I'm trying to use Active Directory via the ldap-authentication-provider for
authentication only, and then use roles that are in my application (synched by
user id) for authorisation.
Looking into the code for the LdapAuthenticationProvider authenticate method,
loadUserAuthorities calls getGrantedAuthorities to get the roles after
authenticating. My security.xml (LDAP part) is as below:
[CODE]
<ldap-server url="ldap://akl-fs03:389"
    manager-dn="CN=Ben Nice,OU=NZNTEL,OU=NZN,OU=FROSYN,OU=FSG,DC=synergyint,DC=net"
    manager-password="password"
/>
<ldap-authentication-provider user-search-filter="sAMAccountName={0}"
    user-search-base="OU=NZNTEL,OU=NZN,OU=FROSYN,OU=FSG,DC=synergyint,DC=net"
    group-role-attribute="CN"
    role-prefix="none"
/>
[/CODE]
Authentication with Active Directory works, but it is failing to get the
roles back:
[CODE]
[myproject] DEBUG [http-8090-Processor25] AuthenticationProcessingFilter.doFilterHttp(242) | Request is to process authentication
[myproject] DEBUG [http-8090-Processor25] ProviderManager.doAuthentication(190) | Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
[myproject] DEBUG [http-8090-Processor25] ProviderManager.doAuthentication(190) | Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
[myproject] DEBUG [http-8090-Processor25] FilterBasedLdapUserSearch.searchForUser(109) | Searching for user 'niceb', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: 'OU=NZNTEL,OU=NZN,OU=FROSYN,OU=FSG,DC=synergyint,DC=net', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[myproject] DEBUG [http-8090-Processor25] DefaultSpringSecurityContextSource.getReadWriteContext(76) | Creating context with principal: 'cn=Ben Nice, ou=NZNTEL, ou=NZN, ou=FROSYN, ou=FSG, dc=synergyint, dc=net'
[myproject] DEBUG [http-8090-Processor25] DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(176) | Getting authorities for user cn=Ben Nice, ou=NZNTEL, ou=NZN, ou=FROSYN, ou=FSG, dc=synergyint, dc=net
[myproject] DEBUG [http-8090-Processor25] DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(202) | Searching for roles for user 'niceb', DN = 'cn=Ben Nice, ou=NZNTEL, ou=NZN, ou=FROSYN, ou=FSG, dc=synergyint, dc=net', with filter (uniqueMember={0}) in search base 'ou=groups'
[myproject] INFO [http-8090-Processor25] LdapTemplate.assureReturnObjFlagSet(1254) | The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
[myproject] DEBUG [http-8090-Processor25] AuthenticationProcessingFilter.unsuccessfulAuthentication(396) | Updated SecurityContextHolder to contain null Authentication
[myproject] DEBUG [http-8090-Processor25] AuthenticationProcessingFilter.unsuccessfulAuthentication(402) | Authentication request failed: org.springframework.security.AuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0
[/CODE]
I have read in the authorisation section that I may need to implement an
AccessDecisionManager; is this correct? Is there a simpler configuration for
splitting off the authorisation part and doing it in the application? BTW, I'm
using AppFuse for the application.
Thanks
David
--
View this message in context:
http://www.nabble.com/Active-Directory-authentication-and-using-appfuse-for-authorisation-via-roles-tp18475673s2369p18475673.html
Sent from the AppFuse - User mailing list archive at Nabble.com.
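One way to keep Active Directory for authentication only and take the roles from the application, as an added example that is not David's code or AppFuse's: a custom LdapAuthoritiesPopulator that never searches the directory for groups (so the default search under 'ou=groups' with uniqueMember, which this AD rejects with DIR_ERROR 5012, is not run) and instead looks the login name up in an application-side role store. It assumes the Spring Security 2.0.x API that the package names in the log point to, and a hypothetical RoleRepository interface standing in for whatever AppFuse user/role lookup is available.

```java
import java.util.List;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.ldap.LdapAuthoritiesPopulator;

/**
 * Authorities come from the application, not from AD group membership.
 * Because this populator replaces DefaultLdapAuthoritiesPopulator, no group
 * search is issued against the directory after the bind succeeds.
 */
public class ApplicationRoleAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    /** Hypothetical application-side lookup, keyed by login name (the sAMAccountName value). */
    public interface RoleRepository {
        List<String> findRoleNamesByUsername(String username);
    }

    private final RoleRepository roles;

    public ApplicationRoleAuthoritiesPopulator(RoleRepository roles) {
        this.roles = roles;
    }

    public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
        // userData (the AD entry) is deliberately ignored: AD only proves who the user is.
        List<String> names = roles.findRoleNamesByUsername(username);
        if (names == null || names.isEmpty()) {
            // No application roles: authentication still succeeds, but the
            // user holds no authority and every role-protected URL denies.
            return new GrantedAuthority[0];
        }
        GrantedAuthority[] authorities = new GrantedAuthority[names.size()];
        for (int i = 0; i < names.size(); i++) {
            // Role names are stored with their prefix already applied, e.g. "ROLE_USER".
            authorities[i] = new GrantedAuthorityImpl(names.get(i));
        }
        return authorities;
    }
}
```

Wire it by defining LdapAuthenticationProvider as an explicit bean with a BindAuthenticator and this populator instead of the <ldap-authentication-provider> element, so that access decisions depend only on the roles in the application's tables and no AccessDecisionManager changes are needed.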