
Thread: Problem with Authentication with Active Directory

  1. #1
    Join Date
    Dec 2005
    Posts
    19

    Problem with Authentication with Active Directory

    Hi

    I am having some problems connecting to my AD server. The server does not have anonymous read-only access.

    My spring context config:
    Code:
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
       <property name="url" value="ldap://10.1.2.31:389" />
       <property name="base" value="OU=Brukere,DC=company,DC=com" />
       <property name="userName" value=">CN=USERWITHHFULLACCESS,OU=System,OU=Brukere,OU=Admin,DC=company,DC=com" />
       <property name="password" value="Password" />
    </bean>

    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
       <constructor-arg ref="contextSource" />
    </bean>

    <bean id="userInformationDao" class="com.company.dao.ldap.UserInformationDaoLdap">
       <property name="ldapTemplate" ref="ldapTemplate" />
    </bean>
    Is this the correct way to connect? I want to search for stuff under the base value. The user is specified with complete path.

    My class:
    Code:
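    import java.util.List;

    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;

    import org.springframework.ldap.core.AttributesMapper;
    import org.springframework.ldap.core.LdapTemplate;

    public class UserInformationDaoLdap implements UserInformationDao {
        private LdapTemplate ldapTemplate;

        public void setLdapTemplate(LdapTemplate ldapTemplate) {
            this.ldapTemplate = ldapTemplate;
        }

        // Maps the cn and sn attributes of each matching entry onto a User.
        private class UserAttributesMapper implements AttributesMapper {
            public Object mapFromAttributes(Attributes attrs) throws NamingException {
                User user = new User();
                user.setFirstName((String) attrs.get("cn").get());
                user.setLastName((String) attrs.get("sn").get());
                return user;
            }
        }

        // An empty search base means "relative to the base set on the context source".
        public List<User> getAllUsers() {
            return ldapTemplate.search("", "(objectclass=person)", new UserAttributesMapper());
        }
    }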
    Exception:
    Code:
    Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 2.079 sec <<< FAILURE!
    testGetAllUsers(com.company.dao.UserInformationDaoTest)  Time elapsed: 2.061 sec  <<< ERROR!
    org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@]
            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:88)
            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:235)
            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:107)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:266)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:234)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:548)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:532)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:383)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:406)
            at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:424)
            at com.company.dao.ldap.UserInformationDaoLdap.getAllUsers(UserInformationDaoLdap.java:31)
            at com.company.dao.UserInformationDaoTest.testGetAllUsers(UserInformationDaoTest.java:20)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at junit.framework.TestCase.runTest(TestCase.java:168)
            at junit.framework.TestCase.runBare(TestCase.java:134)
            at org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:76)
            at junit.framework.TestResult$1.protect(TestResult.java:110)
            at junit.framework.TestResult.runProtected(TestResult.java:128)
            at junit.framework.TestResult.run(TestResult.java:113)
            at junit.framework.TestCase.run(TestCase.java:124)
            at junit.framework.TestSuite.runTest(TestSuite.java:232)
            at junit.framework.TestSuite.run(TestSuite.java:227)
            at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
            at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
            at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:138)
            at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:125)
            at org.apache.maven.surefire.Surefire.run(Surefire.java:132)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:290)
            at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:818)
    Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@]
            at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
            at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
            at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    Anyone out there that can help me?

  2. #2
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505


    Could it be that the server does not allow unencrypted connections? Try connecting using ldaps instead (usually port 636).
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  3. #3
    Join Date
    Dec 2005
    Posts
    19


    I have another application that connects without SSL. It uses some other LDAP library, which is not quite as convenient as Spring-LDAP. I think I found out that SSL was disabled, but I will try to connect with SSL tomorrow.

  4. #4
    Join Date
    Dec 2005
    Posts
    19


    I have now created a new function to test better:

    Code:
    try {
        // Build the context source in code instead of loading it from the application context.
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setAnonymousReadOnly(false);

        contextSource.setBase("dc=company,dc=com");
        contextSource.setUserDn("user@company.com");
        contextSource.setPassword("password");
        contextSource.setUrl("ldap://dc01.company.com:389");
        contextSource.setPooled(false);

        contextSource.setDirObjectFactory(DefaultDirObjectFactory.class);
        contextSource.setBaseEnvironmentProperties(new HashMap());
        contextSource.afterPropertiesSet();

        LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
        ldapTemplate.setIgnorePartialResultException(true);
        ldapTemplate.afterPropertiesSet();

        SearchControls controls = new SearchControls();
        controls.setTimeLimit(0);
        controls.setCountLimit(0);
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        // Print the cn of every entry found under the base.
        List returnList = ldapTemplate.search("", "(cn=*)", controls, new AttributesMapper() {
            public Object mapFromAttributes(Attributes attrs) throws NamingException {
                System.out.println(attrs.get("cn").get());
                return attrs.get("cn").get();
            }
        });
    } catch (Exception e) {
        e.printStackTrace();
    }
    System.out.println("done");
    And I have the old config file like this:
    Code:
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
       <property name="url" value="ldap://dc01.company.com:389" />
       <property name="base" value="dc=company,dc=com" />
       <property name="userDn" value="user@company.com" />
       <property name="password" value="password" />
       <property name="pooled" value="false" />
    </bean>

    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
       <constructor-arg ref="contextSource" />
       <property name="ignorePartialResultException" value="true" />
    </bean>
    Anyone know why my test code works and the code that uses the application context gives me an authentication error?

  5. #5
    Join Date
    Jul 2005
    Location
    Geneva (Switzerland)
    Posts
    304


    Error 525 seems to be an invalid username. I know I had quite a few problems finding the right way to connect to our ActiveDirectory, but I can't remember what the solution was... Maybe you need a full DN (something like "uid=userName,ou=Information Technology Team,ou=New Jersey,dc=ost,dc=srcorp,dc=com")...

    Did you try to connect to your LDAP server with a client that is known to be working, e.g. LDAP Explorer (http://ldaptool.sourceforge.net/)?

  6. #6
    Join Date
    Dec 2005
    Posts
    19


    Thanks for the help, but I made a little mistake. My first problem was that the account was locked (too many failed attempts).
    The second was my build system: changes to the application context didn't come through.
    Both of the last two examples work.
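
Posts #5 and #6 turn on the `data 525` field of the error 49 message, which is Active Directory's sub-status for the failed bind. The following is an added example, not code from the thread or from Spring LDAP: a small decoder (the class and method names are hypothetical) that extracts that field and separates faults in the client's bind configuration from faults in the account's state, such as a lockout.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Added example (not from the thread): decode the "data NNN" sub-status of an AD bind failure.
public class AdBindErrorDecoder {
    // Sub-status values are hexadecimal Win32 error codes returned by Active Directory.
    private static final Map<String, String> SUB_STATUS = new HashMap<>();
    static {
        SUB_STATUS.put("525", "user not found");
        SUB_STATUS.put("52e", "invalid credentials");
        SUB_STATUS.put("530", "logon not permitted at this time");
        SUB_STATUS.put("531", "logon not permitted from this workstation");
        SUB_STATUS.put("532", "password expired");
        SUB_STATUS.put("533", "account disabled");
        SUB_STATUS.put("701", "account expired");
        SUB_STATUS.put("773", "user must reset password");
        SUB_STATUS.put("775", "account locked out");
    }
    private static final Pattern AD_ERROR_49 = Pattern.compile(
            "error code 49\\b.*?AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    // Returns the lower-cased sub-status, or null when the text is not an AD error 49 message.
    static String subStatus(String message) {
        if (message == null) return null;
        Matcher m = AD_ERROR_49.matcher(message);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    // True when the bind identity or password in the client config is what needs fixing.
    static boolean isClientConfigProblem(String code) {
        return "525".equals(code) || "52e".equals(code);
    }

    static String diagnose(String message) {
        String code = subStatus(message);
        if (code == null) return "not an AD error 49 message";
        String meaning = SUB_STATUS.getOrDefault(code, "unrecognised sub-status");
        String where = isClientConfigProblem(code) ? "check userDn/password" : "check the account state in AD";
        return "data " + code + " (" + meaning + "): " + where;
    }

    public static void main(String[] args) {
        // First message is the one quoted in post #1 (trailing bytes dropped); second is constructed.
        String fromThread = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                + "comment: AcceptSecurityContext error, data 525, vece]";
        String[] samples = {fromThread, fromThread.replace("data 525", "data 775")};
        for (String sample : samples) System.out.println(diagnose(sample));
    }
}
```

Keep the decoded reason in the operator's log only; an application that shows "user not found" versus "invalid credentials" to the person logging in tells them which account names exist.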
