Authentication using LDAP against ADAM using spring security

Mike Q picture Mike Q · Sep 24, 2010 · Viewed 17.6k times · Source

I am trying to get a Java app using spring-security to talk to a local ADAM instance that I have setup.

I have successfully installed ADAM and setup as follows....

  • Instance running on localhost:389
  • Root is O=Company
    • A child called OU=Company Users (orgnizationalUnit)
      • A granchild called CN=Mike Q (user)
      • uid = mike and password = welcome

Then I have setup spring-security (version 3.0.3, spring-framework 3.0.4 and spring-ldap 1.3.0). Spring file

  <security:ldap-server id="contextSource" url="ldap://localhost:389/o=Company"/>

  <security:authentication-manager>
    <security:ldap-authentication-provider user-dn-pattern="uid={0},ou=Company Users"/>
  </security:authentication-manager>

  <bean class="com.xxx.test.TestAuthentication" lazy-init="false"/>

And TestAuthentication

public class TestAuthentication
{
    @Autowired
    private AuthenticationManager authenticationManager;

    public void initialise()
    {
        Authentication authentication = new UsernamePasswordAuthenticationToken( "mike", "welcome" );
        Authentication reponseAuthentication = authenticationManager.authenticate( authentication );
    }
}

Running this I get the following error

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)

If someone could point out where I'm going wrong I'd be grateful. At this point I just want to authenticate an entered user/password using LDAP, nothing more complex than that.

I'm also interested in some general points as this is my first foray into LDAP world.

  • Is LDAP case sensitive?
  • Are spaces best avoided?
  • What are the general use-cases/best practices to avoid sending the password in clear-text in the LDAP query?

Answer

Mike Q picture Mike Q · Sep 28, 2010

OK so as I spent plenty of time solving this here's the answer.

Error code 2030 means that the DN of the user is invalid.

After some trial and error here is a config that works and does user search properly. (You can probably rewrite this using the security namespace but while I was working on this it was clearer to use the raw bean definitions).

  <bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://localhost:389/cn=Sandbox,dc=ITOrg"/>
    <property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>
    <property name="password" value="xxxxxx"/>
  </bean>

  <bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <constructor-arg ref="contextSource"/>
        <property name="userDnPatterns">
          <list>
            <value>cn={0},cn=People</value>
          </list>
        </property>
      </bean>
    </constructor-arg>
  </bean>

  <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="cn=People"/>
    <constructor-arg index="1" value="(cn={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
  </bean>

The key things are

<property name="userDn" value="cn=superuser,cn=People,cn=Sandbox,dc=ITOrg"/>

When specifying the userDn in the context source it must be the FULL DN (it doesn't just append it do the base supplied in the url (constructor arg).

When using BindAuthentication

<value>cn={0},cn=People</value>

This value IS a suffix on top of the baseDn of the context source.

When configuring a UserSearch

    <constructor-arg index="0" value="cn=People"/>
    <constructor-arg index="1" value="(cn={0})"/>

I couldn't get it to work with cn=People being in the second arg but this seems to work fine. Note you can use attributes of the user e.g. (uid={0})

And here's some example code using the bean definitions...

    @Autowired
    private LdapUserSearch ldapUserSearch;

    @Autowired
    private AuthenticationProvider authenticationProvider;

    public void initialise()
    {
        DirContextOperations dirContextOperations = ldapUserSearch.searchForUser( "username" );

        Authentication authentication = authenticationProvider.authenticate( new UsernamePasswordAuthenticationToken( "username", "password" ) );    
    }

Some other random titbits...

Error 52b - Invalid password


[LDAP: error code 32 - 0000208D: NameErr: DSID-031521D2, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sandbox,DC=ITOrg'
     - This means the user is not in the administrator role (probably)

Hope all this helps someone else.