Hi there everyone,
I'm trying to create a PrincipalToResolver that can resolve from an AD user id to the owner's email address via an LDAP lookup.
We have an LDAP interface on our AD, and it works just fine with LDAP Admin and openldap's ldapsearch. But it just won't allow jndi to authenticate.
I wrote about this on a jndi forum, to see if the wider user group there has some experience (see http://forums.sun.com/thread.jspa?messageID=11015291). But I also thought it would be pertinent to mention it here. Below is a copy of my post. I'm interested in any tips you may have :-)
---
I have the following credentials, which work just fine in LDAP Admin:

    Host: ad.megacorp.com
    Port: 3269
    Use SSL: No
    Base: dc=megacorpeurope,dc=eu,dc=megacorp,dc=com
    Username: cn=System Account,ou=Production,ou=Service Accounts,ou=IT,dc=megacorpeurope,dc=eu,dc=megacorp,dc=com
    Password: MySecret
    Simple Auth: Yes

(I also tried using [email protected] here and it also works fine)
However, with these settings in my jndi config, I get the 'AuthenticationException' error:

    <property name="urls">
        <list>
            <value>ldap://ad.megacorp.com:3268/dc=megacorpeurope,dc=eu,dc=megacorp,dc=com</value>
        </list>
    </property>
    <property name="anonymousReadOnly" value="false"/>
    <property name="userDn" value="CN=System Account,OU=Production,OU=Service Accounts,OU=IT"/>
    <property name="password" value="MySecret"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
Following tips on other threads in the Sun JNDI forum I have tried upper-casing the domain components (e.g. "dc=MEGACORPEUROPE..", "DC=megacorpeurope.." and "DC=MEGACORPEUROPE"). I have checked and the DN is correct. I also tried accessing using the samaccountn...@domain (as above for LDAP Admin), but I still get the same error.
I have triple-checked the password, the DN, the CN.
If I modify the base (which is appended to the end of the ldap url), or duplicate it in the userDn field, I of course see the 'NameNotFoundException' error. So it seems I don't have DN resolution issues.
The exact error is:

    org.springframework.ldap.AuthenticationException: [LDAP: error code 49 -
    80090308: LdapErr: DSID-0C090334,
    comment: AcceptSecurityContext error, data 525, vece]
... which, based on the answers in the Sun JNDI forum, can be the result of an incorrect username or an incorrect password. But these credentials work fine in LDAP Admin.
Incidentally LDAP Admin is running on my desktop, and jndi is running on my server. But both are on the same network, and jndi appears to be talking to the remote AD box. But just to make sure it's nothing to do with differing network settings, I also just tried using the openldap client on the jndi server:
    ldapsearch -D "CN=System Account,OU=Production,OU=Service Accounts,OU=IT,dc=megacorpeurope,dc=eu,dc=megacorp,dc=com" \
        -w MySecret -x -h ad.megacorp.com -p 3268 -b dc=megacorp,dc=com "(cn=Fred Basset)"

... which yielded good search results straight away.
LDAP Admin and openldap's ldapsearch just work out of the box. Yet jndi seems to have problems.
What am I doing wrong?
--
Andy Cowling | UK Core IT
Interactive Data Managed Solutions Ltd
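Decoding the `data` sub-code in that error message, as an added example that is not part of the post above: Active Directory reports the reason for a failed simple bind in the `data` field of an LDAP result 49, and 525 ("user not found", i.e. the bind DN or UPN did not resolve to an account) points to a different misconfiguration than 52e ("invalid credentials"). The sample string is constructed from the exception text quoted in the post; the sub-code table is documented AD behaviour, paraphrased.

```python
import re

# AD sub-codes appended to an LDAP result 49 (invalidCredentials) on a failed
# bind. Keys are the hex "data" values AD emits; the text is a paraphrase.
AD_BIND_SUBCODES = {
    "525": "user not found (bind DN / UPN does not resolve to an account)",
    "52e": "invalid credentials (account found, password wrong)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_CODE_RE = re.compile(r"LDAP: error code (\d+)")
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_ad_bind_error(message: str) -> dict:
    """Pull the LDAP result code and the AD 'data' sub-code out of an
    exception message and map the sub-code to its meaning. The meaning is
    only filled in for result code 49, where AD defines these sub-codes."""
    code = _CODE_RE.search(message)
    data = _DATA_RE.search(message)
    result = {
        "result_code": int(code.group(1)) if code else None,
        "data": data.group(1).lower() if data else None,
        "meaning": None,
    }
    if result["result_code"] == 49 and result["data"] is not None:
        result["meaning"] = AD_BIND_SUBCODES.get(result["data"], "unknown sub-code")
    return result


# Constructed sample: the exception text quoted in the post.
SAMPLE = (
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, "
    "data 525, vece]"
)

if __name__ == "__main__":
    print(decode_ad_bind_error(SAMPLE))
```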