
I am trying to achieve LDAP authentication and DB authorization with the Spring Security framework, using the embedded Spring LDAP server config. I am getting the following error message when I try to log in: Result code: (INVALID_CREDENTIALS) invalidCredentials

The issue is: when I use config 1 the login error occurs, but if I use config 2 it works. Request for help:

Config 1:

<security:authentication-manager>
    <security:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</security:authentication-manager>

<bean id="ldapActiveDirectoryAuthProvider"
   class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="appLdapServer" />
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=users</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.smd.security.UserServiceBean" />
    </constructor-arg>
</bean>

<security:ldap-server id="appLdapServer" ldif="/WEB-INF/conf/mojo.ldif" root="o=mojo" port="007" />

Config 2:

<security:authentication-manager>
    <security:ldap-authentication-provider
        user-search-filter="(uid={0})" user-search-base="ou=users"
        group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
        group-role-attribute="cn" role-prefix="ROLE_">
    </security:ldap-authentication-provider>
</security:authentication-manager>

<security:ldap-server id="appLdapServer" ldif="/WEB-INF/conf/mojo.ldif" root="o=mojo" port="007" />

LDIF File Snippet:

dn: o=mojo
objectClass: organization
objectClass: extensibleObject
objectClass: top
o: mojo

dn: ou=users,o=mojo
objectClass: extensibleObject
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=John Milton,ou=users,o=mojo
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Milton
sn: Milton
uid: jmilton
userPassword:: cGFzcw==

(The password is "pass".)

I can see in the LDAP server logs that the correct password is being passed.

Thanks for reading this. Amit

  • In the user DN patterns, try providing the distinguished name, not just the relative distinguished name components. Commented Jun 17, 2012 at 10:31

1 Answer


In the first configuration, you are telling the BindAuthenticator to use the specific pattern uid={0} for the LDAP DN, when in fact it is not constructed from the uid attribute at all, but instead uses the common name (cn=John Milton).

This differs from the second configuration where you are using a search for users with a particular uid attribute.

You should remove the userDnPatterns from the BindAuthenticator configuration and instead configure a search bean, as described in the reference manual:

<!-- Bind authenticator that locates the user entry by search instead of building the DN from a pattern -->
<bean
  class="org.springframework.security.ldap.authentication.BindAuthenticator">
   <constructor-arg ref="appLdapServer"/>
   <property name="userSearch" ref="userSearch" />
</bean>

<!-- Search under ou=users for the entry whose uid attribute matches the login name;
     the bind then uses that entry's real DN (cn=John Milton,ou=users,o=mojo) -->
<bean id="userSearch"
  class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
   <constructor-arg index="0" value="ou=users"/>
   <constructor-arg index="1" value="(uid={0})"/>
   <constructor-arg index="2" ref="appLdapServer" />
</bean>
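To make the difference between the two configurations concrete, here is an added Python model (not the poster's or Spring Security's code) run against a constructed copy of the LDIF above: the DN-pattern bind of config 1 builds uid=jmilton,ou=users,o=mojo, which is not an entry, so the bind fails exactly like an INVALID_CREDENTIALS result, while a search on the uid attribute finds cn=John Milton,ou=users,o=mojo and binds with that DN. The in-memory directory, the simplified bind and the helper names are assumptions of the example.

```python
import base64

# Constructed copy of the LDIF snippet from the question; "cGFzcw==" is base64 for "pass".
LDIF = """\
dn: ou=users,o=mojo
objectClass: organizationalUnit
ou: users

dn: cn=John Milton,ou=users,o=mojo
objectClass: inetOrgPerson
cn: John Milton
sn: Milton
uid: jmilton
userPassword:: cGFzcw==
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; 'attr::' marks a base64 value."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # base64-encoded value (used for userPassword)
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def simple_bind(directory, dn, password):
    """Model of an LDAP simple bind: the DN must exist and the password must match."""
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def bind_with_dn_pattern(directory, root, pattern, username, password):
    """Config 1: userDnPatterns builds the bind DN from a template, no search."""
    dn = pattern.replace("{0}", username) + "," + root
    return simple_bind(directory, dn, password), dn

def bind_with_user_search(directory, root, base, attr, username, password):
    """Config 2 / FilterBasedLdapUserSearch: find the entry by attribute, bind with its real DN."""
    suffix = "," + base + "," + root
    for dn, entry in directory.items():
        if dn.endswith(suffix) and username in entry.get(attr, []):
            return simple_bind(directory, dn, password), dn
    return False, None
```

The embedded server here stores the password in clear (base64 is only LDIF encoding, not protection); a production directory compares against a hashed userPassword and should be reached over LDAPS or StartTLS so the bind password is not sent in the clear.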