-
1. Re: ldap-identity-store with Active Directory
tmalatinszki Nov 12, 2009 10:26 AM (in response to charliebarjel)
Hi Charlie,
I'm using sAMAccountName based AD authentication also, here's my configuration in components.xml:
<security:ldap-identity-store name="ldapIdentityStore"
    server-address="server.ad.myworld.com"
    server-port="389"
    first-name-attribute="givenName"
    last-name-attribute="sn"
    bind-DN="CN=SERVICEUSER,OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
    bind-credentials="SERVICEUSERPASSWORD"
    user-DN-prefix="sAMAccountName="
    user-name-attribute="sAMAccountName"
    user-DN-suffix=",OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
    user-context-DN="OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
    role-DN-prefix="distinguishedName="
    role-name-attribute="distinguishedName"
    role-object-classes="group"
    role-DN-suffix=",OU=Groups,DC=server,DC=ad,DC=myworld,DC=com"
    role-context-DN="OU=Groups,DC=server,DC=ad,DC=myworld,DC=com"
    user-role-attribute="memberOf"
    user-object-classes="user"
    role-attribute-is-DN="false"/>
<security:identity-manager name="identityManager" identity-store="#{ldapIdentityStore}"/>
Regards,
Tamas
-
2. Re: ldap-identity-store with Active Directory
charliebarjel Nov 13, 2009 2:20 AM (in response to charliebarjel)
Hi Tamas,
Thanks for your help.
But sadly even your config doesn't work for me.
Not sure what the problem is... not sure where to look anymore. Could it be an Active Directory setting? Is there a setting which prevents binding with a user's sAMAccountName?
-
3. Re: ldap-identity-store with Active Directory
tmalatinszki Nov 13, 2009 9:55 AM (in response to charliebarjel)
I don't think that depends on any kind of AD setting (as You said, it works fine with cn). According to the error message (525 means user not found) there are a few things You should check:
- Is sAMAccountName set correctly in the AD entry of Your user?
- What does it look like: username, or DOMAIN\username?
- Is the user that You are typing in Your login screen the same one that You can see in AD? (I don't know, but maybe it's case sensitive also.)
Anyway, could You show the related part of components.xml and the authentication bean?
Regards,
Tamas
-
4. Re: ldap-identity-store with Active Directory
charliebarjel Nov 16, 2009 12:48 AM (in response to charliebarjel)
I'm not quite sure what you mean by your second point:
- What does it look like: username, or DOMAIN\username?
Here is my components.xml. I don't use an authentication bean... just the identity manager.
<security:identity />
<security:identity-manager identity-store="#{ldapIdentityStore}"/>
<security:ldap-identity-store name="ldapIdentityStore"
    server-address="ac3adc01.StateWater.local"
    server-port="389"
    first-name-attribute="givenName"
    last-name-attribute="sn"
    bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
    bind-credentials="LDAP09SW!"
    user-DN-prefix="sAMAccountName="
    user-name-attribute="sAMAccountName"
    user-DN-suffix=",OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"
    user-context-DN="OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"
    role-DN-prefix="distinguishedName="
    role-name-attribute="distinguishedName"
    role-object-classes="group"
    role-DN-suffix=",OU=Groups,OU=Sites,DC=StateWater,DC=local"
    role-context-DN="OU=Groups,OU=Sites,DC=StateWater,DC=local"
    user-role-attribute="memberOf"
    user-object-classes="user"
    role-attribute-is-DN="false"/>
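As an added illustration (not code from this thread or from Seam itself), the Python script below reads the ldap-identity-store attributes from a constructed components.xml fragment modelled on the ones posted in this thread, composes the user DN the same way the store does (user-DN-prefix + username + user-DN-suffix), checks whether that prefix can ever name an AD entry (AD names user objects by CN, which is why the cn variant works), and decodes the "data 525" sub-code of an AD bind diagnostic that Tamas refers to. The namespace URI, host, DNs and password in the sample are assumed placeholders, not the posters' values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the components.xml fragments posted in this thread;
# namespace, host, DNs and the password are placeholders, not the posters' values.
SAMPLE_COMPONENTS_XML = """<components xmlns:security="http://jboss.com/products/seam/security">
  <security:ldap-identity-store name="ldapIdentityStore"
      server-address="dc01.example.local" server-port="389"
      bind-DN="cn=LDAPReadAccount,cn=Users,dc=example,dc=local" bind-credentials="PLACEHOLDER"
      user-DN-prefix="sAMAccountName=" user-name-attribute="sAMAccountName"
      user-DN-suffix=",OU=Staff,DC=example,DC=local" user-context-DN="OU=Staff,DC=example,DC=local"
      user-object-classes="user" user-role-attribute="memberOf"/>
</components>"""

# "data" sub-codes AD returns in a failed simple-bind diagnostic; 525 is the one cited in the thread.
AD_BIND_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to log on at this time", "532": "password expired",
    "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def load_ldap_store(xml_text):
    """Return the attribute map of the first ldap-identity-store element (namespace-agnostic)."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "ldap-identity-store":
            return dict(el.attrib)
    raise ValueError("no ldap-identity-store element found")

def user_bind_dn(cfg, username):
    """The DN Seam composes for the user bind: user-DN-prefix + username + user-DN-suffix."""
    return cfg["user-DN-prefix"] + username + cfg["user-DN-suffix"]

def dn_prefix_is_ad_rdn(cfg):
    """AD names user entries by CN, so only a cn= prefix can produce a DN that actually exists."""
    return cfg["user-DN-prefix"].strip().lower() == "cn="

def explain_ad_bind_error(diagnostic):
    """Translate the 'data NNN' field of an AD AcceptSecurityContext diagnostic into a cause."""
    m = re.search(r"\bdata ([0-9a-f]+)\b", diagnostic)
    if not m:
        return None
    return AD_BIND_DATA_CODES.get(m.group(1), "unrecognised code " + m.group(1))

if __name__ == "__main__":
    cfg = load_ldap_store(SAMPLE_COMPONENTS_XML)
    print(user_bind_dn(cfg, "jdoe"), "- prefix is an AD RDN:", dn_prefix_is_ad_rdn(cfg))
    print(explain_ad_bind_error("80090308: LdapErr: DSID-0C0903A9, comment: "
                                "AcceptSecurityContext error, data 525, v1db1"))
```

A DN that fails this RDN check will not be found by a direct bind; the user has to be located by a search on user-name-attribute under user-context-DN first, and then the returned DN used for the bind.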
-
5. Re: ldap-identity-store with Active Directory
stephen.masters Mar 22, 2013 12:54 PM (in response to charliebarjel)
FWIW, being a few years too late to be useful to the original poster, my own solution to the out-of-the-box LDAP identity store not working for Active Directory was to write my own AD Identity Store. Anybody who comes across this thread whilst facing a similar issue can find it here.