I am trying to do LDAP authentication using spring security 2.0.3
Here is my configuration
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://IP:3268"/>
<property name="base" value="dc=alliance",dc=com,OU=Users,OU=India"/>
<property name="userDn" value="sAMAccountName=username" />
<property name="password" value="password" />
</bean>
<bean id="ldapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<sec:custom-authentication-provider/>
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<!--<property name="userSearch" ref="ldapSearchBean"/>-->
<property name="userDnPatterns">
<list><value>sAMAccountName={0}</value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=groups"/>
<property name="groupSearchFilter" value="member={0}"/>
<property name="groupRoleAttribute" value="ou"/>
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="true"/>
</bean>
</constructor-arg>
</bean>
Maven entry set is as below
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.3</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.2.1</version>
</dependency>
Exception I am getting is
[BindAuthenticator,2329165@qtp-24103634-0] - Failed to bind as sAMAccountName=csepena: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Where should i mention domain name?
If you search online for the error message, you will find something like this page of Active Directory errors, which lists your error at the top:
Common Active Directory LDAP bind errors:
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0×525 – user not found
DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
So according to AD, the user doesn't exist. You've tried to use sAMAccountName
attribute as part of a DN pattern, which won't work as it is an LDAP attribute. You need to use a search to first locate a user by the value of this attribute. There are examples on how to do that elsewhere on this site and on the web. It looks like you already tried, since you commented out a search bean. If that didn't work you should have explained what went wrong in your question.
In fact, it seems likely that it failed because there are some things wrong with your context source. The value for the userDn
property is wrong. It needs to be a valid distinguished name in the directory, which "sAMAccountName=username" is not. The "base" property also looks incorrect. It should generally be a tree where the root (dc=mycompany,dc=com
is at the end). So it should probably be ou=mygroup,ou=mycountry,dc=mycompany,dc=com
.
Finally, you shouldn't be using version 2.0.3. It has known security vulnerabilities. Always keep up to date with patches and new versions of libraries you are using - number 6 in the OWASP "top ten". It also makes sense to check the latest version in case you're encountering a bug which has been fixed.