I am trying to do LDAP authentication using spring security 2.0.3
Here is my configuration
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://IP:3268"/>
<property name="base" value="dc=alliance",dc=com,OU=Users,OU=India"/>
<property name="userDn" value="sAMAccountName=username" />
<property name="password" value="password" />
</bean>
<bean id="ldapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<sec:custom-authentication-provider/>
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<!--<property name="userSearch" ref="ldapSearchBean"/>-->
<property name="userDnPatterns">
<list><value>sAMAccountName={0}</value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=groups"/>
<property name="groupSearchFilter" value="member={0}"/>
<property name="groupRoleAttribute" value="ou"/>
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="true"/>
</bean>
</constructor-arg>
</bean>
Maven entry set is as below
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.3</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.2.1</version>
</dependency>
Exception I am getting is
[BindAuthenticator,2329165@qtp-24103634-0] – Failed to bind as sAMAccountName=csepena: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 – 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Where should i mention domain name?
If you search online for the error message, you will find something like this page of Active Directory errors, which lists your error at the top:
So according to AD, the user doesn’t exist. You’ve tried to use
sAMAccountNameattribute as part of a DN pattern, which won’t work as it is an LDAP attribute. You need to use a search to first locate a user by the value of this attribute. There are examples on how to do that elsewhere on this site and on the web. It looks like you already tried, since you commented out a search bean. If that didn’t work you should have explained what went wrong in your question.In fact, it seems likely that it failed because there are some things wrong with your context source. The value for the
userDnproperty is wrong. It needs to be a valid distinguished name in the directory, which “sAMAccountName=username” is not. The “base” property also looks incorrect. It should generally be a tree where the root (dc=mycompany,dc=comis at the end). So it should probably beou=mygroup,ou=mycountry,dc=mycompany,dc=com.Finally, you shouldn’t be using version 2.0.3. It has known security vulnerabilities. Always keep up to date with patches and new versions of libraries you are using – number 6 in the OWASP “top ten”. It also makes sense to check the latest version in case you’re encountering a bug which has been fixed.