
Thread: LDAP error 49 (seems simple?)

  1. #1

    Default LDAP error 49 (seems simple?)

    Hi all,
    I have been wrestling with this for 2 days... I have an ApacheDS instance running on port 10389 (the default)
    with the schema below. My authentication manager is wired to use LDAP via the config below.
    My server is configured not to allow anonymous binding (the default). I've tried variations of
    BindAuthenticator and PasswordComparisonAuthenticator, but no luck. I keep getting
    "LDAP: error code 49 - Bind failed: null". I can confirm that I can bind as the user via
    Apache Studio (i.e. I know the correct passwords). The passwords are plain text (for now).

    It seems like there is not that much that could go wrong here, but ...?


    ################################################## ################
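    <!-- Authentication provider: takes the "authenticator" bean (credential check) and the
         "populator" bean (role lookup) as constructor arguments. The "populator" bean is
         referenced here but is not defined in this excerpt. -->
    <bean id="ldapAuthenticationProvider"
          class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg ref="authenticator" />
        <constructor-arg ref="populator" />
    </bean>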
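    <!-- Context source: the directory connection and the manager (service) bind used by the
         application.
         NOTE(review): LDAP result code 49 means "invalid credentials". The base DN
         dc=example,dc=com appears both in the URL and at the end of userDn. The thread's
         resolution was to bind as uid=admin,ou=system (the ApacheDS default administrator DN,
         which does not sit under dc=example,dc=com) and to set the base separately.
         Hardening for anything beyond a local test:
         * ldap:// is unencrypted, so the manager password and every user password checked by a
           simple bind cross the network in clear text; use ldaps:// or StartTLS.
         * Bind with a dedicated, read-only service account rather than the directory
           administrator.
         * Keep the password out of the bean file; inject it from an external property source. -->
    <bean id="initialDirContextFactory"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://localhost:10389/dc=example,dc=com" />
        <property name="userDn" value="uid=admin,ou=system,dc=example,dc=com" />
        <property name="password" value="***" />
    </bean>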
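    <!-- Bind authentication: the submitted password is verified by binding to the directory as
         the user, so the application itself never needs read access to userPassword. -->
    <bean id="authenticator"
          class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg ref="initialDirContextFactory" />
        <property name="userDnPatterns">
            <!-- The pattern is relative to the context source's base DN; {0} is the login name.
                 Intended full DN, for example: uid=dianne,ou=people,dc=example,dc=com -->
            <list>
                <value>uid={0},ou=people</value>
            </list>
        </property>
        <!-- Left disabled: a password encoder applies to PasswordComparisonAuthenticator, where
             the application compares the stored value itself. With a bind, the directory
             performs the check. -->
        <!--
        <property name="passwordEncoder">
            <bean class="org.springframework.security.providers.encoding.PlaintextPasswordEncoder" />
        </property>
        -->
    </bean>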
    ################################################## ################
    ################################################## ################
    # Directory contents as LDIF: the dc=example,dc=com suffix entry, four organizational
    # units (asia, americas, groups, people), three user entries and three groupOfNames entries.
    dn: dc=example,dc=com
    objectClass: domain
    objectClass: extensibleObject
    objectClass: top
    dc: example

    dn: ou=asia,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: asia

    dn: ou=americas,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: americas

    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: groups

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: people

    # User entries. The double colon in "userPassword::" is LDIF's marker for a base64-encoded
    # value. Base64 is an encoding, not protection, and the post states the passwords are plain
    # text. Store a salted hash (for example an {SSHA} value) before using this outside a test
    # directory; bind authentication keeps working because the server does the comparison.
    dn: uid=rod,ou=people,dc=example,dc=com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    cn: Rod Johnson
    sn: Johnson
    uid: rod
    userPassword:: a29hbGE=

    dn: uid=dianne,ou=people,dc=example,dc=com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    cn: Dianne Emu
    sn: Emu
    uid: dianne
    userPassword:: ZW11

    dn: uid=scott,ou=people,dc=example,dc=com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    cn: Scott
    sn: Wombat
    uid: scott
    userPassword:: d29tYmF0

    # Group entries: each "member" value is the full DN of a user entry.
    dn: cn=user,ou=groups,dc=example,dc=com
    objectClass: groupOfNames
    objectClass: top
    cn: user
    member: uid=rod,ou=people,dc=example,dc=com
    member: uid=dianne,ou=people,dc=example,dc=com
    member: uid=scott,ou=people,dc=example,dc=com

    # NOTE(review): the second member below begins with "dianne=rod" instead of a uid= RDN like
    # every other member value; presumably uid=dianne,ou=people,dc=example,dc=com was intended.
    # As written it matches no user entry shown here, so a group search on member=<user DN>
    # would not return this group for dianne. Confirm against the live directory.
    dn: cn=teller,ou=groups,dc=example,dc=com
    objectClass: groupOfNames
    objectClass: top
    cn: teller
    member: uid=rod,ou=people,dc=example,dc=com
    member: dianne=rod,ou=people,dc=example,dc=com

    dn: cn=supervisor,ou=groups,dc=example,dc=com
    objectClass: groupOfNames
    objectClass: top
    cn: supervisor
    member: uid=rod,ou=people,dc=example,dc=com

  2. #2


    I was having some of the same issues you were, and this is the config that worked for me. I tweaked it to fit your DS.

    Code:
    	<!-- Directory connection and manager bind. The base DN is set through the "base" property
    	     instead of being appended to the URL, and userDn is given without the dc=example,dc=com
    	     suffix.
    	     NOTE(review): ldap:// carries the manager password and users' bind passwords
    	     unencrypted; use ldaps:// or StartTLS when the directory is not on localhost. Prefer a
    	     dedicated read-only service account over the directory administrator, and load the
    	     password from outside this file rather than storing it in the bean definition. -->
    	<bean id="contextSource"
    		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    		<constructor-arg value="ldap://localhost:10389" />
    		<property name="base" value="dc=example,dc=com" />
    		<property name="userDn" value="uid=admin,ou=system" />
    		<property name="password" value="xxxxxxx" />
    	</bean>
    
    	<!-- LDAP authentication provider built from two inline beans: an authenticator (first
    	     constructor argument) and an authorities populator (second constructor argument). -->
    	<bean id="ldapAuthenticationProvider"
    		class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    		<constructor-arg>
    			<!-- Verifies the password by binding to the directory as the user. -->
    			<bean
    				class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
    				<constructor-arg ref="contextSource" />
    				<property name="userDnPatterns">
    					<list>
    						<!-- Relative to the context source's base; {0} is the login name. -->
    						<value>uid={0},ou=people</value>
    					</list>
    				</property>
    			</bean>
    		</constructor-arg>
    		<constructor-arg>
    			<!-- Maps group membership to granted authorities. The empty second argument is the
    			     group search base, i.e. the search starts at the context source's base and,
    			     with searchSubtree, covers everything below it. -->
    			<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
    				<constructor-arg ref="contextSource" />
    				<constructor-arg value="" />
    				<property name="groupRoleAttribute" value="cn" />
    				<property name="searchSubtree" value="true" />
    				<property name="rolePrefix" value="ROLE_" />
    				<!-- &amp; is the XML-escaped LDAP AND operator; {0} is the authenticated user's DN,
    				     so only groupOfNames entries whose member value equals that DN match. -->
    				<property name="groupSearchFilter" value="(&amp;(objectClass=groupOfNames)(member={0}))" />
    			</bean>
    		</constructor-arg>
    		<!-- Registers this bean as an authentication provider; assumes the "sec" prefix is
    		     bound to the Spring Security namespace on the root element (not shown here). -->
    		<sec:custom-authentication-provider />
    	</bean>

  3. #3


    Thank you. That did it. The problem seems to be specifying the baseDN in the URL (ldap://localhost:10389/dc=example,dc=com) and having it in the userDN as well ("uid=admin,ou=system,dc=example,dc=com"). Strange, I could swear I tried just removing the baseDN from the URL before posting, but now that seems to work as well. I think the moral of the story is that using the "base" property makes things much clearer. Thanks for taking the time to help!
