Authentication using LDAP against ADAM using spring security

Submitted by 南笙酒味 on 2019-12-04 06:11:49

OK so as I spent plenty of time solving this here's the answer.

Error code 2030 means that the DN of the user is invalid.

After some trial and error here is a config that works and does user search properly. (You can probably rewrite this using the security namespace but while I was working on this it was clearer to use the raw bean definitions).

  <bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://localhost:389/cn=Sandbox,dc=ITOrg"/>
    <property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>
    <property name="password" value="xxxxxx"/>
  </bean>

  <bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <constructor-arg ref="contextSource"/>
        <property name="userDnPatterns">
          <list>
            <value>cn={0},cn=People</value>
          </list>
        </property>
      </bean>
    </constructor-arg>
  </bean>

  <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="cn=People"/>
    <constructor-arg index="1" value="(cn={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
  </bean>

The key things are

<property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>

When specifying the userDn in the context source it must be the FULL DN (it doesn't just append it to the base supplied in the URL constructor arg).

When using the BindAuthenticator

<value>cn={0},cn=People</value>

This value IS a suffix on top of the baseDn of the context source.

When configuring a UserSearch

    <constructor-arg index="0" value="cn=People"/>
    <constructor-arg index="1" value="(cn={0})"/>

I couldn't get it to work with cn=People in the second arg, but this seems to work fine. Note that you can use other attributes of the user, e.g. (uid={0}).

And here's some example code using the bean definitions...

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.ldap.core.DirContextOperations;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.ldap.search.LdapUserSearch;

    // Wired from the "userSearch" and "ldapAuthProvider" beans defined above.
    @Autowired
    private LdapUserSearch ldapUserSearch;

    @Autowired
    private AuthenticationProvider authenticationProvider;

    public void initialise()
    {
        // Looks the entry up under cn=People (relative to the base DN) using the
        // context source's own bind account; the user's password is not needed here.
        DirContextOperations dirContextOperations = ldapUserSearch.searchForUser( "username" );

        // Binds as cn=username,cn=People,<base DN> with the supplied password;
        // throws BadCredentialsException if the bind is rejected.
        Authentication authentication = authenticationProvider.authenticate( new UsernamePasswordAuthenticationToken( "username", "password" ) );
    }

Some other random titbits...

Error 52b - Invalid password

[LDAP: error code 32 - 0000208D: NameErr: DSID-031521D2, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sandbox,DC=ITOrg'
     - This means the user is not in the administrator role (probably)

Hope all this helps someone else.
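The same three beans expressed in plain Java, as an added example that is not part of the original answer or of Spring Security itself. It keeps the three DN rules the answer worked out (userDn is the full DN; the bind pattern and the search base are relative to the base DN in the URL) and adds what I would change before deploying the XML above: an ldaps:// URL so the simple bind, which carries the user's password verbatim, is not sent in the clear; a bind password read from the environment instead of the config file; and a dedicated read-only search account in place of a superuser. The host name, the service-account name, the LDAP_BIND_PASSWORD variable and the Spring Security 5.x / Spring LDAP 2.x API versions are assumptions.

```java
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

/**
 * Added example (not the answer's code): the XML beans rewritten in Java with the
 * DN rules made explicit. Assumes Spring Security 5.x / Spring LDAP 2.x, an ADAM
 * (AD LDS) instance at the hypothetical host below with the same cn=Sandbox,dc=ITOrg
 * naming context, and the bind password in the LDAP_BIND_PASSWORD environment variable.
 */
public class AdamLdapAuth {

    // The base DN lives in the URL. ldaps:// (hypothetical host) so that the simple
    // bind performed for every login does not carry the user's password in the clear.
    static final String PROVIDER_URL = "ldaps://adam.example.internal:636/cn=Sandbox,dc=ITOrg";

    // Rule 1: userDn must be the FULL DN; the base from the URL is NOT appended to it.
    // A dedicated account that only needs read access to cn=People (name is an assumption).
    static final String SEARCH_ACCOUNT_DN = "cn=svc-ldap-search,cn=People,cn=Sandbox,dc=ITOrg";

    static DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(PROVIDER_URL);
        cs.setUserDn(SEARCH_ACCOUNT_DN);
        String bindPassword = System.getenv("LDAP_BIND_PASSWORD");
        if (bindPassword == null) {
            throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        }
        cs.setPassword(bindPassword);
        cs.afterPropertiesSet();   // required when the bean is built outside the Spring container
        return cs;
    }

    // Rule 3: the search base is relative to the URL base. Keep the {0} placeholder:
    // JNDI substitutes the argument with RFC 4515 escaping, which concatenating the
    // username into the filter string yourself would not do.
    static FilterBasedLdapUserSearch userSearch(DefaultSpringSecurityContextSource cs) {
        return new FilterBasedLdapUserSearch("cn=People", "(cn={0})", cs);
    }

    static LdapAuthenticationProvider provider(DefaultSpringSecurityContextSource cs) {
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        // Rule 2: the pattern is relative to the URL base, so the bind DN becomes
        // cn=<username>,cn=People,cn=Sandbox,dc=ITOrg.
        authenticator.setUserDnPatterns(new String[] { "cn={0},cn=People" });
        // If no pattern binds, locate the entry by search and bind with the DN that was found.
        authenticator.setUserSearch(userSearch(cs));
        // Single-argument constructor: authentication only, no group/authority lookup.
        return new LdapAuthenticationProvider(authenticator);
    }

    public static void main(String[] args) {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: AdamLdapAuth <username>   (password is read from the terminal)");
            System.exit(2);
        }
        String username = args[0];
        char[] password = System.console().readPassword("password for %s: ", username);

        DefaultSpringSecurityContextSource cs = contextSource();
        try {
            DirContextOperations entry = userSearch(cs).searchForUser(username);
            System.out.println("found entry " + entry.getDn());

            Authentication result = provider(cs).authenticate(
                    new UsernamePasswordAuthenticationToken(username, new String(password)));
            System.out.println("bind succeeded for " + result.getName());
        } catch (UsernameNotFoundException e) {
            System.out.println("no entry matches (cn=" + username + ") under cn=People");
        } catch (BadCredentialsException e) {
            System.out.println("bind failed: " + e.getMessage());
        } finally {
            java.util.Arrays.fill(password, '\0');   // do not leave the password in the heap
        }
    }
}
```

Run it as `java AdamLdapAuth alice` with LDAP_BIND_PASSWORD exported; the password is read from the terminal rather than taken as an argument so it does not show up in the process list or shell history. The search account only ever binds with its own credentials, so it needs read access to the cn=People container and nothing more; granting it an administrators role to work around error 32 widens the blast radius if that password leaks.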

I fixed this problem by adding the user you are trying to use as a member of the administrators role in the same Base DN. Hope that helps.
