1
votes

I am trying to integrate Spring Security with LDAP, using Spring Core version 4.0.5, Spring Security version 3.2.2 and Spring LDAP version 1.3.2. Here is my security config XML:

http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/js/**"
        access="true" />
    <security:intercept-url pattern="/css/**"
        access="true" />
    <security:intercept-url pattern="/images/**"
        access="true" />

    <security:intercept-url pattern="/**"
        access="hasRole('ROLE_USER')" />

</security:http>

<security:ldap-server id="ldapServer"
    url="ldap://qadirectory.xxxx.com:389/" />

<security:authentication-manager alias="authenticationManager">

    <security:ldap-authentication-provider
        server-ref="ldapServer" user-dn-pattern="uid={0},ou=people,o=xxxx.com" />

</security:authentication-manager>

Getting the following error while doing authentication through the default Spring login form:

org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
    org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:174)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:305)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:258)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:605)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:523)
    org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:171)
    org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
    org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
    org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
    org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:82)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
root cause

javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
    com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3112)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
    com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
    com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
    com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
    com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
    javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:252)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:292)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:258)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:605)
    org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:523)
    org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:171)
    org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
    org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
    org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
    org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:82)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
    org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
Seems like a problem during group membership resolution. I think that the default configuration of Spring Security LDAP relies on the base DN configuration. That is probably the issue. You might try to specify the group-search-base="ou=groups,o=xxxx.com" attribute in your provider config. - Pavel Horal
Got rid of "LDAP: error code 32". Getting an HTTP 403 access denied error now. Seems <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> is wrong. - user2041648
Fixed. <security:intercept-url pattern="/**" access="isAuthenticated()" /> ...thanks a lot. - user2041648
Added my comment as an actual answer so you can accept it. - Pavel Horal

1 Answers

0
votes

Your exception is thrown when Spring Security LDAP is trying to search for user groups. These groups are searched within the LDAP base DN by default. The base DN is taken from the LDAP URL, for example:

<ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />

In your case you don't specify a base DN. You need to specify the group search base manually:

<security:ldap-authentication-provider server-ref="ldapServer" 
    user-dn-pattern="uid={0},ou=people,o=xxxx.com" 
    group-search-base="ou=groups,o=xxxx.com" />
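To make the mechanism in this answer (and the follow-up 403 in the comments) concrete, here is an added Python simulation. It is not code from the question, the answer, or Spring Security itself. It assumes: a constructed in-memory directory standing in for qadirectory.xxxx.com, with users alice and bob under ou=people,o=xxxx.com and groups under ou=groups,o=xxxx.com; Spring Security's documented defaults for group lookup (filter (member={0}) with {0} = the user's DN, role name taken from cn, prefixed with ROLE_ and upper-cased); and Spring LDAP's rule that search bases are resolved relative to the base DN carried in the server URL. It goes one step beyond the answer by also showing why hasRole('ROLE_USER') yields 403 for a user who belongs to no group named "user", while isAuthenticated() passes.

```python
"""Simulation of Spring Security LDAP group-search base resolution (constructed
example, not Spring's code). Shows why an LDAP URL with no DN makes the group
search run against '' and fail with 'No Such Object; remaining name '''."""
from urllib.parse import urlsplit, unquote

LDAP_NO_SUCH_OBJECT = 32


class NameNotFoundError(Exception):
    """Stand-in for javax.naming.NameNotFoundException (LDAP result code 32)."""

    def __init__(self, remaining_name):
        super().__init__(f"[LDAP: error code {LDAP_NO_SUCH_OBJECT} - No Such Object]; "
                         f"remaining name '{remaining_name}'")
        self.remaining_name = remaining_name


def base_dn_from_url(url):
    """Extract the <dn> component of an LDAP URL (RFC 4516). 'ldap://host:389/'
    carries no DN, so the base is '' and relative searches start at the root."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # The DN is the path minus its leading '/'; urlsplit has already moved any
    # '?attrs?scope?filter' extensions into .query, so they do not leak in.
    return unquote(parts.path.lstrip("/"))


def normalize_dn(dn):
    """Simplified DN matching: lower-case, strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed directory content (DN -> attributes). The root '' is deliberately
# not an entry: a subtree search based there is what produced the error above.
DIRECTORY = {
    "o=xxxx.com": {"objectClass": ["organization"]},
    "ou=people,o=xxxx.com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,o=xxxx.com": {"uid": ["alice"]},
    "uid=bob,ou=people,o=xxxx.com": {"uid": ["bob"]},
    "ou=groups,o=xxxx.com": {"objectClass": ["organizationalUnit"]},
    "cn=user,ou=groups,o=xxxx.com": {
        "cn": ["user"], "member": ["uid=alice,ou=people,o=xxxx.com"]},
    "cn=developers,ou=groups,o=xxxx.com": {
        "cn": ["developers"],
        "member": ["uid=alice,ou=people,o=xxxx.com", "uid=bob,ou=people,o=xxxx.com"]},
}


def subtree_search(base_dn, predicate):
    """Entries at or below base_dn matching predicate; raises the simulated
    error code 32 when base_dn does not name an entry, as the server did."""
    base = normalize_dn(base_dn)
    if base not in DIRECTORY:
        raise NameNotFoundError(base_dn)
    suffix = "," + base
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith(suffix)) and predicate(dn, attrs)]


def effective_group_search_base(server_url, group_search_base=""):
    """The XML namespace defaults group-search-base to '' (search from the
    context source base); whatever is given is relative to the URL's base DN."""
    url_base = base_dn_from_url(server_url)
    return ",".join(part for part in (group_search_base, url_base) if part)


def load_user_authorities(user_dn, server_url, group_search_base=""):
    """Mirror the populator defaults: (member={0}) filter, role from cn,
    ROLE_ prefix, upper-cased. Returns a sorted list of authority names."""
    search_base = effective_group_search_base(server_url, group_search_base)
    member_dn = normalize_dn(user_dn)
    groups = subtree_search(
        search_base,
        lambda dn, attrs: member_dn in [normalize_dn(m) for m in attrs.get("member", [])])
    return sorted("ROLE_" + cn.upper() for _, attrs in groups for cn in attrs.get("cn", []))


def access_decision(authorities, expression):
    """Evaluate the two intercept-url expressions from the thread for an
    already-authenticated user (constructed evaluator, not Spring's SpEL)."""
    if expression == "isAuthenticated()":
        return True
    if expression.startswith("hasRole('") and expression.endswith("')"):
        return expression[9:-2] in authorities
    raise ValueError(f"unsupported expression: {expression}")


if __name__ == "__main__":
    url = "ldap://qadirectory.xxxx.com:389/"   # URL from the question: no base DN
    try:
        load_user_authorities("uid=alice,ou=people,o=xxxx.com", url)
    except NameNotFoundError as exc:
        print("without group-search-base:", exc)
    for uid in ("alice", "bob"):
        roles = load_user_authorities(f"uid={uid},ou=people,o=xxxx.com", url,
                                      "ou=groups,o=xxxx.com")
        print(uid, roles,
              "hasRole('ROLE_USER') ->", access_decision(roles, "hasRole('ROLE_USER')"),
              "isAuthenticated() ->", access_decision(roles, "isAuthenticated()"))
```

Running it reproduces the thread: with the URL from the question and no group-search-base the search base resolves to '' and the lookup fails with remaining name ''; with group-search-base="ou=groups,o=xxxx.com" the lookup succeeds, and a user such as bob, who is only in cn=developers, gets ROLE_DEVELOPERS and is refused by hasRole('ROLE_USER') but admitted by isAuthenticated().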