5 Replies Latest reply on Mar 22, 2013 12:54 PM by stephen.masters

    ldap-identity-store with Active Directory

      Hi,


      I am trying to use ldap-identity-store with active directory.
      I have come across a problem which seems to be very common with active directory.
      I cannot authenticate users using the sAMAccountName attribute as the user-DN-prefix, which holds the users' usernames.


      I get the following error:


      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece


      If I try to authenticate using 'cn' and provide the users full first and last name, then that works correctly.


      How do I configure ldap-identity-store to work using sAMAccountName in Active Directory?


        • 1. Re: ldap-identity-store with Active Directory
          tmalatinszki

          Hi Charlie,


          I'm using sAMAccountName based AD authentication also, here's my configuration in components.xml:


          <security:ldap-identity-store name="ldapIdentityStore"
            server-address="server.ad.myworld.com"
            server-port="389"
            first-name-attribute="givenName"
            last-name-attribute="sn"
            bind-DN="CN=SERVICEUSER,OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
            bind-credentials="SERVICEUSERPASSWORD"
            user-DN-prefix="sAMAccountName="
            user-name-attribute="sAMAccountName"
            user-DN-suffix=",OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
            user-context-DN="OU=Users,DC=server,DC=ad,DC=myworld,DC=com"
            role-DN-prefix="distinguishedName="
            role-name-attribute="distinguishedName"
            role-object-classes="group"
            role-DN-suffix=",OU=Groups,DC=server,DC=ad,DC=myworld,DC=com"
            role-context-DN="OU=Groups,DC=server,DC=ad,DC=myworld,DC=com"
            user-role-attribute="memberOf"
            user-object-classes="user" 
            role-attribute-is-DN="false"/>
          
          <security:identity-manager name="identityManager" identity-store="#{ldapIdentityStore}"/>



          Regards,


          Tamas


          • 2. Re: ldap-identity-store with Active Directory

            Hi Tamas,


            Thanks for your help.
            But sadly even your config doesn't work for me.
            Not sure what the problem is...not sure where to look anymore.


            Could it be an Active Directory setting? Is there a setting which prevents binding with a user's sAMAccountName?


            • 3. Re: ldap-identity-store with Active Directory
              tmalatinszki

              I don't think that depends on any kind of AD setting (as you said, it works fine with cn). According to the error message (525 means user not found), there are a few things you should check:



              • Is sAMAccountName set correctly in the AD entry for your user?

              • What does it look like: username, or DOMAIN\username?

              • Is the user that you are typing in your login screen the same as the one you can see in AD? (I don't know, but maybe it's case sensitive as well.)



              Anyway, could you show the related part of components.xml and the authentication bean?


              Regards,


              Tamas
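              Added example (editor's code, not from the thread, from Seam or from the gist linked later): a small Python model of the diagnosis Tamas describes. It decodes the "data NNN" sub-code in the AD error-49 message (525 is "user not found"; the other sub-codes are AD's documented AcceptSecurityContext values), and contrasts two ways of authenticating: binding directly as the DN that ldap-identity-store assembles from user-DN-prefix + username + user-DN-suffix, versus search-then-bind, where the service account first resolves the sAMAccountName to the account's real CN-based DN and the user's password is then checked by binding as that DN. The search filter is RFC 4515-escaped so a username cannot rewrite it. The directory, the account "cexample" and its password are constructed stand-ins for the OP's AD; the stand-in reproduces the behaviour the OP reports (the assembled sAMAccountName=... DN fails with data 525), not AD's full bind semantics.

```python
"""Added example, not code from the thread or from Seam's ldap-identity-store.
Decodes AD error-49 'data' sub-codes and shows search-then-bind against a
constructed in-memory stand-in for the Active Directory server in the thread."""
import re

# Sub-codes AD reports after 'data ' in an AcceptSecurityContext error.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)")


def decode_ad_bind_error(message):
    """Map the 'data' sub-code in an AD error-49 message to its meaning."""
    m = _DATA_RE.search(message)
    return AD_BIND_SUBCODES.get(m.group(1).lower(), "unknown") if m else "unknown"


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(username):
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def composed_dn(username, prefix="sAMAccountName=",
                suffix=",OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"):
    """The DN that user-DN-prefix + username + user-DN-suffix assembles (OP's settings)."""
    return prefix + username + suffix


# Constructed stand-in for AD: real DN -> attributes. Hypothetical account.
FAKE_AD = {
    "CN=Charlie Example,OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local": {
        "sAMAccountName": "cexample",
        "userPassword": "s3cret",
    },
}
_ERR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
        "AcceptSecurityContext error, data %s, vece]")


def fake_bind(dn, password):
    """Stand-in bind: unknown DN -> data 525, wrong password -> data 52e."""
    entry = FAKE_AD.get(dn)
    if entry is None:
        raise RuntimeError(_ERR % "525")
    if entry["userPassword"] != password:
        raise RuntimeError(_ERR % "52e")
    return True


def fake_search(filter_str):
    """Stand-in search: DNs whose sAMAccountName matches the filter. The stub
    compares against the canonical escaped filter for each entry, which is
    what a server that parses the filter correctly would match."""
    return [dn for dn, attrs in FAKE_AD.items()
            if filter_str == user_search_filter(attrs["sAMAccountName"])]


def authenticate(username, password):
    """Search-then-bind. Returns (True, dn) on success or (False, reason)."""
    dns = fake_search(user_search_filter(username))
    if len(dns) != 1:          # zero or ambiguous matches: refuse to bind
        return False, "user not found"
    try:
        fake_bind(dns[0], password)
    except RuntimeError as e:
        return False, decode_ad_bind_error(str(e))
    return True, dns[0]


def composed_dn_bind_result(username, password):
    """What the prefix/suffix configuration does: bind as the assembled DN
    directly. Returns the decoded failure, or 'ok'."""
    try:
        fake_bind(composed_dn(username), password)
    except RuntimeError as e:
        return decode_ad_bind_error(str(e))
    return "ok"


if __name__ == "__main__":
    print(composed_dn_bind_result("cexample", "s3cret"))
    print(authenticate("cexample", "s3cret"))
    print(authenticate("a)(objectClass=*", "x"))
```

              With the correct username and password, the assembled-DN bind still comes back as "user not found", which is the OP's symptom, while search-then-bind succeeds; a wrong password is reported as "invalid credentials" (52e) rather than 525, which is the distinction Tamas is drawing. Refusing to bind when the search returns zero or several entries keeps a duplicated or injected username from authenticating as a different object.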




              • 4. Re: ldap-identity-store with Active Directory

                I'm not quite sure what you mean by your second point:





                • What does it look like: username, or DOMAIN\username?



                Here is my components.xml. I don't use an authentication bean...just the identity manager.





                   <security:identity />
                
                   <security:identity-manager identity-store="#{ldapIdentityStore}"/>
                        
                   <security:ldap-identity-store name="ldapIdentityStore"
                     server-address="ac3adc01.StateWater.local"
                     server-port="389"
                     first-name-attribute="givenName"
                     last-name-attribute="sn"
                     bind-DN="cn=LDAPReadAccount,cn=Users,dc=StateWater,dc=local"
                     bind-credentials="LDAP09SW!"
                     user-DN-prefix="sAMAccountName="
                     user-name-attribute="sAMAccountName"
                     user-DN-suffix=",OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"
                     user-context-DN="OU=Parramatta,OU=Offices,OU=Sites,DC=StateWater,DC=local"
                     role-DN-prefix="distinguishedName="
                     role-name-attribute="distinguishedName"
                     role-object-classes="group"
                     role-DN-suffix=",OU=Groups,OU=Sites,DC=StateWater,DC=local"
                     role-context-DN="OU=Groups,OU=Sites,DC=StateWater,DC=local"
                     user-role-attribute="memberOf"
                     user-object-classes="user" 
                     role-attribute-is-DN="false"/>




                         

                • 5. Re: ldap-identity-store with Active Directory
                  stephen.masters

                  FWIW, being a few years too late to be useful to the original poster, my own solution to the out-of-the-box LDAP identity store not working for Active Directory was to write my own AD Identity Store. Anybody who comes across this thread, whilst facing a similar issue can find it here.

                   

                  https://gist.github.com/gratiartis/4545962