[midPoint] Active Directory Authentication
Katka Valalikova
katka.valalikova at evolveum.com
Wed Nov 9 14:10:50 CET 2016
Hi,
Remove this part:
    <property name="userDnPatterns">
        <list>
            <value>sAMAccountName={0},cn=Users</value>
        </list>
    </property>
from your configuration. In your case, it is sufficient to leave just the search filter enabled (using this property):
    <property name="userSearch" ref="userSearch" />
The configuration for userSearch seems OK to me.
This is the resulting configuration, which should work for you:
    <bean id="contextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" />
        <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr" />
        <property name="password" value="1234qQQ" />
        <property name="referral" value="follow" />
    </bean>
    <bean id="midPointAuthenticationProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userSearch" ref="userSearch" />
            </bean>
        </constructor-arg>
        <property name="userDetailsContextMapper" ref="userDetailsService" />
    </bean>
    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="" />
        <constructor-arg index="1" value="(sAMAccountName={0})" />
        <constructor-arg index="2" ref="contextSource" />
        <property name="searchSubtree" value="true" />
    </bean>
Best regards,
Katarina Valalikova
Java Developer
evolveum.com
----- Original Message -----
From: "Ivan Noris" <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com
Sent: Wednesday, November 9, 2016 2:01:09 PM
Subject: Re: [midPoint] Active Directory Authentication
Hi,
I don't have experience with this, but for me this seems to be suspicious:
    <property name="userDnPatterns">
        <list>
            <value>sAMAccountName={0},cn=Users</value>
        </list>
    </property>
Because if this is used for any filtering, such DNs probably don't exist... (AD account DNs are cn=Firstname Lastname,...) And probably also the container will be different from cn=Users.
I hope someone else can help.
Ivan
On 11/08/2016 03:33 PM, mceylan wrote:
Hi,
The problem is I'm unable to connect to Active Directory using valid credentials.
I added -Dauth.method.type=ldap to the catalina.sh file.
This is my ctx-web-security-ldap.xml file:
    <bean id="contextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" />
        <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr" />
        <property name="password" value="1234qQQ" />
        <property name="referral" value="follow" />
    </bean>
    <bean id="midPointAuthenticationProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userDnPatterns">
                    <list>
                        <value>sAMAccountName={0},cn=Users</value>
                    </list>
                </property>
                <!-- OPTIONAL -->
                <property name="userSearch" ref="userSearch" />
            </bean>
        </constructor-arg>
        <property name="userDetailsContextMapper" ref="userDetailsService" />
    </bean>
    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="" />
        <constructor-arg index="1" value="(sAMAccountName={0})" />
        <constructor-arg index="2" ref="contextSource" />
        <property name="searchSubtree" value="true" />
    </bean>
output: [Warning: Property for 'Bad credentials' not found]
Thanks.
--
Merve CEYLAN
_______________________________________________
midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
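
Added example (not part of the original thread, and not midPoint or Spring Security code): a small Python simulation of the two lookup strategies discussed above, binding as a DN built from a userDnPatterns-style pattern versus searching the subtree for (sAMAccountName={0}) and binding as the DN that was found. The directory contents, the base DN dc=example,dc=com and all function names are constructed for illustration; the search path also escapes the login name before it goes into the filter.

```python
import re

# Constructed sample directory (DN -> attributes); not data from the thread.
BASE = "dc=example,dc=com"
DIRECTORY = {
    "cn=john doe,ou=staff," + BASE: {"sAMAccountName": "jdoe", "password": "s3cret"},
    "cn=administrator,cn=users," + BASE: {"sAMAccountName": "administrator", "password": "adm1n"},
}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def bind(dn, password):
    """Simulated simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["password"] == password

def auth_by_dn_pattern(username, password, pattern="sAMAccountName={0},cn=Users"):
    """Pattern style: build a DN from the login name and bind as it directly."""
    return bind(pattern.replace("{0}", username) + "," + BASE, password)

def _matches(filter_value, attr_value):
    # A raw '*' in a filter is a wildcard; \XX hex escapes are literal characters.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
             for p in filter_value.split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, attr_value, re.IGNORECASE) is not None

def search_user(username, escape=True):
    """Subtree search for (sAMAccountName={0}); returns the matching DNs."""
    value = escape_filter_value(username) if escape else username
    return [dn for dn, e in DIRECTORY.items() if _matches(value, e["sAMAccountName"])]

def auth_by_search(username, password):
    """Search style: find the real DN first, then bind as that DN."""
    hits = search_user(username)
    return len(hits) == 1 and bind(hits[0], password)

if __name__ == "__main__":
    print(auth_by_dn_pattern("jdoe", "s3cret"))  # no entry has that DN
    print(auth_by_search("jdoe", "s3cret"))
    print(search_user("*"), search_user("*", escape=False))
```

With valid credentials the pattern-built DN never matches an entry named cn=John Doe,..., so the bind is rejected, while the search locates the entry wherever it sits under the base.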