[midPoint] Active Directory Authentication
Jason Everling
jeverling at bshp.edu
Wed Nov 9 15:25:21 CET 2016
Also, by any chance, have you tried using the global catalog for AD? I have
more than a few java apps using spring security and have always had to end
up using the catalog.
So instead of ldap://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr
try ldap://enad.trm.gov.tr:3268/dc=trm,dc=gov,dc=tr
<http://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr>
JASON
On Wed, Nov 9, 2016 at 7:41 AM, Katka Valalikova <
katka.valalikova at evolveum.com> wrote:
> Are you sure that you are using correct username/password? AFAIK, the
> error *Bad credentials *is thrown when username/password doesn't match
> (or user doesn't exist in AD).
>
> Look also into midPoint log if there is no error.
>
> Best regards,
>
> Katarina Valalikova
> Java Developer
> evolveum.com
>
> ------------------------------
> *From: *"mceylan" <mrveceylan at gmail.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Wednesday, November 9, 2016 2:31:31 PM
>
> *Subject: *Re: [midPoint] Active Directory Authentication
>
> hi,
>
> not working. my configuration file,
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- ~ Copyright (c) 2010-2016 Evolveum ~ ~ Licensed under the Apache
> License,
> Version 2.0 (the "License"); ~ you may not use this file except in
> compliance
> with the License. ~ You may obtain a copy of the License at ~ ~
> http://www.apache.org/licenses/LICENSE-2.0
> ~ ~ Unless required by applicable law or agreed to in writing,
> software ~
> distributed under the License is distributed on an "AS IS" BASIS,
> ~ WITHOUT
> WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ~
> See the
> License for the specific language governing permissions and ~
> limitations
> under the License. -->
>
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-
> 4.1.xsd">
>
> <bean id="contextSource"
> class="org.springframework.security.ldap.
> DefaultSpringSecurityContextSource">
> <constructor-arg value="ldap://enad.trm.gov.tr:
> 389/dc=trm,dc=gov,dc=tr" />
> <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr"
> />
> <property name="password" value="1234qQQ" />
> </bean>
>
> <bean id="midPointAuthenticationProvider"
> class="org.springframework.security.ldap.authentication.
> LdapAuthenticationProvider">
> <constructor-arg>
> <bean
> class="org.springframework.
> security.ldap.authentication.BindAuthenticator">
> <constructor-arg ref="contextSource" />
> <property name="userSearch"
> ref="userSearch" />
> </bean>
> </constructor-arg>
> <property name="userDetailsContextMapper"
> ref="userDetailsService" />
> </bean>
>
> <bean id="userSearch"
> class="org.springframework.security.ldap.search.
> FilterBasedLdapUserSearch">
> <constructor-arg index="0" value="" />
> <constructor-arg index="1" value="(sAMAccountName={0})" />
> <constructor-arg index="2" ref="contextSource" />
> <property name="searchSubtree" value="true" />
>
> </bean>
>
> </beans>
>
> output: *[Warning: Property for 'Bad credentials' not found] :S*
>
>
>
>
>
>
> 2016-11-09 15:10 GMT+02:00 Katka Valalikova <katka.valalikova at evolveum.com
> >:
>
>> Hi,
>>
>> remove this part :
>> <property name="userDnPatterns">
>> <list>
>>
>> <value>sAMAccountName={0},cn=Users</value>
>> </list>
>> </property>
>>
>>
>> from your configuration. In your case, it is sufficient to leave just
>> search filter enabled (using this property):
>>
>> <property name="userSearch" ref="userSearch" />
>>
>> Configuration for userSearch seems OK to me.
>>
>> This is the resulting configuration which should work for you:
>>
>> <bean id="contextSource"
>> class="org.springframework.security.ldap.
>> DefaultSpringSecurityContextSource">
>> <constructor-arg value="ldap://enad.trm.gov.tr:
>> 389/dc=trm,dc=gov,dc=tr" />
>> <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr"
>> />
>> <property name="password" value="1234qQQ" />
>> <property name="referral" value="follow" />
>> </bean>
>>
>> <bean id="midPointAuthenticationProvider"
>> class="org.springframework.security.ldap.authentication.
>> LdapAuthenticationProvider">
>> <constructor-arg>
>> <bean
>> class="org.springframework.
