
How do you set up LDAP Auth against Active Directory? #249

kevinrtucker ·
I'd like to authenticate using our Active Directory server, however, I keep getting these error messages in the log.

2007-08-06 16:02:04,765 [http-28080-Processor24] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Updated SecurityContextHolder to contain null Authentication
2007-08-06 16:02:04,765 [http-28080-Processor24] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Authentication request failed: org.acegisecurity.BadCredentialsException: User not found or password incorrect.
2007-08-06 16:02:37,499 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Request is to process authentication
2007-08-06 16:02:37,499 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@c3461ac1: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@43458: RemoteIpAddress: 192.168.60.107; SessionId: 4F5B57B23453F245D4B6477A5B1D555E; Granted Authorities: ROLE_ANONYMOUS, ROLE_SITE_ADMIN
2007-08-06 16:02:37,499 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Updated SecurityContextHolder to contain the following Authentication: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@c3461ac1: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@43458: RemoteIpAddress: 192.168.60.107; SessionId: 4F5B57B23453F245D4B6477A5B1D555E; Granted Authorities: ROLE_ANONYMOUS, ROLE_SITE_ADMIN'
2007-08-06 16:02:37,499 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Redirecting to target URL from HTTP Session (or default): /app.do?service=page/Home
2007-08-06 16:03:10,015 [http-28080-Processor24] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Request is to process authentication
2007-08-06 16:03:10,030 [http-28080-Processor24] DEBUG com.pmease.quickbuild.security.ApplicationAuthenticationProvider - Authenticating new user "kevint" against "Active Directory"...
2007-08-06 16:03:10,030 [http-28080-Processor24] DEBUG com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider - Evaluated user search filter: (&(uid=kevint)(objectclass=person)).
2007-08-06 16:03:10,030 [http-28080-Processor24] DEBUG com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider - Binding to ldap url "ldap://mainsrv.seattlead.bstep.us:389" as "kevint"...
2007-08-06 16:03:10,030 [http-28080-Processor24] ERROR com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider - LDAP exception occurred.
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider.authenticate(LdapAuthenticationProvider.java:107)
at com.pmease.quickbuild.security.ApplicationAuthenticationProvider.retrieveUser(ApplicationAuthenticationProvider.java:102)
at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:115)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:183)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:199)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:191)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)
at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:90)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:595)

How do I get this to work? Are there any tools that can help me figure out the correct communication settings for my network?

Kevin
robinshen ADMIN ·
Hi Kevin,

It seems that the "bind user" property is not set correctly. It should be a user DN instead of login name, for example:

uid={0},ou=users,dc=foobar,dc=com

QuickBuild will replace {0} with the current login name when authenticating to AD.

Also please make sure that the "bind password" property is set as:
{0}

Regards.
Robin
kevinrtucker ·
Got a little further with this by making the Bind user setting be {0}@seattlead.bstep.us instead of just {0}. But then I started getting these error messages:

error message is:

2007-08-06 16:35:34,421 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Request is to process authentication
2007-08-06 16:35:34,436 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.ApplicationAuthenticationProvider - Authenticating new user "kevint" against "Active Directory"...
2007-08-06 16:35:34,436 [http-28080-Processor23] DEBUG com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider - Evaluated user search filter: (&(uid=kevint)(objectclass=person)).
2007-08-06 16:35:34,436 [http-28080-Processor23] DEBUG com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider - Binding to ldap url "ldap://mainsrv.seattlead.bstep.us:389" as "kevint@seattlead.bstep.us"...
2007-08-06 16:35:34,452 [http-28080-Processor23] WARN com.pmease.quickbuild.authenticationprovider.LdapAuthenticationProvider - User entry not found in LDAP "ldap://mainsrv.seattlead.bstep.us:389".
2007-08-06 16:35:34,452 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Updated SecurityContextHolder to contain null Authentication
2007-08-06 16:35:34,452 [http-28080-Processor23] DEBUG com.pmease.quickbuild.security.QuickBuildAuthenticationProcessingFilter - Authentication request failed: org.acegisecurity.BadCredentialsException: User not found or password incorrect.

But then I got it to recognize my account properly by putting:

(&(sAMAccountName={0})(objectclass=person)).

into the User search filter instead of the example on the page:

(&(uid={0})(objectclass=person))

As an aside, I was able to figure out the proper attribute names, and OU and DN settings by using the Active Directory Explorer, downloaded from Microsoft TechNet:

http://www.microsoft.com/technet/sysint ... lorer.mspx

Kevin
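The two things that changed between the failing and the working configuration above are the bind identity (a UPN of the form {0}@domain instead of a bare login name) and the user search filter (sAMAccountName instead of uid). The error-49 diagnostic in the first post also carries a sub-code, "data 525", that AD uses to say exactly why the bind was refused. The following script is an added example, not QuickBuild's code or anything posted in this thread: it decodes that AD sub-code from a log line, and it renders the {0} templates discussed here while escaping the login name per RFC 4515 so a crafted username cannot rewrite the search filter. The sub-code table is Microsoft's documented set for AcceptSecurityContext errors; the allowlist pattern for acceptable login names is a conservative assumption of this example, not an AD rule.

```python
import re

# Microsoft's documented sub-codes carried in the "data NNN" field of an
# AD LDAP result 49 (invalidCredentials) diagnostic. 525 is the one in the
# original log; 52e is the one you get once the account is found but the
# password is wrong.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_ad_bind_error(diagnostic: str) -> str:
    """Explain the 'data NNN' sub-code inside an AD error-49 diagnostic string."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return "unrecognized diagnostic"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, f"unknown sub-code {code}")


# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so a login name cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, login: str) -> str:
    """Fill the {0} placeholder of a QuickBuild-style filter template safely."""
    return template.replace("{0}", escape_filter_value(login))


# Conservative allowlist for what this example accepts as a login name before
# it is placed into a bind-name template (an assumption of the example, not
# something AD enforces).
_LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def render_bind_name(template: str, login: str) -> str:
    """Fill the {0} placeholder of a bind-user template such as '{0}@domain'.

    A UPN is sent verbatim in the bind request, so filter escaping does not
    apply here; instead the login is checked against an allowlist so characters
    meaningful in a DN (',', '=', '+', ...) never reach the directory.
    """
    if not _LOGIN_RE.match(login):
        raise ValueError(f"login name rejected by allowlist: {login!r}")
    return template.replace("{0}", login)


if __name__ == "__main__":
    # Constructed sample: the diagnostic text from the original log line.
    diag = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
            "comment: AcceptSecurityContext error, data 525, vece]")
    print(decode_ad_bind_error(diag))
    print(render_bind_name("{0}@seattlead.bstep.us", "kevint"))
    print(render_search_filter("(&(sAMAccountName={0})(objectclass=person))",
                               "kevint"))
    # An injection attempt is neutralised rather than widening the search.
    print(render_search_filter("(&(sAMAccountName={0})(objectclass=person))",
                               "*)(objectclass=*"))
```

Reading "data 525" as "user not found" rather than "bad password" is what points at the bind identity rather than the password, which matches the fix Kevin arrived at. The escaping matters because the filter template substitutes the untrusted login name directly; without it, a login of `*)(objectclass=*` turns the filter into a wildcard match.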
robinshen ADMIN ·
Hi Kevin,

Thanks for sharing your experience on getting this through.

Regards.
Robin

PS:

The AD example in the user manual (http://www.pmease.com/public/docs/guide ... #id2759323) did mention the correct user search filter:

(&(sAMAccountName={0})(objectclass=person))
kevinrtucker ·
That's good to know. I'll try looking into the documentation a little closer from now on. :D It might be good to get the docs on the web page fixed up soon though, as I assumed that information would be more up to date than the manual. And I'm guessing that most people would work that way as well.

I appreciate you having that information on the web page. It made the process more approachable.

Thanks,
Kevin