I am trying to get a Java app using spring-security to talk to a local ADAM instance that I have setup.
I have successfully installed ADAM and setup as follows….
- Instance running on localhost:389
- Root is
O=Company- A child called
OU=Company Users(orgnizationalUnit)- A granchild called
CN=Mike Q(user) uid = mikeandpassword = welcome
- A granchild called
- A child called
Then I have setup spring-security (version 3.0.3, spring-framework 3.0.4 and spring-ldap 1.3.0). Spring file
<security:ldap-server id="contextSource" url="ldap://localhost:389/o=Company"/>
<security:authentication-manager>
<security:ldap-authentication-provider user-dn-pattern="uid={0},ou=Company Users"/>
</security:authentication-manager>
<bean class="com.xxx.test.TestAuthentication" lazy-init="false"/>
And TestAuthentication
public class TestAuthentication
{
@Autowired
private AuthenticationManager authenticationManager;
public void initialise()
{
Authentication authentication = new UsernamePasswordAuthenticationToken( "mike", "welcome" );
Authentication reponseAuthentication = authenticationManager.authenticate( authentication );
}
}
Running this I get the following error
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
If someone could point out where I’m going wrong I’d be grateful. At this point I just want to authenticate an entered user/password using LDAP, nothing more complex than that.
I’m also interested in some general points as this is my first foray into LDAP world.
- Is LDAP case sensitive?
- Are spaces best avoided?
- What are the general use-cases/best practices to avoid sending the password in clear-text in the LDAP query?
OK so as I spent plenty of time solving this here’s the answer.
Error code 2030 means that the DN of the user is invalid.
After some trial and error here is a config that works and does user search properly. (You can probably rewrite this using the security namespace but while I was working on this it was clearer to use the raw bean definitions).
The key things are
When specifying the userDn in the context source it must be the FULL DN (it doesn’t just append it do the base supplied in the url (constructor arg).
When using BindAuthentication
This value IS a suffix on top of the baseDn of the context source.
When configuring a UserSearch
I couldn’t get it to work with
cn=Peoplebeing in the second arg but this seems to work fine. Note you can use attributes of the user e.g.(uid={0})And here’s some example code using the bean definitions…
Some other random titbits…
Hope all this helps someone else.