[midPoint] Active Directory Authentication

Katka Valalikova katka.valalikova at evolveum.com
Wed Nov 9 14:41:19 CET 2016


Are you sure that you are using the correct username/password? AFAIK, the error "Bad credentials" is thrown when the username/password doesn't match (or the user doesn't exist in AD). 

Also look into the midPoint log to see whether there is an error. 

Best regards, 

Katarina Valalikova 
Java Developer 
evolveum.com 

----- Original Message -----

From: "mceylan" <mrveceylan at gmail.com> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Sent: Wednesday, November 9, 2016 2:31:31 PM 
Subject: Re: [midPoint] Active Directory Authentication 

Hi, 

Not working. My configuration file: 

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright (c) 2010-2016 Evolveum
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~     http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    <bean id="contextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" />
        <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr" />
        <property name="password" value="1234qQQ" />
    </bean>

    <bean id="midPointAuthenticationProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userSearch" ref="userSearch" />
            </bean>
        </constructor-arg>
        <property name="userDetailsContextMapper" ref="userDetailsService" />
    </bean>

    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="" />
        <constructor-arg index="1" value="(sAMAccountName={0})" />
        <constructor-arg index="2" ref="contextSource" />
        <property name="searchSubtree" value="true" />
    </bean>

</beans>

output: [Warning: Property for 'Bad credentials' not found] :S 

2016-11-09 15:10 GMT+02:00 Katka Valalikova <katka.valalikova at evolveum.com>: 



Hi, 

remove this part: 
<property name="userDnPatterns"> 
<list> 
<value>sAMAccountName={0},cn=Users</value> 
</list> 
</property> 


from your configuration. In your case, it is sufficient to leave just the search filter enabled (using this property): 

<property name="userSearch" ref="userSearch" /> 

Configuration for userSearch seems OK to me. 

This is the resulting configuration which should work for you: 

<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" />
    <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr" />
    <property name="password" value="1234qQQ" />
    <property name="referral" value="follow" />
</bean>

<bean id="midPointAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userSearch" ref="userSearch" />
        </bean>
    </constructor-arg>
    <property name="userDetailsContextMapper" ref="userDetailsService" />
</bean>

<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="" />
    <constructor-arg index="1" value="(sAMAccountName={0})" />
    <constructor-arg index="2" ref="contextSource" />
    <property name="searchSubtree" value="true" />
</bean>



Best regards, 

Katarina Valalikova 
Java Developer 
evolveum.com 


From: "Ivan Noris" <ivan.noris at evolveum.com> 
To: midpoint at lists.evolveum.com 
Sent: Wednesday, November 9, 2016 2:01:09 PM 
Subject: Re: [midPoint] Active Directory Authentication 

Hi, 

I don't have experience with this, but this seems suspicious to me: 
<property name="userDnPatterns"> 
<list> 
<value>sAMAccountName={0},cn=Users</value> 
</list> 
</property> 

Because if this is used for any filtering, such DNs probably don't exist... (AD account DNs are cn=Firstname Lastname,...) And the container will probably also be different from cn=Users. 

I hope someone else can help. 
Ivan 

On 11/08/2016 03:33 PM, mceylan wrote: 

<blockquote>

Hi, 

The problem is I'm unable to connect with Active Directory using valid credentials. 

In the catalina.sh file I add -Dauth.method.type=ldap 

This is my ctx-web-security-ldap.xml file: 

<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" />
    <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr" />
    <property name="password" value="1234qQQ" />
    <property name="referral" value="follow" />
</bean>

<bean id="midPointAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource" />
            <property name="userDnPatterns">
                <list>
                    <value>sAMAccountName={0},cn=Users</value>
                </list>
            </property>
            <!-- OPTIONAL -->
            <property name="userSearch" ref="userSearch" />
        </bean>
    </constructor-arg>
    <property name="userDetailsContextMapper" ref="userDetailsService" />
</bean>

<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="" />
    <constructor-arg index="1" value="(sAMAccountName={0})" />
    <constructor-arg index="2" ref="contextSource" />
    <property name="searchSubtree" value="true" />
</bean>

output: [Warning: Property for 'Bad credentials' not found] 

Thanks. 
-- 
Merve CEYLAN 


_______________________________________________
midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint 



-- 
Ivan Noris
Senior Identity Engineer evolveum.com 



</blockquote>

-- 
Merve CEYLAN 

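The following is an added example and is not code from this thread, from midPoint or from Spring Security. It models, against a small in-memory directory, the two BindAuthenticator strategies the thread compares: the userDnPatterns approach from the original configuration (build a DN by substituting the login name into "sAMAccountName={0},cn=Users" and bind to it directly) and the userSearch approach Katka recommends (search the subtree with "(sAMAccountName={0})" as the service account, then bind as the DN that comes back). Seen side by side it reproduces the failure Ivan describes: AD names an account's RDN after the display name ("CN=Merve Ceylan"), so the pattern produces a DN that does not exist and the bind fails with "Bad credentials", while the search resolves the real DN, including accounts that live outside CN=Users. Two checks a practitioner wants around search-then-bind are included: the login name is escaped per RFC 4515 before it is spliced into the filter (Spring's FilterBasedLdapUserSearch does this for {0}), so a name like "*" cannot turn the filter into a match-all, and an empty password is refused before the bind ever reaches the server (Spring's BindAuthenticator does this too), because AD treats a bind with a DN and no password as an unauthenticated bind and reports success. The base DN and the search filter are the ones from the thread; all directory entries, user names and passwords are constructed.

```python
"""Search-then-bind versus DN-pattern bind against a toy Active Directory.

Added example, not code from midPoint or Spring Security. Entries, names and
passwords are constructed; the base DN and filter are from the thread.
"""
import re
from dataclasses import dataclass

BASE_DN = "dc=trm,dc=gov,dc=tr"


@dataclass
class Entry:
    dn: str
    attrs: dict      # lower-cased attribute name -> value
    password: str    # constructed; a real DC never hands this out


# Constructed directory. AD names the RDN after the display name ("CN=Merve
# Ceylan"), never after sAMAccountName, and accounts may live outside
# CN=Users, which is why a subtree search is needed to find them.
DIRECTORY = {e.dn.lower(): e for e in [
    Entry("CN=Merve Ceylan,CN=Users," + BASE_DN,
          {"samaccountname": "mceylan"}, "Winter-2016!"),
    Entry("CN=Jan Novak,OU=Staff," + BASE_DN,
          {"samaccountname": "jnovak"}, "Spring-2016!"),
]}


class BadCredentials(Exception):
    """Stand-in for Spring's BadCredentialsException."""


def server_bind(dn, password):
    """Directory side of a simple bind: the bound entry, or None if anonymous.
    A DN with an empty password is an *unauthenticated* bind (RFC 4513 5.1.2),
    which AD accepts: success with no identity, not an error. The client has
    to refuse it before sending it."""
    if password == "":
        return None
    entry = DIRECTORY.get(dn.lower())
    if entry is None or entry.password != password:
        raise BadCredentials("Bad credentials")   # LDAP result 49 (invalidCredentials)
    return entry


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter; keeps a login name
    such as '*' from turning (sAMAccountName={0}) into a match-all filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def search(filter_str):
    """Minimal subtree search for one (attr=value) clause over BASE_DN. An
    unescaped '*' is a wildcard; a '\\xx' sequence is one literal character."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, raw = m.group(1).lower(), m.group(2)
    regex = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]", raw):
        if tok == "*":
            regex += ".*"
        elif tok.startswith("\\"):
            regex += re.escape(chr(int(tok[1:], 16)))
        else:
            regex += re.escape(tok)
    return [e for e in DIRECTORY.values()
            if re.fullmatch(regex, e.attrs.get(attr, ""), re.IGNORECASE)]


def client_bind(dn, password):
    """Client side: refuse an empty password before it reaches the server
    (BindAuthenticator does the same), then bind and return the DN."""
    if password == "":
        raise BadCredentials("Empty Password")
    server_bind(dn, password)
    return dn


def bind_with_dn_pattern(username, password, pattern="sAMAccountName={0},cn=Users"):
    """userDnPatterns approach: DN built by substitution, no search."""
    return client_bind(pattern.replace("{0}", username) + "," + BASE_DN, password)


def search_then_bind(username, password, template="(sAMAccountName={0})", escape=True):
    """userSearch approach: subtree search as the service account, exactly one
    hit required, then bind as the DN found."""
    value = escape_filter_value(username) if escape else username
    hits = search(template.replace("{0}", value))
    if len(hits) != 1:
        # Spring: UsernameNotFound / IncorrectResultSize, shown as a login failure
        raise BadCredentials("expected one match, found %d" % len(hits))
    return client_bind(hits[0].dn, password)


def outcome(fn, *args, **kwargs):
    """Run an authenticator and fold its result into one string."""
    try:
        return "OK " + fn(*args, **kwargs)
    except BadCredentials as e:
        return "FAIL " + str(e)


if __name__ == "__main__":
    print(outcome(bind_with_dn_pattern, "mceylan", "Winter-2016!"))  # pattern DN does not exist
    print(outcome(search_then_bind, "mceylan", "Winter-2016!"))      # real DN found and bound
    print(outcome(search_then_bind, "jnovak", "Spring-2016!"))       # account outside CN=Users
    print(outcome(search_then_bind, "mceylan", "wrong"))            # wrong password
    print(outcome(search_then_bind, "mceylan", ""))                 # refused before the bind
    print(outcome(search_then_bind, "*", "x", escape=False))        # unescaped: matches everyone
    print(outcome(search_then_bind, "*", "x"))                      # escaped: matches nobody
```

The first line of output is the thread's symptom: the DN-pattern bind targets "sAMAccountName=mceylan,cn=Users,dc=trm,dc=gov,dc=tr", which no AD will have, so the server can only answer invalidCredentials and the UI shows "Bad credentials" even though the password is right. The last two lines show why the {0} value must be escaped: unescaped, a login name of "*" makes the search return every account and the authenticator has to refuse because it cannot pick one; escaped, it simply finds nobody.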
