CopyDisable

Sunday, 6 January 2013

WebPasswordSafe LDAP authentication problem

I faced a problem while configuring LDAP authentication in WebPasswordSafe. My configuration was as follows:

<bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://192.168.20.1:389" />
    <property name="userDn" value="CN=Websafe,OU=IT Infra,OU=L6 Users,DC=mkmumbai,DC=local" />
    <property name="password" value="xxxxxxxx" />
</bean>
<bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <constructor-arg ref="authnContextSource" />
</bean>
<bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
    <property name="ldapTemplate" ref="authnLdapTemplate" />
    <property name="filter" value="(&amp;(objectclass=person)(sAMAccountName=$1))" />
    <property name="base" value="DC=mkmumbai,DC=local" />
</bean>

But login kept failing, and I got the following in the log:

DEBUG [http-80-1]: ldap error authenticating: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=mkmumbai,dc=local'
2013-01-02 12:21:15,106 DEBUG [http-80-1]: LdapAuthenticator: login success for websafe? false


Whereas with the following configuration, LDAP authentication was successful:

<bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://192.168.20.1:389" />
    <property name="userDn" value="CN=Websafe,OU=IT Infra,OU=L6 Users,DC=mkmumbai,DC=local" />
    <property name="password" value="xxxxxxxx" />
</bean>
<bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <constructor-arg ref="authnContextSource" />
</bean>
<bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
    <property name="ldapTemplate" ref="authnLdapTemplate" />
    <property name="filter" value="(&amp;(objectclass=person)(sAMAccountName=$1))" />
    <property name="base" value="OU=IT Infra,OU=L6 Users,DC=mkmumbai,DC=local" />
</bean>


In our Active Directory setup, users are placed in different OUs according to our policy. For the LDAP search, the base therefore has to be DC=mkmumbai,DC=local; otherwise the LDAP search performed during authentication will not succeed. To resolve this issue I used the following LDAP configuration (I added the line <property name="referral" value="follow"/> to the context source), which worked for me:


<bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="referral" value="follow"/>
    <property name="url" value="ldap://192.168.20.1:389" />
    <property name="userDn" value="CN=Websafe,OU=IT Infra,OU=L6 Users,DC=mkmumbai,DC=local" />
    <property name="password" value="xxxxxxxx" />
</bean>
<bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <constructor-arg ref="authnContextSource" />
</bean>
<bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
    <property name="ldapTemplate" ref="authnLdapTemplate" />
    <property name="filter" value="(&amp;(objectclass=person)(sAMAccountName=$1))" />
    <property name="base" value="DC=mkmumbai,DC=local" />
</bean>
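Added example, not from the post or from WebPasswordSafe: a small Python check over Spring bean XML like the snippets above. It flags the combination that produced the PartialResultException (a domain-root search base with no referral setting) and the plain ldap:// bind; the bean classes and the sample XML are taken from the post, the finding codes are names I chose.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
CTX_CLASS = "org.springframework.ldap.core.support.LdapContextSource"
AUTH_CLASS = "net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator"

# Constructed sample: the failing configuration from the post (password redacted as in the post).
FAILING_CONFIG = """<beans>
<bean id="authnContextSource" class="%s">
  <property name="url" value="ldap://192.168.20.1:389" />
  <property name="userDn" value="CN=Websafe,OU=IT Infra,OU=L6 Users,DC=mkmumbai,DC=local" />
  <property name="password" value="xxxxxxxx" />
</bean>
<bean id="ldapAuthenticator" class="%s">
  <property name="base" value="DC=mkmumbai,DC=local" />
</bean>
</beans>""" % (CTX_CLASS, AUTH_CLASS)

# The same configuration with the post's fix applied to the context source.
FIXED_CONFIG = FAILING_CONFIG.replace(
    '<property name="url"', '<property name="referral" value="follow" />\n  <property name="url"', 1)

def bean_props(root, cls):
    """Collect name -> value of the <property> children of the first bean with class cls."""
    for bean in root.iter("bean"):
        if bean.get("class") == cls:
            return {p.get("name"): p.get("value", "") for p in bean.findall("property")}
    return {}

def is_domain_root(dn):
    """True when every RDN is a DC= component, i.e. the base is the naming-context root,
    where AD answers a subtree search with continuation references to other partitions."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]
    return bool(rdns) and all(r.upper().startswith("DC=") for r in rdns)

def check_ldap_config(xml_text):
    """Return finding codes (my own names) for a WebPasswordSafe/Spring LDAP bean definition."""
    root = ET.fromstring(xml_text)
    ctx = bean_props(root, CTX_CLASS)
    auth = bean_props(root, AUTH_CLASS)
    findings = []
    if is_domain_root(auth.get("base", "")) and ctx.get("referral", "").lower() != "follow":
        # The post's failure: JNDI throws PartialResultException "Unprocessed Continuation Reference(s)".
        findings.append("UNPROCESSED_REFERRALS")
    if urlparse(ctx.get("url", "")).scheme == "ldap":
        # Simple bind over ldap:// sends the service-account password in clear, and with
        # referral=follow JNDI rebinds with the same credentials to the host each referral names.
        findings.append("CLEARTEXT_BIND")
    return findings
```

The sample XML is embedded so the check runs offline; pass the text of a real Spring bean file to check_ldap_config to lint it. Following referrals means the client connects to whichever host the directory names, so an ldaps:// URL matters more once referral=follow is set.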

5 comments:

J. Overholt said...

This was extremely helpful, thank you! Could you share the steps you used to create the Websafe Active Directory account? I'm setting this up right now and it works using my domain administrator account but not the unprivileged service account I created for it.

Pranab Sharma said...

Suppose my AD users are in OU=Staff,DC=example,DC=local.
I will create the unprivileged account, say pranabtest (a normal user with no special privilege), under the OU Staff.
So the userDn will be:

<property name="userDn" value="CN=pranabtest,OU=Staff,DC=example,DC=local" />

and the search base will be:

<property name="base" value="OU=Staff,DC=example,DC=local" />

J. Overholt said...

This comment has been removed by the author.

J. Overholt said...

That's what I did the first time but there was apparently some kind of problem. I deleted and recreated the unprivileged account and everything works great now. I'm not sure what the problem was but I'm glad it's fixed. Thanks!

Dennis said...

Thanks For Your Information. We Sphinax Info Systems are one of the leading ERP and SAP software development company in chennai India. We have more than 7+ years of strong experience in ERP Applications Development And SAP based services & support like SAP B1, SAP Hana, SAP R3 etc.. For More Info.. http://sphinaxinfosystems.com/
