<div dir="ltr">Also, by any chance, have you tried using the global catalog for AD? I have more than a few Java apps using Spring Security and have always had to end up using the catalog.<div><br></div><div>So instead of <span style="color:rgb(80,0,80);font-size:12.8px">ldap://</span><a href="http://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" target="_blank" style="font-size:12.8px">enad.trm.gov.tr:<wbr>389/dc=trm,dc=gov,dc=tr</a></div><div><br></div><div>try <span style="color:rgb(80,0,80);font-size:12.8px">ldap://</span><a href="http://enad.trm.gov.tr:3268/dc=trm,dc=gov,dc=tr" target="_blank" style="font-size:12.8px">enad.trm.gov.tr:3268/dc=trm,dc=gov,dc=tr</a></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div>
<br><div class="gmail_quote">On Wed, Nov 9, 2016 at 7:41 AM, Katka Valalikova <span dir="ltr"><<a href="mailto:katka.valalikova@evolveum.com" target="_blank">katka.valalikova@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div>Are you sure that you are using correct username/password? AFAIK, the error <b class="m_2603460919324751302gmail-box-title" style="font-family:Helvetica,Arial,sans-serif">Bad credentials  </b>is thrown when username/password doesn't match (or user doesn't exist in AD). </div><div><br></div><div>Look also into midPoint log if there is no error.</div><span class=""><div><br></div><div><span name="x"></span>Best regards,<br><div><br></div>Katarina Valalikova<br>Java Developer<br><a href="http://evolveum.com" target="_blank">evolveum.com</a><span name="x"></span><br></div><div><br></div><hr id="m_2603460919324751302zwchr"></span><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"mceylan" <<a href="mailto:mrveceylan@gmail.com" target="_blank">mrveceylan@gmail.com</a>><br><b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br><b>Sent: </b>Wednesday, November 9, 2016 2:31:31 PM<div><div class="h5"><br><b>Subject: </b>Re: [midPoint] Active Directory Authentication<br><div><br></div><div dir="ltr">hi,<div><br></div><div>not working. my configuration file,</div><div><br></div><div><div><?xml version="1.0" encoding="UTF-8"?></div><div><!-- ~ Copyright (c) 2010-2016 Evolveum ~ ~ Licensed under the Apache License,</div><div>        Version 2.0 (the "License"); ~ you may not use this file except in compliance</div><div>        with the License. 
~ You may obtain a copy of the License at ~ ~ <a href="http://www.apache.org/licenses/LICENSE-2.0" target="_blank">http://www.apache.org/<wbr>licenses/LICENSE-2.0</a></div><div>        ~ ~ Unless required by applicable law or agreed to in writing, software ~</div><div>        distributed under the License is distributed on an "AS IS" BASIS, ~ WITHOUT</div><div>        WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ~ See the</div><div>        License for the specific language governing permissions and ~ limitations</div><div>        under the License. --></div><div><br></div><div><beans xmlns="<a href="http://www.springframework.org/schema/beans" target="_blank">http://www.<wbr>springframework.org/schema/<wbr>beans</a>"</div><div>        xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/<wbr>2001/XMLSchema-instance</a>"</div><div>        xsi:schemaLocation="<a href="http://www.springframework.org/schema/beans" target="_blank">http://<wbr>www.springframework.org/<wbr>schema/beans</a></div><div>                <a href="http://www.springframework.org/schema/beans/spring-beans-4.1.xsd" target="_blank">http://www.springframework.<wbr>org/schema/beans/spring-beans-<wbr>4.1.xsd</a>"></div><div><br></div><div>        <bean id="contextSource"</div><div>                class="org.springframework.<wbr>security.ldap.<wbr>DefaultSpringSecurityContextSo<wbr>urce"></div><div>                <constructor-arg value="ldap://<a href="http://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" target="_blank">enad.trm.gov.tr:<wbr>389/dc=trm,dc=gov,dc=tr</a>" /></div><div>                <property name="userDn" value="cn=administrator,cn=<wbr>Users,dc=trm,dc=gov,dc=tr" /></div><div>                <property name="password" value="1234qQQ" /></div><div>        </bean></div><div><br></div><div>        <bean id="<wbr>midPointAuthenticationProvider<wbr>"</div><div>                
class="org.springframework.<wbr>security.ldap.authentication.<wbr>LdapAuthenticationProvider"></div><div>                <constructor-arg></div><div>                        <bean</div><div>                                class="org.springframework.<wbr>security.ldap.authentication.<wbr>BindAuthenticator"></div><div>                                <constructor-arg ref="contextSource" /></div><div>                                <property name="userSearch" ref="userSearch" /></div><div>                        </bean></div><div>                </constructor-arg></div><div>                <property name="<wbr>userDetailsContextMapper" ref="userDetailsService" /></div><div>        </bean></div><div><br></div><div>        <bean id="userSearch"</div><div>                class="org.springframework.<wbr>security.ldap.search.<wbr>FilterBasedLdapUserSearch"></div><div>                <constructor-arg index="0" value="" /></div><div>                <constructor-arg index="1" value="(sAMAccountName={0})" /></div><div>                <constructor-arg index="2" ref="contextSource" /></div><div>                <property name="searchSubtree" value="true" /></div><div><br></div><div>        </bean></div><div><br></div><div></beans></div></div><div><br></div><div>output:  <b class="m_2603460919324751302gmail-box-title">[Warning: Property for 'Bad credentials' not found]  :S</b></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-09 15:10 GMT+02:00 Katka Valalikova <span dir="ltr"><<a href="mailto:katka.valalikova@evolveum.com" target="_blank">katka.valalikova@evolveum.com</a><wbr>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div>Hi,<br></div><div><br></div><div>remove this part :<span><br><div 
style="font-family:Helvetica,Arial,sans-serif">                              <property name="userDnPatterns"></div><div style="font-family:Helvetica,Arial,sans-serif">                                        <list></div><div style="font-family:Helvetica,Arial,sans-serif">                                                <value>sAMAccountName={0},cn=<wbr>Users</value></div><div style="font-family:Helvetica,Arial,sans-serif">                                        </list></div><div style="font-family:Helvetica,Arial,sans-serif">                                </property></div><br></span></div><div><br></div><div>from your configuration. In your case, it is sufficient to leave just search filter enabled (using this property):</div><span><div><span style="font-family:Helvetica,Arial,sans-serif"><br></span></div><div><span style="font-family:Helvetica,Arial,sans-serif">    <property name="userSearch" ref="userSearch" /></span></div><div><br></div></span><div>Configuration for userSearch seems OK to me. 
</div><div><br></div><div>This is the resulting configuration which should work for you:</div><div><br></div><div><span><div style="font-family:Helvetica,Arial,sans-serif"><bean id="contextSource"</div><div style="font-family:Helvetica,Arial,sans-serif">                class="org.springframework.<wbr>security.ldap.<wbr>DefaultSpringSecurityContextSo<wbr>urce"></div><div style="font-family:Helvetica,Arial,sans-serif">                <constructor-arg value="<a class="m_2603460919324751302m_1207575036554626090moz-txt-link-freetext">ldap://</a><a href="http://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" target="_blank">enad.trm.gov.tr:<wbr>389/dc=trm,dc=gov,dc=tr</a>" /></div><div style="font-family:Helvetica,Arial,sans-serif">                <property name="userDn" value="cn=administrator,cn=<wbr>Users,dc=trm,dc=gov,dc=tr" /></div><div style="font-family:Helvetica,Arial,sans-serif">                <property name="password" value="1234qQQ" /></div><div style="font-family:Helvetica,Arial,sans-serif">                <property name="referral" value="follow" /></div><div style="font-family:Helvetica,Arial,sans-serif">        </bean></div><div style="font-family:Helvetica,Arial,sans-serif"><br></div><div style="font-family:Helvetica,Arial,sans-serif">        <bean id="<wbr>midPointAuthenticationProvider<wbr>"</div><div style="font-family:Helvetica,Arial,sans-serif">                class="org.springframework.<wbr>security.ldap.authentication.<wbr>LdapAuthenticationProvider"></div><div style="font-family:Helvetica,Arial,sans-serif">                <constructor-arg></div><div style="font-family:Helvetica,Arial,sans-serif">                        <bean</div><div style="font-family:Helvetica,Arial,sans-serif">                                class="org.springframework.<wbr>security.ldap.authentication.<wbr>BindAuthenticator"></div><div style="font-family:Helvetica,Arial,sans-serif">                                <constructor-arg ref="contextSource" /></div></span><span><div 
style="font-family:Helvetica,Arial,sans-serif">                                <property name="userSearch" ref="userSearch" /></div><div style="font-family:Helvetica,Arial,sans-serif">                        </bean></div><div style="font-family:Helvetica,Arial,sans-serif">                </constructor-arg></div><div style="font-family:Helvetica,Arial,sans-serif">                <property name="<wbr>userDetailsContextMapper" ref="userDetailsService" /></div><div style="font-family:Helvetica,Arial,sans-serif">        </bean></div><div style="font-family:Helvetica,Arial,sans-serif"><br></div><div style="font-family:Helvetica,Arial,sans-serif">        <bean id="userSearch"</div><div style="font-family:Helvetica,Arial,sans-serif">                class="org.springframework.<wbr>security.ldap.search.<wbr>FilterBasedLdapUserSearch"></div><div style="font-family:Helvetica,Arial,sans-serif">                <constructor-arg index="0" value="" /></div><div style="font-family:Helvetica,Arial,sans-serif">                <constructor-arg index="1" value="(sAMAccountName={0})" /></div><div style="font-family:Helvetica,Arial,sans-serif">                <constructor-arg index="2" ref="contextSource" /></div><div style="font-family:Helvetica,Arial,sans-serif">                <property name="searchSubtree" value="true" /></div><div style="font-family:Helvetica,Arial,sans-serif"><br></div><div style="font-family:Helvetica,Arial,sans-serif">        </bean></div></span></div><div><div style="font-family:Helvetica,Arial,sans-serif"><div><br></div></div><br></div><div><br></div><div><span></span>Best regards,<br><div><br></div>Katarina Valalikova<br>Java Developer<br><a href="http://evolveum.com" target="_blank">evolveum.com</a><span></span><br></div><div><br></div><hr id="m_2603460919324751302m_1207575036554626090zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"Ivan Noris" <<a 
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>><br><b>To: </b><a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br><b>Sent: </b>Wednesday, November 9, 2016 2:01:09 PM<br><b>Subject: </b>Re: [midPoint] Active Directory Authentication<div><div class="m_2603460919324751302h5"><br><div><br></div>
  
    
  
  
    <p>Hi,</p>
    <p>I don't have experience with this, but for me this seems to be
      suspicious:</p>
    <div>                                <property
      name="userDnPatterns"></div>
    <div>                                        <list></div>
    <div>                                               
      <value>sAMAccountName={0},cn=<wbr>Users</value></div>
    <div>                                        </list></div>
    <div>                                </property></div>
    <br>
    Because if this is used for any filtering, such DNs probably don't
    exist... (AD accounts DNs are cn=Firstname Lastname,...) And
    probably also the container will be different from cn=Users.<br>
    <br>
    I hope someone else can help.<br>
    Ivan<br>
    <br>
    <div class="m_2603460919324751302m_1207575036554626090moz-cite-prefix">On 11/08/2016 03:33 PM, mceylan wrote:<br>
    </div>
    <blockquote>
      <div dir="ltr">hi,
        <div><br>
        </div>
        <div>the problem is I'm unable to connect with Active Directory
          using valid credentials.<br clear="all">
          <div><br>
          </div>
          <div>catalina.sh file add -Dauth.method.type=ldap</div>
          <div><br>
          </div>
          <div>this is my ctx-web-security-ldap.xml  file <br>
          </div>
          <div><br>
          </div>
          <div>
            <div><bean id="contextSource"</div>
            <div>               
class="org.springframework.<wbr>security.ldap.<wbr>DefaultSpringSecurityContextSo<wbr>urce"></div>
            <div>                <constructor-arg value="<a class="m_2603460919324751302m_1207575036554626090moz-txt-link-freetext">ldap://</a><a href="http://enad.trm.gov.tr:389/dc=trm,dc=gov,dc=tr" target="_blank">enad.trm.gov.tr:<wbr>389/dc=trm,dc=gov,dc=tr</a>"
              /></div>
            <div>                <property name="userDn"
              value="cn=administrator,cn=<wbr>Users,dc=trm,dc=gov,dc=tr"
              /></div>
            <div>                <property name="password"
              value="1234qQQ" /></div>
            <div>                <property name="referral"
              value="follow" /></div>
            <div>        </bean></div>
            <div><br>
            </div>
            <div>        <bean id="<wbr>midPointAuthenticationProvider<wbr>"</div>
            <div>               
class="org.springframework.<wbr>security.ldap.authentication.<wbr>LdapAuthenticationProvider"></div>
            <div>                <constructor-arg></div>
            <div>                        <bean</div>
            <div>                               
class="org.springframework.<wbr>security.ldap.authentication.<wbr>BindAuthenticator"></div>
            <div>                                <constructor-arg
              ref="contextSource" /></div>
            <div>                                <property
              name="userDnPatterns"></div>
            <div>                                        <list></div>
            <div>                                               
              <value>sAMAccountName={0},cn=<wbr>Users</value></div>
            <div>                                        </list></div>
            <div>                                </property></div>
            <div>                                <!--  OPTIONAL
              --></div>
            <div>                                <property
              name="userSearch" ref="userSearch" /></div>
            <div>                        </bean></div>
            <div>                </constructor-arg></div>
            <div>                <property
              name="<wbr>userDetailsContextMapper" ref="userDetailsService"
              /></div>
            <div>        </bean></div>
            <div><br>
            </div>
            <div>        <bean id="userSearch"</div>
            <div>               
class="org.springframework.<wbr>security.ldap.search.<wbr>FilterBasedLdapUserSearch"></div>
            <div>                <constructor-arg index="0" value=""
              /></div>
            <div>                <constructor-arg index="1"
              value="(sAMAccountName={0})" /></div>
            <div>                <constructor-arg index="2"
              ref="contextSource" /></div>
            <div>                <property name="searchSubtree"
              value="true" /></div>
            <div><br>
            </div>
            <div>        </bean></div>
          </div>
          <div><br>
          </div>
          <div>output:   <b class="m_2603460919324751302m_1207575036554626090gmail-box-title">[Warning: Property
              for 'Bad credentials' not found]</b></div>
          <div><b class="m_2603460919324751302m_1207575036554626090gmail-box-title"><br>
            </b></div>
          <div><b class="m_2603460919324751302m_1207575036554626090gmail-box-title">Thanks.<br>
            </b>-- </div>
          <div class="m_2603460919324751302m_1207575036554626090gmail_signature">
            <div dir="ltr">Merve CEYLAN</div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2603460919324751302m_1207575036554626090moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2603460919324751302m_1207575036554626090moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="m_2603460919324751302m_1207575036554626090moz-signature">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  

</div></div></div><div><br></div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_2603460919324751302gmail_signature"><div dir="ltr">Merve CEYLAN</div></div>
</div>
</div></div></div><div><br></div></div></div>
<br></blockquote></div><br></div>

<br>
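<div>Added example, not part of the thread and not Spring Security or midPoint code: a simplified Python model of the two lookup strategies discussed above. It shows why binding to a DN built from the pattern sAMAccountName={0},cn=Users ends in "Bad credentials" even with a valid password, while searching on (sAMAccountName={0}) and binding to the DN that was found succeeds. The base DN, directory entries and passwords are constructed for illustration.</div>

```python
"""Simplified model of the two LDAP login strategies in this thread (not Spring code)."""

BASE = "dc=example,dc=test"  # constructed base DN, not the poster's domain

# Constructed directory: AD names entries by cn; sAMAccountName is only an attribute.
DIRECTORY = {
    "cn=Jane Doe,ou=Staff," + BASE: {"sAMAccountName": "jdoe", "password": "constructed-pw-1"},
    "cn=John Roe,cn=Users," + BASE: {"sAMAccountName": "jroe", "password": "constructed-pw-2"},
}


class BadCredentials(Exception):
    """One error for 'no such DN' and 'wrong password', as the client sees it."""


def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] != password:
        raise BadCredentials("Bad credentials")
    return dn


def login_with_dn_pattern(pattern, username, password):
    """userDnPatterns style: build a DN from the login name and bind to it."""
    return bind(pattern.replace("{0}", username) + "," + BASE, password)


def login_with_search(filter_template, username, password):
    """userSearch style: resolve the real DN by attribute, then bind to it.

    Only handles single equality templates such as (sAMAccountName={0}).
    """
    attr = filter_template.strip("()").split("=", 1)[0]
    hits = [dn for dn, entry in DIRECTORY.items()
            if entry.get(attr, "").lower() == username.lower()]
    if len(hits) != 1:  # unknown or ambiguous login name
        raise BadCredentials("Bad credentials")
    return bind(hits[0], password)


def outcome(fn, *args):
    """Return the bound DN, or the error text the user would see."""
    try:
        return fn(*args)
    except BadCredentials as exc:
        return str(exc)


if __name__ == "__main__":
    pw = "constructed-pw-1"
    print(outcome(login_with_dn_pattern, "sAMAccountName={0},cn=Users", "jdoe", pw))
    print(outcome(login_with_search, "(sAMAccountName={0})", "jdoe", pw))
    print(outcome(login_with_search, "(sAMAccountName={0})", "jdoe", "wrong"))
```

<div>The pattern-based login fails for jroe as well, although that entry does live under cn=Users, because its RDN is cn=John Roe rather than sAMAccountName=jroe.</div>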