Hi,
I have a problem when trying to authenticate a user in Pentaho against Active Directory.
The users must be authenticated against their domain, following its referral.

PREVIOUS NOTES

- The property java.naming.referral = follow

- The jar used in pentaho is acegi-security-1.0.6.jar

- The error "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]"
means that the user doesn't exist.

- The user exists and the LDAP queries work fine in ldapBrowser, a Windows tool.

- The same query does not work in Apache Directory Studio because, I think, it is not able to search in depth across domain trees.
The query log shows this for each domain:

ldapsearch -H ldap://myMSAD:389 -x -D "msadReader" -W -b "DC=val,DC=myent,DC=com" -s base ....

I have conducted many tests, but none has worked. I describe them below.

1. I try to use the FilterBasedLdapUserSearch with or without the searchBase

Code:
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg>
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="userSearch">
        <ref local="userSearch" />
    </property>
</bean>
Code:
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="DC=myent,DC=com" />
    <constructor-arg index="1" value="(sAMAccountName={0})" />
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
          <value>true</value>
    </property>
</bean>
Log trace is:

[org.acegisecurity.ldap.DefaultInitialDirContextFactory] Creating InitialDirContext with environment
{java.naming.provider.url=ldap://myMSAD:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.principal=ldap://cur.myent.es:389/CN=testUser,OU=Vadis%20Duria,OU=myent,DC=cur,DC=myent,DC=com,DC=myent,DC=com,
java.naming.security.authentication=simple, java.naming.security.credentials=******, java.naming.referral=follow}
[org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
ldap://cur.myent.es:389/CN=testUser,OU=Vadis%20Duria,OU=myent-ar,DC=cur,DC=myent,DC=com,DC=myent,DC=com:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]


You can see it writes 'DC=myent,DC=com' twice in the bind URL.
If I remove the search base (<constructor-arg index="0" value="/" /> or <constructor-arg index="0" value="" />) it doesn't work.


2. Following the wiki (http://wiki.pentaho.com/display/Serv...tive+Directory) I try it with userDnPatterns, but it fails


Code:
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg>
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="userDnPatterns">
        <list>
            <value>sAMAccountName={0},OU=Vadis Duria,OU=myent-ar,DC=cur,DC=myent,DC=com</value>
        </list>
    </property>
</bean>
[org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
sAMAccountName=testUser,OU=Vadis Duria,OU=myent-ar,DC=cur,DC=myent,DC=com:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

3. I try again with Kerberos notation and Windows domain notation. It fails!!

Code:
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg>
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="userDnPatterns">
        <list>
            <value>CUR\{0}</value>
        </list>
    </property>
</bean>
[org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationFailureServiceExceptionEvent:
testUser; details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 172.30.12.72; SessionId: E19022EBFA2E30C843F837939880B433;
exception: LdapCallback;CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0, vece ];
nested exception is javax.naming.InvalidNameException: CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment:
Error processing name, data 0, vece ]; remaining name 'CUR\testUser'; nested exception is org.acegisecurity.ldap.LdapDataAccessException:
LdapCallback;CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment: Error processing name, data 0, vece ];
nested exception is javax.naming.InvalidNameException: CUR\testUser: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090654, comment:
Error processing name, data 0, vece ]; remaining name 'CUR\testUser'

Code:
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg>
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="userDnPatterns">
        <list>
            <value>{0}@cur.myent.es</value>
        </list>
    </property>
</bean>
[org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationFailureServiceExceptionEvent:
testUser; details: org.acegisecurity.ui.WebAuthenticationDetails@0: RemoteIpAddress: 172.30.12.72; SessionId: 991D786A3546847D61A3306A10C8887A;
exception: LdapCallback;testUser@cur.myent.es: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA,
problem 2006 (BAD_NAME), data 8350, best match of: 'testUser@cur.myent.es']; nested exception is javax.naming.InvalidNameException:
testUser@cur.myent.es: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
'testUser@cur.myent.es']; remaining name 'testUser@cur.myent.es'; nested exception is org.acegisecurity.ldap.LdapDataAccessException:
LdapCallback;testUser@cur.myent.es: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350,
best match of: 'testUser@cur.myent.es']; nested exception is javax.naming.InvalidNameException: testUser@cur.myent.es:
[LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of: 'testUser@cur.myent.es'];
remaining name 'testUser@cur.myent.es'


I change the initial context to append the search base to the URL.

Code:
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg index="0" value="ldap://myMSAD:389/DC=myent,DC=com" />
    <property name="managerDn" value="msadReader" />
    <property name="managerPassword" value="*********" />
    <property name="extraEnvVars">
        <map>
            <entry key="java.naming.referral" value="follow"/>
        </map>
    </property>
</bean>
Code:
<bean id="authenticator" class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg>
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="userDnPatterns">
        <list>
            <value>{0}@cur.myent.es</value>
            <value>CUR\{0}</value>
        </list>
    </property>
</bean>
2009-09-29 10:45:16,535 DEBUG [org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
testUser@cur.myent.es,DC=myent,DC=com: javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
2009-09-29 10:45:16,535 DEBUG [org.acegisecurity.providers.ldap.authenticator.BindAuthenticator] Failed to bind as
CUR\testUser,DC=myent,DC=com: javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

Can you help me?

Thanks
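Added example, not part of the post above and not Pentaho or Acegi code: a small Python helper that reads the bind-failure messages quoted in the post, maps the AD "data" sub-code of a result-code-49 error to its meaning (525 = user not found, 52e = wrong password, etc.) and flags bind-name shapes that cannot work against AD regardless of the password (a UPN or DOMAIN\user name with a DN suffix appended, or a directory root appended twice). The sample messages are constructed from the log lines in the post.

```python
import re

# AD sub-codes returned in the "data" field of a result-code-49 (invalidCredentials) bind failure.
AD_DATA_SUBCODES = {
    "525": "user not found: the bind name does not resolve to an account",
    "52e": "invalid credentials: the account exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_RESULT_RE = re.compile(r"\[LDAP: error code (\d+) - [0-9A-Fa-f]+: .*?data ([0-9A-Fa-f]+)", re.S)


def explain_result(message):
    """Return (result_code, data_subcode, meaning) for one '[LDAP: error code ...]' message, or None."""
    m = LDAP_RESULT_RE.search(message)
    if not m:
        return None
    code, data = m.group(1), m.group(2).lower()
    if code == "49":
        meaning = AD_DATA_SUBCODES.get(data, "invalidCredentials, unknown AD sub-code")
    elif code == "34":
        meaning = "invalidDNSyntax: the server could not parse the bind name as a DN"
    else:
        meaning = "LDAP result code %s" % code
    return code, data, meaning


def bind_name_problems(bind_name):
    """Flag bind-name shapes that fail against AD independently of the password."""
    problems = []
    # A followed referral leaves an ldap://host:port/ prefix in front of the DN; drop it.
    name = re.sub(r"^ldap://[^/]+/", "", bind_name.strip().replace("\n", ""))
    parts = [p.strip() for p in name.split(",")]  # naive split, fine for unescaped commas
    if len(parts) > 1 and re.match(r"^[^,=]+(@|\\)[^,=]+$", parts[0]):
        problems.append("UPN or DOMAIN\\user bind name has a DN suffix appended; AD expects it bare")
    # The same DC=... root appended twice, e.g. ...,DC=x,DC=y,DC=x,DC=y
    for k in range(1, len(parts) // 2 + 1):
        tail = parts[-k:]
        if tail == parts[-2 * k:-k] and all(p.upper().startswith("DC=") for p in tail):
            problems.append("directory root %s appears twice at the end of the DN" % ",".join(tail))
            break
    return problems


# Constructed samples modelled on the messages quoted in the post.
SAMPLE_ERROR = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]"
SAMPLE_BIND = "ldap://cur.myent.es:389/CN=testUser,OU=Vadis%20Duria,OU=myent,DC=cur,DC=myent,DC=com,DC=myent,DC=com"

if __name__ == "__main__":
    print(explain_result(SAMPLE_ERROR))
    print(bind_name_problems(SAMPLE_BIND))
```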