Thread: Problems binding against Active Directory

  1. #1

    Problems binding against Active Directory

    Hello everyone,

    First of all, I'd like to apologize if this issue has already been solved in this forum, but I've been looking here for a solution for a while and didn't find it.

    We're trying to authenticate against AD using binding, and we got it!!!

    Obviously this is not the motivation of this thread, so here comes the problem.

    Everything works fine if we look for users in a predefined OU, but if we try to look for them in the whole AD, it fails.

    We can get two different problems:
    - PartialResultException (it appears as if the search returned more than 1 result)
    - IncorrectResultSizeDataAccessException (it returns more than 1 result, which is impossible because I'm searching by sAMAccountName).

    Here's my Spring Security Configuration:

    Code:
    <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value>DC=xxxxxxx,DC=com</value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>sAMAccountName={0}</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="initialDirContextFactory" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
        <property name="derefLinkFlag">
            <value>true</value>
        </property>
    </bean>

    <bean id="initialDirContextFactory" class="org.springframework.security.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldap://host:port" />
        <property name="managerDn" value="zzzzz"></property>
        <property name="managerPassword" value="aaaaaa"></property>
    </bean>

    <bean id="ldapAuthProvider" class="com.globalia.licomedes.arq.seguridad.LDAPAuthenticationProviderLicomedes">
        <constructor-arg ref="authenticator" />
        <constructor-arg ref="servicioAutenticacion" />
    </bean>

    <bean id="authenticator" class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg ref="initialDirContextFactory" />
        <property name="userSearch"><ref bean="userSearch"/></property>
    </bean>
    If I include OU=XXXXX,DC=xxxxxxx,DC=com instead of DC=xxxxxxx,DC=com, it works OK.

    Has anyone found this problem?

    Thank you very much in advance!!!!

    PS1: I've tried specifying ignorePartialResultException, but it doesn't work because I'm not searching over a custom template; Spring Security creates its own template, so I can't configure it.
    PS2: As you can see in the configuration, I've also tried to use the derefLinkFlag property.

  2. #2

    Anyone???

    Doesn't anyone have an idea about what the problem could be???

  3. #3

    Have you gotten anywhere on this problem? I think I'm experiencing the same thing.

  4. #4

    Overriding/Customising the DefaultLdapAuthoritiesPopulator and BindAuthenticator worked for me. Those classes encapsulate the ldapTemplate. Because I am using Spring LDAP 1.3.0, I set it to ignore the partial result exception by calling ldapTemplate.setIgnorePartialResultException(true);

  5. #5

    Quote Originally Posted by havenn:
        Overriding/Customising the DefaultLdapAuthoritiesPopulator and BindAuthenticator worked for me. Those classes encapsulate the ldapTemplate. Because I am using Spring LDAP 1.3.0, I set it to ignore the partial result exception by calling ldapTemplate.setIgnorePartialResultException(true);

    Yes, I did this for my use of the LdapTemplate:

    Code:
    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="contextSource" />
        <property name="ignorePartialResultException" value="true"/>
    </bean>
    But for simple authentication against AD you should not have to set that, or even have that bean present. I don't use that bean for authentication; I use it for LDAP searches/lookups in my AD user management services layer (actually I haven't used it for anything but testing yet). The basic Spring Security setup I use without that template works for me. I am sure an LdapTemplate is used somewhere under the covers, but I use nothing but the Spring Security layer for authentication and have no problems with partial results (debug log warnings aside). IIRC there is something in various docs about this being the default?

    But back to the original question:

    The hardest problem I had was getting the config to work with our AD instance. Once I did that, I was fine, but then I don't think we have any 'referrals'?

    Anyway, I had similar problems. What I did was start from the root:

    Code:
    <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value>DC=example,DC=com</value> <!-- Start at the root -->
            <!-- <value>OU=WesternOrg,DC=example,DC=com</value>
                 - previous value; we don't need to start there, we can start at the root instead and get everybody. Yahoo! -->
        </constructor-arg>
        <constructor-arg index="1">
            <value>sAMAccountName={0}</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="securityContextSource" />
        </constructor-arg>
        <property name="searchSubtree" value="true" />
    </bean>
    The other key part was the populator:

    Code:
    <bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0">
            <ref local="securityContextSource" />
        </constructor-arg>
        <constructor-arg index="1">
            <value>CN=TheCNWhereTheGroupsAreKept,DC=example,DC=com</value>
        </constructor-arg>
        <property name="searchSubtree" value="true"/>
    </bean>
    For us, 'TheCNWhereTheGroupsAreKept' is "BuiltIn" off the root ("example.com"). I think "BuiltIn" may be a default AD entry where groups are kept? I am still learning - maybe that is obvious to AD people? Once I got those two settings correct, everything kind of fell into place for me. Hope this helps.
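    The mechanism the replies above are configuring, as an added Java example that is not code from this thread or from Spring: it reproduces what LdapTemplate's ignorePartialResultException does when a JNDI subtree search from the domain root ends in a referral to another naming context, followed by the "exactly one match" rule behind IncorrectResultSizeDataAccessException. The user entry and the trailing referral are constructed in place of a real directory, so it compiles and runs offline; the class name, the entry DN and the exception message are assumptions.

```java
import java.util.ArrayList;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
public class PartialResultDemo {
    // Drain the results the way LdapTemplate does, then require exactly one match. A domain
    // controller's referral at the end of a root subtree search surfaces as PartialResultException.
    static SearchResult searchSingle(NamingEnumeration<SearchResult> results,
                                     boolean ignorePartialResultException) throws NamingException {
        ArrayList<SearchResult> entries = new ArrayList<>();
        try {
            while (results.hasMore()) {
                entries.add(results.next());
            }
        } catch (PartialResultException e) {
            if (!ignorePartialResultException) {
                throw e;                 // the exception reported in post #1
            }                            // otherwise: referral dropped, entries already read are kept
        } finally { results.close(); }
        if (entries.size() != 1) {       // the rule behind IncorrectResultSizeDataAccessException
            throw new IllegalStateException("expected 1 entry, got " + entries.size());
        }
        return entries.get(0);
    }
    // Constructed stand-in for the directory (no server needed): one user entry, then a referral.
    static NamingEnumeration<SearchResult> fakeAdResults() {
        return new NamingEnumeration<SearchResult>() {
            boolean delivered;
            public boolean hasMore() throws NamingException {
                if (delivered) throw new PartialResultException("continuation reference");
                return true;
            }
            public SearchResult next() {
                delivered = true;
                return new SearchResult("CN=jdoe,OU=Users,DC=example,DC=com", null,
                        new BasicAttributes("sAMAccountName", "jdoe"));
            }
            public boolean hasMoreElements() { return !delivered; }
            public SearchResult nextElement() { return next(); }
            public void close() { }
        };
    }
    public static void main(String[] args) throws NamingException {
        System.out.println(searchSingle(fakeAdResults(), true).getName());
        try { searchSingle(fakeAdResults(), false); }
        catch (PartialResultException e) { System.out.println("not ignored: " + e.getMessage()); }
    }
}
```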
