5 Replies Latest reply on Mar 22, 2013 12:54 PM by Stephen Masters

    ldap-identity-store with Active Directory

    Charlie B Newbie

      Hi,


      I am trying to use ldap-identity-store with active directory.
      I have come across a problem which seems to be very common with active directory.
      I cannot authenticate users with using the sAMAccountName attribute, as the user-DN-prefix, which holds the users usernames.


      I get the following error:


      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece


      If I try to authenticate using 'cn' and provide the users full first and last name, then that works correctly.


      How do I configure ldap-identity-store to work using sAMAccountName in Active Directory?


        • 1. Re: ldap-identity-store with Active Directory
          Tamas Malatinszki Newbie

          Hi Charlie,


          I'm using sAMAccountName based AD authentication also, here's my configuration in components.xml:


          <security:ldap-identity-store name="ldapIdentityStore"
            server-address="server.ad.myworld.com"
            server-port="389"
            first-name-attribute="givenName"
            last-name-attribute="sn"
            bind-DN="CN=SERVICEUSER,OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
            bind-credentials="SERVICEUSERPASSWORD"
            user-DN-prefix="sAMAccountName="
            user-name-attribute="sAMAccountName"
            user-DN-suffix=",OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
            user-context-DN="OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
            role-DN-prefix="distinguishedName="
            role-name-attribute="distinguishedName"
            role-object-classes="group"
            role-DN-suffix=",OU=Groups,DC=server,DC=ad,DC=myworld,DC=com"
            role-context-DN="OU=Groups,DC=server,DC=ad,DC=myworld,DC=com"
            user-role-attribute="memberOf"
            user-object-classes="user" 
            role-attribute-is-DN="false"/>
          
          <security:identity-manager name="identityManager" identity-store="#{ldapIdentityStore}"/>



          Regards,


          Tamas


          • 2. Re: ldap-identity-store with Active Directory
            Charlie B Newbie

            Hi Tamas,


            Thanks for your help.
            But sadly even your config doesn't work for me.
            Not sure what the problem is...not sure where to look anymore.


            Could it be a Active Directoy setting? Is there a setting which prevents binding with a users sAMAccountName?


            • 3. Re: ldap-identity-store with Active Directory
              Tamas Malatinszki Newbie

              I don't think that's depending on any kind of AD settings (as You said it works fine with cn). According to the error message (525 means user not found) there are a few things You should check:



              • Is sAMAccountName set in the AD entry at Your user correctly?

              • How it looks like, username, or DOMAIN\username?

              • The user that You are typing in You login screen is the same that You can see in AD (I don't know, but maybe it's case sensitive also)



              Anyway, could You show the related part of components.xml and the authentication bean?


              Regards,


              Tamas




              • 4. Re: ldap-identity-store with Active Directory
                Charlie B Newbie

                Im not quite sure what you mean by your second point?





                • How it looks like, username, or DOMAIN\username?



                Here is my components.xml. I dont use an authentication bean...just the identity manager.





                   <security:identity />
                
                   <security:identity-manager identity-store="#{ldapIdentityStore}"/>
                        
                   <security:ldap-identity-store name="ldapIdentityStore"
                     server-address="ac3adc01.StateWater.local"
                     server-port="389"
                     first-name-attribute="givenName"
                     last-name-attribute="sn"
                     bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
                     bind-credentials="LDAP09SW!"
                     user-DN-prefix="sAMAccountName="
                     user-name-attribute="sAMAccountName"
                     user-DN-suffix=",OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"
                     user-context-DN="OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"
                     role-DN-prefix="distinguishedName="
                     role-name-attribute="distinguishedName"
                     role-object-classes="group"
                     role-DN-suffix=",OU=Groups,OU=Sites,DC=StateWater,DC=local"
                     role-context-DN="OU=Groups,OU=Sites,DC=StateWater,DC=local"
                     user-role-attribute="memberOf"
                     user-object-classes="user" 
                     role-attribute-is-DN="false"/>




                         

                • 5. Re: ldap-identity-store with Active Directory
                  Stephen Masters Newbie

                  FWIW, being a few years too late to be useful to the original poster, my own solution to the out-of-the-box LDAP identity store not working for Active Directory was to write my own AD Identity Store. Anybody who comes across this thread, whilst facing a similar issue can find it here.

                   

                  https://gist.github.com/gratiartis/4545962