Spring Security AD LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8

Jon Smith · Jun 7, 2013 · Viewed 53.6k times

I am trying to connect to LDAP from Spring Security and getting connection errors. Could someone suggest what is wrong with this configuration?

UsernamePasswordAuthenticationFilter - An internal error occurred while trying to authenticate the user. org.springframework.security.authentication.InternalAuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Users,dc=aaa,dc=bbb,dc=ccc,dc=dddd' at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:191)

Config file has:

<sec:authentication-manager alias="myAuthenticationManager">
    <sec:authentication-provider ref="myAuthenticationProvider"/>
</sec:authentication-manager>

<bean id="myAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg ref="ldapBindAuthenticator"/>
    <constructor-arg ref="ldapAuthoritiesPopulator"/>
</bean>

<bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <constructor-arg ref="contextSource" />
    <property name="userSearch" ref="userSearch"/>
</bean>

<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="ou=Users,dc=aaa,dc=bbb,dc=ccc,dc=dddd"/>
    <constructor-arg index="1" value="(sAMAccountName={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
    <property name="searchSubtree" value="true"/>
</bean>

<bean id="ldapAuthoritiesPopulator" class="com.xxxx.MyLdapAuthoritiesPopulator">
    <property name="userDao" ref="userDao"/>
</bean>

<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://aaa.com:123/DC=aa,DC=bb,DC=cc,DC=dd"/>
    <property name="base" value="DC=aa,DC=bb,DC=cc,DC=dd" />
    <!-- <property name="anonymousReadOnly" value="true"/> -->
</bean>

Answer

Pavel Horal · Jun 9, 2013

Let's assume the user is trying to log in with username XXX and password YYY. Usually LDAP authentication works like this:

  1. Bind to the LDAP with technical account
  2. Search for the user with the username XXX => get his DN
  3. Try to bind to the LDAP using found DN and password YYY

Your error is suggesting that you didn't do the first step (technical account binding) correctly.

Try adding userDn and password to your context source (this is from the official JavaDoc):

<bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
    <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
    <property name="password" value="password"/>
</bean>
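The same bind-search-bind chain wired with Spring Security's Java API, as an added example that is not part of the answer or the asker's project. Host, DNs and the `LDAP_SVC_PASSWORD` environment variable are placeholder assumptions; the search bases are relative to the base DN in the provider URL, which is how `FilterBasedLdapUserSearch` and `DefaultLdapAuthoritiesPopulator` interpret them.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

public class AdLdapAuthExample {

    // Placeholder values (assumptions); replace with the real directory settings.
    private static final String PROVIDER_URL = "ldaps://ad.example.com:636/dc=example,dc=com";
    private static final String SERVICE_DN = "cn=svc-ldap-reader,ou=Service Accounts,dc=example,dc=com";

    public static LdapAuthenticationProvider buildProvider() throws Exception {
        DefaultSpringSecurityContextSource contextSource =
                new DefaultSpringSecurityContextSource(PROVIDER_URL);

        // Step 1: the technical (service) account used for the initial bind and the
        // user search. Without userDn/password AD answers the search with error 1
        // (a successful bind must be completed on the connection). Read the secret
        // from the environment rather than hardcoding it in the configuration.
        contextSource.setUserDn(SERVICE_DN);
        contextSource.setPassword(System.getenv("LDAP_SVC_PASSWORD"));
        contextSource.afterPropertiesSet();

        // Step 2: locate the user's DN by sAMAccountName under ou=Users (relative to
        // the base DN from the provider URL), searching the whole subtree.
        FilterBasedLdapUserSearch userSearch =
                new FilterBasedLdapUserSearch("ou=Users", "(sAMAccountName={0})", contextSource);
        userSearch.setSearchSubtree(true);

        // Step 3: bind as the DN found in step 2 with the password the user submitted.
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(userSearch);

        // Group memberships are read with the service account after the user bind succeeds.
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=Groups");
        return new LdapAuthenticationProvider(authenticator, populator);
    }

    // Runs the three steps for one login attempt; throws AuthenticationException on failure.
    public static Authentication login(String username, String password) throws Exception {
        return buildProvider().authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
    }
}
```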