn</value>
                    </property>
                    <property name="rolePrefix">
                        <value></value>
                    </property>
                </bean>
            </constructor-arg>
        </bean>
    The DN of a group is like cn=APPNAME_ROLE,cn=GROUPS,dc=company,dc=com.
    Again, rolePrefix is unnecessary in this context.
    You can refine the groupSearchFilter, e.g. (&(objectclass=groupOfUniqueNames)(uniqueMember={0}))

    Again configuration was easy and works flawlessly.

  7. #7
    Join Date
    Oct 2007
    Posts
    1

    Configuration for Lotus Domino 6.5.4 and AcegiSecurity 1.0 RC1 in detail

    Hello,

    Sorry to be so clueless and too green, but I've tried setting up "Configuration for Lotus Domino 6.5.4 and AcegiSecurity 1.0 RC1" above like a million times and it did not work. I need help. The setting I prepared is exactly the same as the above setting except for the LDAP server. And I think that the login is already working and it is failing at getting the ROLE. The thing I cannot get correctly from the above is the setting on Lotus Domino in detail. I know this is the Spring forum and this question goes a bit far from it, but could I ask about the setting on Lotus Domino for Spring LDAP a little bit?

    Here are several questions.

    >>The groups have the form
    >>APPNAME_ROLE/Groups

    Does the "form" above mean Lotus Domino's "Internet Certifier" or "Organization" or literally "Form" or what?
    I first thought "/Groups" above was Lotus Domino's "Organization", so what I did was below.

    1. ADD "Groups" as an "Organization" via Domino Administrator's Registration of Tools.
    2. Use the "ADD Group" button to add a Group named "APPNAME_ADMIN/Groups" on "Groups" of "People & Groups".
    (you replace APPNAME with your application's name)
    3. Then Domino shows "APPNAME_ADMIN/Groups" as the name of the group
    and categorizes the group as "Groups".
    4. Add users that you'd like to have Administrator permission (in this case) to "Members" on the groups.

    I think maybe these are far from the correct setting.
    Any help would be appreciated.

    Thanks

  8. #8
    Join Date
    Aug 2004
    Location
    Dayton, OH
    Posts
    15


    Thank you for the information on Active Directory setup using LDAP. I have it mostly working, but for some reason, I am getting a PartialResultException. I believe this is because the Active Directory is returning referral information. I have looked at the traffic with Ethereal and I can see the user information getting returned up to the referrals. I did set java.naming.referral=forward as recommended (I also set it in the jndi.properties file in JBoss just in case).

    Any thoughts on why Acegi is not handling the referrals? I am so close....

    Thanks!

    John Westerkamp

  9. #9
    Join Date
    Aug 2004
    Location
    Dayton, OH
    Posts
    15


    To ganierjm:

    I have found that that response is almost always due to the manager credentials. To get it to work for me with Active Directory, I had to use the principal name, i.e., manager@example.com (no cn's or dc's). That fixed mine right up.

    Hope this helps!

    John Westerkamp

  10. #10
    Join Date
    Aug 2004
    Location
    Dayton, OH
    Posts
    15


    Hi Again,

    Ok, I have figured out how to make Active Directory work with Acegi LDAP. The reason I was getting the PartialResultException was that Active Directory was returning referrals when Acegi started its authentication bind for the user logging into the application. Apparently, Active Directory disregards the Manage Referrals code sent by the client as part of LDAP v3. In my case, I was setting the search base to the top of the directory, i.e., dc=example,dc=com. In addition to the Users ou in the LDAP tree, there are several other system ou's and these cause Active Directory to return referrals, which causes the PartialResultException. Try it with something like

    ldapsearch -x -b dc=example,dc=com -D manager@example.com sAMAccountName=username -W

    and you will see the referrals since the -b argument is set to the top of the directory.

    Now, to get Acegi to work, you must specify the ou containing your user accounts in the userSearch bean as per the previous example. Since the search is limited to that ou, no referrals are obtained and Acegi works! Again, try it with an ldapsearch like

    ldapsearch -x -b ou=Users,dc=example,dc=com -D manager@example.com sAMAccountName=username -W

    Note the addition of the ou=Users to the search base. The result will not contain the referrals.

    Since some of the setup is different than the previous example for RC2, I am including my setup beans for Acegi LDAP authentication against Active Directory. Thanks for all the help!

    Code:
        <bean
            id="initialDirContextFactory"
            class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
            <constructor-arg value="ldap://ad.example.com:389/dc=example,dc=com" />
            <property name="managerDn"><value>manager@example.com</value></property>
            <property name="managerPassword"><value>password</value></property>
            <property name="extraEnvVars">
                <map>
                    <entry key="java.naming.referral">
                        <value>follow</value>
                    </entry>
                </map>
            </property>
        </bean>

        <bean
            id="userSearch"
            class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0">
                <value>ou=Users</value>
            </constructor-arg>
            <constructor-arg index="1">
                <value>(sAMAccountName={0})</value>
            </constructor-arg>
            <constructor-arg index="2">
                <ref local="initialDirContextFactory" />
            </constructor-arg>
            <property name="searchSubtree">
                <value>true</value>
            </property>
        </bean>

        <bean
            id="ldapAuthenticationProvider"
            class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <property name="userSearch">
                        <ref local="userSearch" />
                    </property>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <constructor-arg>
                        <value>ou=Roles</value>
                    </constructor-arg>
                    <property name="convertToUpperCase">
                        <value>true</value>
                    </property>
                    <property name="rolePrefix">
                        <value></value>
                    </property>
                    <property name="searchSubtree">
                        <value>true</value>
                    </property>
                    <property name="groupSearchFilter">
                        <value>member={0}</value>
                    </property>
                    <property name="groupRoleAttribute">
                        <value>cn</value>
                    </property>
                </bean>
            </constructor-arg>
        </bean>
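The three bean configurations in this thread (Domino in #5, OID in #6, Active Directory in #10) all rely on the same handful of settings: a userDnPatterns or user search filter with a {0} placeholder, a group search base, a groupSearchFilter whose {0} receives the authenticated user's DN, and groupRoleAttribute / convertToUpperCase / rolePrefix to turn matching group entries into role names. The following Python model, added here as an illustration and not code from the thread or from Acegi, shows how those values combine against a constructed in-memory group table. It also applies RFC 4514 (DN) and RFC 4515 (filter) escaping to the login name before substitution, so a name containing LDAP metacharacters cannot alter the shape of the DN or filter; whether a given Acegi release escaped at this point is not stated on the page, so treat the escaping as the example's own defensive choice. All function names (user_dn, expand_group_filter, granted_authorities, oid_roles) and the sample groups are assumptions of this example.

```python
"""Added example (not Acegi's code): how userDnPatterns, groupSearchFilter,
groupRoleAttribute, convertToUpperCase, rolePrefix and searchSubtree combine.
The group table is constructed sample data modelled on the OID post."""

# RFC 4514 section 2.4: characters that need a backslash in a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:              # a leading '#' is special
            out.append('\\#')
        elif ch == ' ' and i in (0, last):      # leading or trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape one assertion value for use inside a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(pattern, username, base_dn=''):
    """Expand a userDnPatterns entry such as 'cn={0},cn=Users' for a login name.
    base_dn is the suffix carried by the ldap:// URL (empty in the Domino setup)."""
    dn = pattern.replace('{0}', escape_dn_value(username))
    return dn + ',' + base_dn if base_dn else dn


def expand_group_filter(template, user_dn_value):
    """Expand a groupSearchFilter such as '(uniquemember={0})' or 'member={0}' with
    the user's DN; a bare 'attr={0}' template is wrapped in parentheses."""
    f = template.replace('{0}', escape_filter_value(user_dn_value))
    return f if f.startswith('(') else '(' + f + ')'


def _membership_attribute(template):
    """Attribute name of a simple equality template like '(member={0})'."""
    return template.strip('()').split('=', 1)[0].strip().lower()


def granted_authorities(user_dn_value, groups, group_search_base, group_search_filter,
                        group_role_attribute='cn', convert_to_upper_case=True,
                        role_prefix='ROLE_', search_subtree=False):
    """Model of the DefaultLdapAuthoritiesPopulator settings used in the thread.
    groups maps a group DN to its attributes ({name: [values]}, names lower-cased)."""
    member_attr = _membership_attribute(group_search_filter)
    roles = []
    for dn, attrs in groups.items():
        if not dn.lower().endswith(',' + group_search_base.lower()):
            continue
        # searchSubtree=false: only entries directly under the base (single RDN left).
        if not search_subtree and ',' in dn[:-len(group_search_base) - 1]:
            continue
        if user_dn_value.lower() not in (m.lower() for m in attrs.get(member_attr, [])):
            continue
        for value in attrs.get(group_role_attribute.lower(), []):
            roles.append(role_prefix + (value.upper() if convert_to_upper_case else value))
    return sorted(roles)


# Constructed sample data: groups under cn=groups,dc=company,dc=com as in the OID post.
OID_BASE = 'dc=company,dc=com'
OID_GROUPS = {
    'cn=MYAPP_ADMIN,cn=groups,dc=company,dc=com': {
        'cn': ['MYAPP_ADMIN'],
        'uniquemember': ['cn=alice,cn=Users,dc=company,dc=com']},
    'cn=MYAPP_READER,cn=groups,dc=company,dc=com': {
        'cn': ['MYAPP_READER'],
        'uniquemember': ['cn=alice,cn=Users,dc=company,dc=com',
                         'cn=bob,cn=Users,dc=company,dc=com']},
    'cn=nested,cn=sub,cn=groups,dc=company,dc=com': {   # one level deeper
        'cn': ['nested'],
        'uniquemember': ['cn=bob,cn=Users,dc=company,dc=com']},
}


def oid_roles(username, search_subtree=False):
    """Roles for a login name under the OID bean settings from the thread:
    userDnPatterns cn={0},cn=Users, group base cn=groups, filter (uniquemember={0}),
    groupRoleAttribute cn, convertToUpperCase true, empty rolePrefix."""
    dn = user_dn('cn={0},cn=Users', username, OID_BASE)
    return granted_authorities(dn, OID_GROUPS, 'cn=groups,' + OID_BASE,
                               '(uniquemember={0})', 'cn', True, '', search_subtree)


if __name__ == '__main__':
    print(oid_roles('alice'))                            # ['MYAPP_ADMIN', 'MYAPP_READER']
    print(oid_roles('bob', search_subtree=True))         # ['MYAPP_READER', 'NESTED']
    print(user_dn('cn={0},cn=Users', 'eve,cn=admins'))   # cn=eve\,cn\=admins,cn=Users
```

The searchSubtree flag is what post #10 turns on for Active Directory; in the model above it decides whether the nested group one level below the base is consulted. The last print shows why escaping matters: without it, a login name containing a comma would be parsed as an extra RDN and the bind would be attempted against a different entry than the administrator intended.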
