Hi Andy,

Your admin account looks correctly spelt to me, but your search criteria should use sAMAccountName instead of cn. For example: "sAMAccountName=Fred Basset" instead of "cn=Fred Basset".
Stéphane

2010/7/6 Andy Cowling <[email protected]>
> Hi there everyone
>
> I'm trying to create a PrincipalToResolver that can resolve from an AD user
> id to the owner's email address via an LDAP lookup.
>
> We have an LDAP interface on our AD, and it works just fine with LDAP Admin
> and openldap's ldapsearch. But it just won't allow jndi to authenticate.
>
> I wrote about this on a jndi forum, to see if the wider user group there
> has some experience (see
> http://forums.sun.com/thread.jspa?messageID=11015291). But also thought it
> would be pertinent to mention it here. Below is a copy of my post. I'm
> interested in any tips you may have :-)
>
>
> ---
>
> I have the following credentials, which work just fine in LDAP Admin:
>
> Host: ad.megacorp.com
> Port: 3269
> Use SSL: No
> Base: dc=megacorpeurope,dc=eu,dc=megacorp,dc=com
> Username: cn=System Account,ou=Production,ou=Service Accounts,ou=IT,dc=megacorpeurope,dc=eu,dc=megacorp,dc=com
> Password: MySecret
> Simple Auth: Yes
>
> (I also tried using [email protected] here and
> it also works fine)
>
> However, with these settings in my jndi config, I get the
> 'AuthenticationException' error:
>
> <property name="urls">
>   <list>
>     <value>ldap://ad.megacorp..com:3268/dc=megacorpeurope,dc=eu,dc=megacorp,dc=com</value>
>   </list>
> </property>
> <property name="anonymousReadOnly" value="false"/>
> <property name="userDn" value="CN=System Account,OU=Production,OU=Service Accounts,OU=IT"/>
> <property name="password" value="MySecret"/>
> <property name="baseEnvironmentProperties">
>   <map>
>     <entry>
>       <key>
>         <value>java.naming.security.authentication</value>
>       </key>
>       <value>simple</value>
>     </entry>
>   </map>
> </property>
>
> Following tips on other threads in the sun JNDI forum I have tried upper-casing
> the domain components (e.g. "dc= MEGACORPEUROPE.." and
> "DC=megacorpeurope.." and "DC=MEGACORPEAUROPE")
>
> I have checked and the dn is correct.
>
> I also tried accessing using the
> samaccountn...@domain (as above for LDAP ADMIN), but I still get the
> same error.
>
> I have triple-checked the password, the DN, the CN.
>
> If I modify the base (which is appended to the end of the ldap url), or
> duplicate it in the userDn field, I of course see the
> 'NameNotFoundException' error. So it seems I don't have DN resolution
> issues.
>
> The exact error is:
>
> <org.springframework.ldap.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C090334,
> comment: AcceptSecurityContext error, data 525, vece]
>
> ... which based on the answers in the sun JNDI forum can be a result of an
> incorrect username or an incorrect password. But these credentials work
> fine in LDAP Admin.
>
> Incidentally LDAP Admin is running on my desktop, and jndi is running on
> my server. But both are on the same network, and jndi appears to be
> talking to the remote AD box. But just to make sure it's nothing to do
> with differing network settings, I also just tried using the openldap
> client on the jndi server:
>
> ldapsearch -D "CN=System Account,OU=Production,OU=Service Accounts,OU=IT,dc=megacorpeurope,dc=eu,dc=megacorp,dc=com" -w MySecret -x -h ad.megacorp.com -p 3268 -b dc=megacorp,dc=com "cn=Fred Basset"
>
> .. which yielded good search results straight away.
>
> LDAP Admin and openldap's ldapsearch just work out of the box. Yet jndi
> seems to have problems.
>
> What am I doing wrong?
>
> --
>
> Andy Cowling | UK Core IT
> Interactive Data Managed Solutions Ltd
>
> Suite 1101, Eagle Tower | Montpellier Drive | Cheltenham GL50 1TA | UK
> Tel: +44 (0)1242 6941 15 | Fax: +44 (0)1242 6941 01
> [email protected]
> http://www.interactivedata-ms.com
>
> This message (including any files transmitted with it) may contain confidential
> and/or proprietary information, is the property of Interactive Data Corporation
> and/or its subsidiaries, and is directed only to the addressee(s). If you are not
> the designated recipient or have reason to believe you received this message in
> error, please delete this message from your system and notify the sender
> immediately. An unintended recipient's disclosure, copying, distribution, or
> use of this message or any attachments is prohibited and may be unlawful.
> Interactive Data (Europe) Ltd Registered No. 949387 England Registered Office:
> Fitzroy House 13-17 Epworth Street. London. EC2A 4DL

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
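Two things in this thread are worth turning into reusable code for anyone debugging the same AD bind failure: the `data NNN` sub-code that Active Directory appends to an LDAP result code 49 tells you whether the bind DN was not found at all (`525`, which is what Andy's error shows) or whether the account was found but the password was rejected (`52e`), and the `sAMAccountName=...` filter Stéphane suggests should be built with the value escaped per RFC 4515 so that user-supplied input cannot alter the filter. The following is an added example written for this page, not code from the thread, from Spring LDAP or from CAS; the sub-code table is the documented set of AD `AcceptSecurityContext` data values, the sample error string is the one quoted in Andy's message, and the function names are my own.

```python
import re

# Documented "data NNN" sub-codes Active Directory appends to an LDAP
# result code 49 (invalidCredentials) bind failure. Distinguishing 525
# from 52e is the first diagnostic step: 525 means the bind DN / UPN
# itself did not resolve, so no password check happened yet.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN / UPN does not resolve to an account)",
    "52e": "invalid credentials (account found, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked out",
}

# Matches "error code 49 ... data 525" inside the exception text.
_DATA_RE = re.compile(
    r"error code (?P<code>\d+).*?data (?P<data>[0-9a-fA-F]+)", re.DOTALL
)


def classify_ad_bind_error(message):
    """Return (result_code, sub_code, explanation) for an AD bind error
    message, or None when the text carries no LDAP error code."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    data = m.group("data").lower()
    if code != 49:
        return (code, data, "not an invalidCredentials (49) failure")
    return (code, data, AD_BIND_SUBCODES.get(data, "unknown AD sub-code"))


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    backslash, asterisk, parentheses and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def samaccountname_filter(username):
    """Build the sAMAccountName lookup filter from Stéphane's reply, with the
    username escaped so it cannot inject extra filter terms."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


# Sample input: the exact error text quoted in Andy's message.
SAMPLE_ERROR = (
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, "
    "data 525, vece]"
)

if __name__ == "__main__":
    print(classify_ad_bind_error(SAMPLE_ERROR))
    print(samaccountname_filter("Fred Basset"))
    print(samaccountname_filter("*)(objectClass=*"))
```

Running it against the quoted exception reports sub-code `525`, "user not found", which points at the bind identity rather than the password and is consistent with the advice in the thread to check how the account is being named. The escaping helper is the piece to keep in any resolver that builds a filter from a user id taken from a login request.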
