Thread: LDAP Authentication Problem

  1. #1
     Join Date: Oct 2005 | Location: Manchester, UK | Posts: 19

     LDAP Authentication Problem

    Hi all,

    Please excuse me for posting this here as AFAIK this is not an Acegi problem as such but it's really puzzling me.

    I am trying to configure LdapAuthenticationProvider using the BindAuthenticator. I have managed to get it working using a DN that includes the CN of the user being authenticated:

    Code:
    	<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    		<constructor-arg value="ldap://my.ldap.server:389/o=psygrid,c=uk"/>
    	</bean>
    
    	<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    		<constructor-arg>
    			<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    				<constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
    				<property name="userDnPatterns">
    					<list>
    						<value>cn={0},ou=users</value>
    					</list>
    				</property>
    			</bean>
    		</constructor-arg>
    		<constructor-arg>
    			<bean class="org.psygrid.ldap.PsygridLdapAuthoritiesPopulator" />
    		</constructor-arg>
    	</bean>
    However, what I really want to do is authenticate against the UID of the user, not the CN (so in the config above I just change cn={0} to uid={0}). But whenever I try this I get an AuthenticationException:

    Code:
    2007-01-08 12:12:11,325 [http-8080-Processor25] DEBUG org.acegisecurity.providers.ldap.authenticator.BindAuthenticator - Failed to bind as uid=myuser,ou=users,o=psygrid,c=uk: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    Anybody got any ideas? I've not got much experience with LDAP so am a bit stumped.

  2. #2
     Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
     Join Date: Aug 2004 | Location: Glasgow, Scotland | Posts: 3,449

    In your case the DN uses the CN attribute, not the UID, so a user might be

    cn=joe,ou=users,etc

    but there is no user with DN

    uid=joe,ou=users,etc

    If you're using the bind authenticator, you are attempting to authenticate as the user with this DN, which obviously won't work, since they don't exist. Check your LDAP server log and debug through the Acegi code to verify what happens.

    You'll probably need to configure a search bean to locate the user first, then do the bind.

  3. #3
     Join Date: Oct 2005 | Location: Manchester, UK | Posts: 19

    Hi Luke,

    Thanks for your reply. I now have it working as intended using FilterBasedLdapUserSearch:

    Code:
    	<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    		<constructor-arg value="ldap://my.ldap.server:389/"/>
    	</bean>
    
    	<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    		<constructor-arg index="0">
    			<value>ou=users,o=psygrid,c=uk</value>
    		</constructor-arg>
    		<constructor-arg index="1">
    			<value>(uid={0})</value>
    		</constructor-arg>
    		<constructor-arg index="2">
    			<ref local="initialDirContextFactory" />
    		</constructor-arg>
    		<property name="searchSubtree">
    			<value>true</value>
    		</property>
    	</bean>
    
    	<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    		<constructor-arg>
    			<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    				<constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
    				<property name="userSearch">
    					<ref local="userSearch" />
    				</property>
    			</bean>
    		</constructor-arg>
    		<constructor-arg>
    			<bean class="org.psygrid.web.ldap.PsygridLdapAuthoritiesPopulator" />
    		</constructor-arg>
    	</bean>
    Your help was much appreciated.

    cheers, Rob
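The two flows in this thread, the direct userDnPatterns bind from post #1 that Luke explains in post #2 and the search-then-bind from post #3, as an added Python model that is not part of the thread and not Acegi code. It runs against a constructed in-memory directory (an assumption, as are the names "Joe Bloggs", "joe", "s3cret" and the helper functions) whose user entries have cn as the RDN and uid as a plain attribute, which is exactly the layout that makes `uid={0}` fail with result code 49 while `cn={0}` works. It also carries the three checks a practitioner would want around the search-then-bind path: the username is RFC 4515-escaped before it goes into `(uid={0})`, the search must return exactly one entry, and an empty password is refused rather than passed to the server as an unauthenticated bind (RFC 4513), which some servers treat as a successful anonymous bind.

```python
import re

BASE = "o=psygrid,c=uk"


class LdapError(Exception):
    """Stands in for javax.naming.AuthenticationException (LDAP result code 49)."""


# Constructed sample directory (an assumption for illustration, not the poster's data).
# Each user entry's RDN is cn=..., while uid is an ordinary attribute.
DIRECTORY = {
    "cn=Joe Bloggs,ou=users," + BASE: {"cn": ["Joe Bloggs"], "uid": ["joe"], "userPassword": "s3cret"},
    "cn=Ann Other,ou=users," + BASE: {"cn": ["Ann Other"], "uid": ["ann"], "userPassword": "hunter2"},
}


def bind(dn, password):
    """Simple bind: the DN must exist and the password must match.
    RFC 4513 calls a bind with an empty password 'unauthenticated', and some
    servers accept it as anonymous; refusing it here stops a blank password
    from ever counting as a login."""
    if not password:
        raise LdapError("empty password: unauthenticated bind refused")
    entry = DIRECTORY.get(dn)
    if entry is None or entry["userPassword"] != password:
        raise LdapError("[LDAP: error code 49 - Invalid Credentials]")
    return dn


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    value = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


_SIMPLE_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def search(base, filt):
    """Toy subtree search: only (attr=value) filters, with '*' wildcards and
    \\xx escapes. Matching is case-sensitive here, unlike most real schemas."""
    m = _SIMPLE_FILTER.match(filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, pattern = m.group(1), m.group(2)
    rx = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", pattern):
        if tok == "*":
            rx += ".*"                                   # unescaped wildcard
        elif tok.startswith("\\"):
            rx += re.escape(chr(int(tok[1:], 16)))       # escaped literal byte
        else:
            rx += re.escape(tok)
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith(base) and any(re.fullmatch(rx, v) for v in e.get(attr, []))]


def authenticate_by_dn_pattern(pattern, username, password):
    """Post #1's approach: fill the userDnPattern and bind as that DN.
    cn={0} works because cn is the RDN; uid={0} names a DN that does not exist,
    so the server answers with result code 49 whatever the password is."""
    dn = pattern.format(escape_dn_value(username)) + "," + BASE
    return bind(dn, password)


def authenticate_search_then_bind(username, password, escape=True):
    """Post #3's approach: search (uid={0}) under ou=users (anonymously, as the
    posted config has no managerDn), insist on exactly one hit, then bind as
    the located DN with the user's own password."""
    value = escape_filter_value(username) if escape else username
    hits = search("ou=users," + BASE, "(uid=%s)" % value)
    if len(hits) != 1:
        raise LdapError("expected exactly one user for %r, found %d" % (username, len(hits)))
    return bind(hits[0], password)


def fails(fn, *args, **kwargs):
    """True if the call raises LdapError; used to check the failure cases."""
    try:
        fn(*args, **kwargs)
    except LdapError:
        return True
    return False


if __name__ == "__main__":
    print(authenticate_by_dn_pattern("cn={0},ou=users", "Joe Bloggs", "s3cret"))
    print(fails(authenticate_by_dn_pattern, "uid={0},ou=users", "joe", "s3cret"))
    print(authenticate_search_then_bind("joe", "s3cret"))
```

Running `authenticate_search_then_bind("j*", "s3cret", escape=False)` logs in as Joe under a username that does not exist, which is what an unescaped filter value allows; with escaping on, the same input finds no entry and is rejected. The exactly-one check is what keeps `(uid=*)` from silently picking the first matching user.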
