I have the basic 3.2.4 ldap-xml sample downloaded from Spring Security. The only part modified is the application security context XML, which now points to my LDAP server instead of the dummy server.

<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://server:389"/>
    <property name="userDn" value="cn=myUsername"/>
    <property name="password" value="myPassword"/>
</bean>

Now the thing is, no matter what I provide in the userDn value, whether it is "afdjljaf" or "1234244" or even " ", I get the error

"LDAP: error code 49 - 80090308 : LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e".

Using AdFind.exe (http://www.joeware.net/freetools/tools/adfind/usage.htm) with the same userDn (let's assume my userDn is XYZ and the password is passxyz), I am able to log in to the LDAP server using the command

"Adfind.exe -h server:port -u XYZ -up passxyz"

and connect to the LDAP server successfully and browse the directory.

Can someone please tell me the equivalent values for the userDn and password properties that I should put in the security context XML?

2 Answers

1
votes

userDn should look like "cn=myUsername,ou=myDepartment,dc=mydomain,dc=com". Your user name should contain the partition name. Another thing: you can use the Spring Security tags.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:s="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

    <s:ldap-server id="contextSource" url="${ldap.url}" manager-dn="${ldap.userDn}"
                   manager-password="${ldap.password}"/>
</beans>

UPDATE:

Your server URL should contain the partition name too: "ldap://10.0.0.1:389/DC=mycompany,DC=com,DC=tr"

0
votes

Generally speaking, a DN (Distinguished Name) contains the full path of the object within Active Directory.

CN=myUsername is not a valid DN. Firstly, where you put myUsername should actually go the object's name (NOT its sAMAccountName or userPrincipalName, i.e. a username, nor its displayName for that matter), and it should contain the domain name and containers, like this example:

CN=Joe Bloggs,OU=Users,OU=Company,DC=domainname,DC=local

This can be found by viewing the distinguishedName property of an Active Directory object.
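The two answers above say what a usable userDn looks like, and the question shows the error you get when it is not. The following is an added example (my own code, not from the question, either answer, or Spring Security) that does both halves offline: it decodes the "error code 49 ... data 52e" string quoted in the question into the Active Directory sub-code meaning, and it checks the shape of a simple-bind name before it is ever put into the contextSource bean. The sub-code table is the standard AD one, and the classification of "user@domain" and "DOMAIN\user" as alternative simple-bind names is my assumption about AD behaviour, not something the page states.

```python
"""Added example: decode an AD bind failure and sanity-check a userDn.

Neither function talks to a server; the sample error string is the one
quoted in the question, and the DNs in the test are constructed.
"""
import re

# Sub-codes AD puts in the "data NNN" field of an error-49 (invalidCredentials)
# bind failure. Standard AD table; not quoted on the page.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a bind name AD cannot resolve)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# "error code 49 - 80090308 : LdapErr: DSID-..., comment: AcceptSecurityContext
# error, data 52e". The 8-hex-digit value is the SSPI status; the field worth
# reading is "data".
AD_ERROR_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<status>[0-9A-Fa-f]{8}).*?"
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+)"
)


def decode_ad_bind_error(message):
    """Return (ldap_result_code, data_sub_code, meaning), or None if the
    message is not an AD AcceptSecurityContext error."""
    m = AD_ERROR_RE.search(message)
    if not m:
        return None
    data = m.group("data").lower()
    return (int(m.group("code")), data,
            AD_BIND_DATA_CODES.get(data, "unknown sub-code"))


# One RDN: attribute type, '=', non-empty value.
RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+)$")


def split_dn(dn):
    """Split a DN on unescaped commas into [(type, value), ...].

    Honours the RFC 4514 backslash escape (so 'CN=Bloggs\\, Joe' stays one
    RDN). Returns [] if any component is not 'type=value'.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair intact
            buf.append(ch + dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        m = RDN_RE.match(part)
        if not m or not m.group(2).strip():
            return []
        rdns.append((m.group(1).lower(), m.group(2).strip()))
    return rdns


def classify_bind_name(name):
    """Classify a simple-bind name the way AD is assumed to interpret it:
    'upn' (user@domain), 'netbios' (DOMAIN\\user), 'dn' (full DN with a dc=
    partition), 'incomplete-dn' (RDNs but no dc=, e.g. 'cn=myUsername'),
    or 'invalid' (not a DN at all, e.g. 'XYZ', '', ' ')."""
    if "=" not in name and "@" in name:
        return "upn"
    if "=" not in name and "\\" in name:
        return "netbios"
    rdns = split_dn(name)
    if not rdns:
        return "invalid"
    if "dc" not in {rdn_type for rdn_type, _ in rdns}:
        return "incomplete-dn"
    return "dn"


# The error string from the question, copied verbatim.
SAMPLE_ERROR = ("LDAP: error code 49 - 80090308 : LdapErr: DSID-0C0903A9, "
                "comment: AcceptSecurityContext error, data 52e")

if __name__ == "__main__":
    print(decode_ad_bind_error(SAMPLE_ERROR))
    for candidate in ("cn=myUsername", "XYZ", " ",
                      "cn=myUsername,ou=myDepartment,dc=mydomain,dc=com"):
        print(repr(candidate), "->", classify_bind_name(candidate))
```

Run it before touching the bean: every value the question tried ("afdjljaf", "1234244", " ") classifies as invalid or incomplete-dn, which is exactly why AD answers 52e for all of them, and the form the first answer gives classifies as dn. If you would rather not hard-code a service account's full DN, the upn form is the one to try with DefaultSpringSecurityContextSource, but confirm against your own domain controller, since the page does not cover it.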