
Thread: Spring Security 2.0.0 LDAP Authentication problems - "Bad Credentials"

  1. #1

    Spring Security 2.0.0 LDAP Authentication problems - "Bad Credentials"

    I am having problems getting a SpringMVC application with a schema-based configuration of a "ldap-authentication-provider" to work. The credentials given in the login screen fail.
    I have manually verified the password with an MD5 tool and it matches the object in the LDAP catalog (OpenLDAP).
    I am aiming for a password compare; the user should not BIND with the LDAP (unless I am wrong about the BIND concept). All queries to the LDAP catalog are anonymous.

    Additional question:
    1. Is it possible to limit the search to oneLevel? I cannot find any documentation on how to do this with the schema-based configuration.


    Here is my xml config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
     
        <security:http auto-config="false">
            <security:intercept-url pattern="/**" access="ROLE_KOEADMIN" />
            <security:form-login />
            <security:anonymous />
            <security:logout />
        </security:http>
        
        <security:ldap-server id="ok_ldap" url="ldap://ldap.mydomain.no:389/"/>
        <security:ldap-authentication-provider 
                server-ref="ok_ldap"
                group-search-filter="cn={0}" 
                group-search-base="(ou=Auth, dc=mydomain, dc=no)"
                user-search-filter="(employeeNumber={0})"
                user-search-base="ou=People, dc=mydomain, dc=no"
                >
            <security:password-compare hash="md5"/>
        </security:ldap-authentication-provider>
    </beans>
    This is the LDAP entry (anonymized):


    This is the resulting log:
    Code:
    2008-04-22 19:19:13,110 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - <Request is to process authentication>
    2008-04-22 19:19:13,111 DEBUG [org.springframework.security.providers.ProviderManager] - <Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider>
    2008-04-22 19:19:13,112 DEBUG [org.springframework.security.ldap.search.FilterBasedLdapUserSearch] - <Searching for user '79927', with user search [ searchFilter: '(employeeNumber={0})', searchBase: 'ou=People, dc=mydomain, dc=no', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]>
    2008-04-22 19:19:13,114 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Principal: ''>
    2008-04-22 19:19:13,157 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Got Ldap context on server 'ldap://ldap.mydomain.no:389/'>
    2008-04-22 19:19:13,592 DEBUG [org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator] - <Performing LDAP compare of password attribute 'userPassword' for user 'uid=espen.tjonneland 79927@uke, ou=People, dc=mydomain, dc=no'>
    2008-04-22 19:19:13,596 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Principal: ''>
    2008-04-22 19:19:13,596 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Got Ldap context on server 'ldap://ldap.mydomain.no:389/'>
    2008-04-22 19:19:13,606 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - <Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@16be7ee]: org.springframework.security.event.authentication.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@faecefe: Principal: 79927; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 5E135069B0C2C3455D186723AE1E7DD6; Not granted any authorities]>
    2008-04-22 19:19:13,606 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - <Updated SecurityContextHolder to contain null Authentication>
    2008-04-22 19:19:13,606 DEBUG [org.springframework.security.ui.webapp.AuthenticationProcessingFilter] - <Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials>
    Any help on this is greatly appreciated.

    Regards, Espen.

  2. #2
    Luke Taylor (Acegi Security System Team / Spring Team)


    For problems like this, you are best to debug via a unit test. The code that does the compare is here:

    http://static.springframework.org/sp...cator.html#103

    So if you break it down from there (and the corresponding code in the SpringSecurityTemplate), you should be able to get closer to the problem.

    The default scope when searching is subtree and there isn't an option for altering that in the namespace configuration. You can use traditional beans though.

  3. #3


    I have followed your advice Luke and debugged the source.

    The error happens in:
    org.springframework.security.providers.ldap.authenticator.LdapShaPasswordEncoder

    I thought that my configuration would perform an MD5 hash of the user-supplied password and compare it to the MD5-hashed password in the LDAP, but this does not seem to happen. Instead, the code hashes the user-supplied password with SHA and then compares it with the password retrieved from the LDAP.
    Last edited by Espen Tjonneland; Apr 23rd, 2008 at 05:33 AM.
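    The check behind the mismatch Espen debugged, as an added example in Python (not code from the thread or from Spring Security): an RFC 2307 userPassword value carries its scheme as a prefix, so a compare has to hash the candidate with the scheme the directory used. compare() honours the prefix; fixed_scheme_compare() reproduces the failure mode where an encoder fixed to SHA is applied against an {MD5} entry. Scheme table, sample password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac

# RFC 2307 scheme prefix -> (hash constructor, digest length, salted?).
# Constructed for this example; OpenLDAP stores userPassword in this form,
# salted variants as base64(digest + salt).
SCHEMES = {
    "MD5": (hashlib.md5, 16, False),
    "SHA": (hashlib.sha1, 20, False),
    "SMD5": (hashlib.md5, 16, True),
    "SSHA": (hashlib.sha1, 20, True),
}


def encode(password: str, scheme: str, salt: bytes = b"") -> str:
    """Return '{SCHEME}' + base64(hash(password + salt) + salt)."""
    func, _, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    digest = func(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def compare(candidate: str, stored: str) -> bool:
    """Verify candidate against a stored value using the scheme it declares."""
    if not stored.startswith("{"):
        # No prefix: the directory holds cleartext; compare the bytes directly.
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    entry = SCHEMES.get(scheme.upper())
    if entry is None:
        return False  # unknown scheme: fail closed rather than guess
    func, dlen, salted = entry
    raw = base64.b64decode(b64)
    if (salted and len(raw) <= dlen) or (not salted and len(raw) != dlen):
        return False  # malformed value
    salt = raw[dlen:] if salted else b""
    expected = func(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, raw[:dlen])


def fixed_scheme_compare(candidate: str, stored: str, encoder_scheme: str) -> bool:
    """The thread's failure mode: hash with one fixed scheme regardless of the
    prefix on the stored value, then compare the resulting strings."""
    return hmac.compare_digest(encode(candidate, encoder_scheme).encode("ascii"),
                               stored.encode("ascii"))
```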

  4. #4
    Luke Taylor


    Hmm. Ok. Sounds like a bug in the Ldap namespace.

    It looks like the [<password-compare>] element supports both a hash attribute and a [<password-encoder>] child element. I can't remember if this was intentional or if the attribute was intended to be replaced by the full child element, but it looks like only the latter is supported by the parser and the attribute is ignored. So in the meantime you can use the [<password-encoder>] syntax and that should hopefully work. I'll open an issue for it. Thanks for reporting (and debugging) it!
    Last edited by Luke Taylor; Apr 23rd, 2008 at 06:33 AM.

  5. #5

    Resolved

    I finally got it.
    Turns out I had it configured wrong.
    Correct config is

    Code:
    <security:ldap-authentication-provider 
                server-ref="ok_ldap"
                group-search-filter="cn={0}" 
                group-search-base="(ou=Auth, dc=mydomain, dc=no)"
                user-search-filter="(employeeNumber={0})"
                user-search-base="ou=People, dc=mydomain, dc=no"
                >
            <security:password-compare hash="md5">
                <security:password-encoder hash="md5"/>
            </security:password-compare>
        </security:ldap-authentication-provider>

  6. #6
    Luke Taylor


    It should work both ways now

    http://jira.springframework.org/browse/SEC-793



    Code:
    <security:password-compare hash="md5"/>
    and

    Code:
    <security:password-compare>
        <security:password-encoder hash="md5"/>
    </security:password-compare>
    should be equivalent. If you use both, you'll get a warning and the "hash" attribute on the password-compare element will be ignored.

  7. #7


    Hello guys,

    I am trying to configure Spring LDAP with Oracle Internet Directory. I am getting the exception message: BAD CREDENTIALS.

    In our application, I am trying to authenticate users with the Oracle Internet Directory LDAP server. If the user is valid, then he will enter our application.

    I am using namespace-based security configuration.

    To check whether the username and password are valid, I have written a simple Java client application which does a JNDI lookup, and it authenticates successfully.

    Any suggestions, please.

    Thanks,
    Naresh