>> security.ldap.authentication.BindAuthenticator">
>> <constructor-arg ref="contextSource" />
>> <property name="userSearch"
>> ref="userSearch" />
>> </bean>
>> </constructor-arg>
>> <property name="userDetailsContextMapper"
>> ref="userDetailsService" />
>> </bean>
>>
>> <bean id="userSearch"
>> class="org.springframework.security.ldap.search.
>> FilterBasedLdapUserSearch">
>> <constructor-arg index="0" value="" />
>> <constructor-arg index="1" value="(sAMAccountName={0})" />
>> <constructor-arg index="2" ref="contextSource" />
>> <property name="searchSubtree" value="true" />
>>
>> </bean>
>>
>>
>>
>> Best regards,
>>
>> Katarina Valalikova
>> Java Developer
>> evolveum.com
>>
>> ------------------------------
>> *From: *"Ivan Noris" <ivan.noris at evolveum.com>
>> *To: *midpoint at lists.evolveum.com
>> *Sent: *Wednesday, November 9, 2016 2:01:09 PM
>> *Subject: *Re: [midPoint] Active Directory Authentication
>>
>>
>> Hi,
>>
>> I don't have experience with this, but for me this seems to be suspicious:
>> <property name="userDnPatterns">
>> <list>
>>
>> <value>sAMAccountName={0},cn=Users</value>
>> </list>
>> </property>
>>
>> Because if this is used for any filtering, such DNs probably don't
>> exist... (AD accounts DNs are cn=Firstname Lastname,...) And probably also
>> the container will be different from cn=Users.
>>
>> I hope someone else can help.
>> Ivan
>>
>> On 11/08/2016 03:33 PM, mceylan wrote:
>>
>> hi,
>>
>> the problem is I' m unable to connect with Active Directory using valid
>> credentials.
>>
>> catalina.sh file add -Dauth.method.type=ldap
>>
>> this is my ctx-web-security-ldap.xml file
>>
>> <bean id="contextSource"
>> class="org.springframework.security.ldap.
>> DefaultSpringSecurityContextSource">
>> <constructor-arg value="ldap://enad.trm.gov.tr:
>> 389/dc=trm,dc=gov,dc=tr" />
>> <property name="userDn" value="cn=administrator,cn=Users,dc=trm,dc=gov,dc=tr"
>> />
>> <property name="password" value="1234qQQ" />
>> <property name="referral" value="follow" />
>> </bean>
>>
>> <bean id="midPointAuthenticationProvider"
>> class="org.springframework.security.ldap.authentication.
>> LdapAuthenticationProvider">
>> <constructor-arg>
>> <bean
>> class="org.springframework.
>> security.ldap.authentication.BindAuthenticator">
>> <constructor-arg ref="contextSource" />
>> <property name="userDnPatterns">
>> <list>
>>
>> <value>sAMAccountName={0},cn=Users</value>
>> </list>
>> </property>
>> <!-- OPTIONAL -->
>> <property name="userSearch"
>> ref="userSearch" />
>> </bean>
>> </constructor-arg>
>> <property name="userDetailsContextMapper"
>> ref="userDetailsService" />
>> </bean>
>>
>> <bean id="userSearch"
>> class="org.springframework.security.ldap.search.
>> FilterBasedLdapUserSearch">
>> <constructor-arg index="0" value="" />
>> <constructor-arg index="1" value="(sAMAccountName={0})" />
>> <constructor-arg index="2" ref="contextSource" />
>> <property name="searchSubtree" value="true" />
>>
>> </bean>
>>
>> output: *[Warning: Property for 'Bad credentials' not found]*
>>
>>
>> *Thanks. *--
>> Merve CEYLAN
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
> Merve CEYLAN
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
--
CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential;
intended for only the recipient(s) named above and may contain information
that is privileged. You should not retain, copy or use this e-mail or any
attachments for any purpose, or disclose all or any part of the contents to
any person. Any views or opinions expressed in this e-mail are those of the
author and do not represent those of the Baptist School of Health
Professions. If you have received this e-mail in error, or are not the
named recipient(s), you are hereby notified that any review, dissemination,
distribution or copying of this communication is prohibited by the sender
and to do so might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments from your computer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161109/d299d07b/attachment.htm>
More information about the midPoint
mailing list