The account that you use to fetch the LDAP data needs to have sufficient
privilege to get user account passwords... so it would be an "admin"
account of some sort. Here is the relevant portion of a security.xml
file of an AppFuse 1.9.4 app we got working with AD.
<!-- ========== LDAP START ========= -->
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <!-- this assumes your domain is something like "domain.tld" -->
    <constructor-arg value="ldap://contoller.domain.tld:389/dc=domain,dc=tld"/>
    <!-- "admin" is the name of the account used to fetch the LDAP data -->
    <property name="managerDn"><value>cn=admin,cn=users,dc=domain,dc=tld</value></property>
    <property name="managerPassword"><value>secret</value></property>
</bean>
<bean id="userSearch"
      class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value>cn=users</value>
    </constructor-arg>
    <constructor-arg index="1">
        <!-- this allows users to log in with their network username -->
        <value>(sAMAccountName={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory"/>
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>
<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg><value>cn=users</value></constructor-arg>
            <property name="groupRoleAttribute"><value>cn</value></property>
        </bean>
    </constructor-arg>
</bean>
<!-- ========== LDAP END ========= -->
To limit access to the app to a specific AD group, you can do something
like the following. This allows the "MANAGERS" group in AD access to
this app.
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
        <value>
            PATTERN_TYPE_APACHE_ANT
            /clickstreams.jsp*=admin
            /flushCache.*=admin
            /passwordHint.html*=ROLE_ANONYMOUS,admin,user
            /reload.*=admin
            /signup.html*=ROLE_ANONYMOUS,admin,user
            /users.html*=admin
            /**/*.html*=ROLE_MANAGERS
        </value>
    </property>
</bean>
Hope that helps,
Nathan
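As an added illustration of how that objectDefinitionSource block behaves (example code written for this thread, not part of AppFuse or Acegi): it parses the rule text from the post, matches request URLs with Ant-style patterns the way Acegi's path-based definition map does (the first matching line wins), and shows why the `/**/*.html*=ROLE_MANAGERS` catch-all has to be the last line. The rule text is the block from the bean above; the request URLs and granted-role sets are constructed samples; the Ant matcher is a small reimplementation for illustration, not Acegi's own code. The trailing `*` on each pattern is what lets a line still match when the request URL carries a query string.

```python
import re
from typing import List, Optional, Sequence, Set, Tuple

# Rule block copied from the thread's filterInvocationInterceptor bean.
RULES_TEXT = """
PATTERN_TYPE_APACHE_ANT
/clickstreams.jsp*=admin
/flushCache.*=admin
/passwordHint.html*=ROLE_ANONYMOUS,admin,user
/reload.*=admin
/signup.html*=ROLE_ANONYMOUS,admin,user
/users.html*=admin
/**/*.html*=ROLE_MANAGERS
"""

Rule = Tuple[str, Tuple[str, ...]]


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into an anchored regex.

    '**' spans directory separators, '*' and '?' do not; '/**/' also
    matches a single '/' so that '/**/x.html' covers '/x.html'.
    (Small reimplementation for illustration, not Acegi's matcher.)
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            parts.append("/(?:.*/)?")
            i += 4
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'pattern=role,role' lines in order; directive lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("PATTERN_TYPE_", "CONVERT_URL_")):
            continue
        pattern, _, roles = line.partition("=")
        rules.append((pattern.strip(), tuple(r.strip() for r in roles.split(","))))
    return rules


def required_roles(rules: Sequence[Rule], url: str) -> Optional[Tuple[str, ...]]:
    """First matching line wins, as in Acegi's path-based definition map.

    Matching is case-sensitive here because the page's block does not set
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON. Returns None when no line
    matches, i.e. the URL carries no access attributes at all.
    """
    for pattern, roles in rules:
        if re.match(ant_to_regex(pattern), url):
            return roles
    return None


def is_allowed(rules: Sequence[Rule], url: str, granted: Set[str]) -> bool:
    """Allow if the caller holds any one of the required roles.

    An unmatched URL has no attributes; Acegi's FilterSecurityInterceptor
    treats such a request as a public object by default, so it passes here.
    """
    roles = required_roles(rules, url)
    if roles is None:
        return True
    return any(r in granted for r in roles)


RULES = parse_rules(RULES_TEXT)


def main() -> None:
    # Constructed sample requests and role sets; not taken from the thread.
    samples = [
        ("/signup.html", {"ROLE_ANONYMOUS"}),
        ("/users.html?id=3", {"ROLE_MANAGERS"}),
        ("/reports/summary.html", {"ROLE_MANAGERS"}),
        ("/static/logo.png", set()),
    ]
    for url, granted in samples:
        print(f"{url:24} needs={required_roles(RULES, url)} "
              f"granted={sorted(granted)} allowed={is_allowed(RULES, url, granted)}")
    # Same rules with the catch-all moved first: it shadows every .html line.
    print("catch-all first, /signup.html needs:",
          required_roles(list(reversed(RULES)), "/signup.html"))


if __name__ == "__main__":
    main()
```

Two things the run makes visible: the ROLE_ANONYMOUS lines for /signup.html and /passwordHint.html only take effect because they sit above the catch-all (with the order reversed, the catch-all claims them for ROLE_MANAGERS), and a URL that matches no line, such as a .png, gets no attributes at all, which the interceptor treats as public rather than as a denial. Anything the group restriction is meant to cover therefore needs a pattern that actually matches it.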
reddeagle9 wrote:
Cheers Matt,
You're correct, I am following the one from the website
(http://appfuse.org/display/APF/LDAP+Authentication), but the code in my
example below is from debugging the Acegi classes. I think I have
over-analyzed the problem. I went through the log files and found
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09033
which according to http://www.directory-info.com/LDAP/LDAPErrorCodes.html is
LDAP_INVALID_CREDENTIALS: Indicates that during a bind operation one of the
following occurred:
* The client passed either an incorrect DN or password.
* The password is incorrect because it has expired, intruder detection
has locked the account, or some other similar reason.
So given that my password is correct, as it is my own, would this have
anything to do with the fact I cannot see userPassword in my LDAP schema
using a regular LDAP browser?
mraible wrote:
What tutorial are you talking about? The one on the wiki doesn't
require any code AFAIK. Attached is an LDAP version of AppFuse I
created a while back. It doesn't fully work, but it might have what
you're looking for. It uses Spring LDAP to do most of the heavy
lifting.
Matt
On 4/17/07, reddeagle9 <[EMAIL PROTECTED]> wrote:
Hi Guys,
AppFuse 1.9.4 Spring MVC, with Acegi.
Today I have swapped out DAO authentication for LDAP (Active Directory)
and I am almost there. I followed the tutorial posted and can connect to
LDAP and find the user.
In the LdapTemplate class
    public Object searchForSingleEntry(final String base, final String filter,
                                       final Object[] params,
                                       final LdapEntryMapper mapper) {
        return execute(new LdapCallback() {
            public Object doInDirContext(DirContext ctx) throws NamingException {
                NamingEnumeration results = ctx.search(base, filter, params, searchControls);
                if (!results.hasMore()) {
                    throw new IncorrectResultSizeDataAccessException(1, 0);
                }
                SearchResult searchResult = (SearchResult) results.next();
                if (results.hasMore()) {
                    // We don't know how many results but set to 2 which is good enough
                    throw new IncorrectResultSizeDataAccessException(1, 2);
                }
I get an exception at the second if (results.hasMore()) {
The searchResult object contains my details as retrieved from LDAP,
and I have the following exception:
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;Unprocessed
Continuation Reference(s); nested exception is
javax.naming.PartialResultException: Unprocessed Continuation
Reference(s); remaining name 'DC=example,DC=com'
Can anyone shed any light on this? It has me baffled.
When I use an LDAP browser and search for a user, I do not see
userPassword as an attribute?
Cheers guys
--
View this message in context:
http://www.nabble.com/Authenticating-with-ldap-almost-there-tf3591637s2369.html#a10037977
Sent from the AppFuse - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
http://raibledesigns.com