I'm still learning LDAP / Active Directory, so correct me if my terminology is wrong at all :)
In our Java web application, I'm trying to secure it with Spring Security LDAP. I managed to get Spring Security working with in-memory authentication, but we need to tie it to our AD server.
I'm going to mask our actual domain with com.test.
Here is the error I receive when I try to log in from my application:
13:39:55,701 ERROR ActiveDirectoryLdapAuthenticationProvider:133 - Failed to locate directory entry for authenticated user: johnsmit javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=ad,DC=test,DC=com'
I am using class-based configuration with Spring. Here is my SecurityConfiguration class:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Domain used to build the bind principal (username@ad.test.com), and the
        // server URL whose DN part becomes the search base for the user entry.
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(
                "ad.test.com", "ldap://servername.ad.test.com:389/cn=Users,dc=ad,dc=test,dc=com");
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin().failureUrl("/login?error")
                .loginPage("/login")
                .permitAll()
                .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
                .permitAll()
                .and()
            .httpBasic();
    }
}
So here is the issue (at least I think)... In our AD server we have our cn, name, sAMAccountName and uid as the username that we log in with (johnsmit in my example above).
Our userPrincipalName (in our AD server) is our email address, so [email protected].
I was looking at the ActiveDirectoryLdapAuthenticationProvider class and it says it uses the userPrincipalName. Looking at the code here on GitHub, it shows that it is using userPrincipalName. I checked the newer versions of Spring Security, which are not General Availability yet, but it was the same thing.
There must be some way that I can search AD with the username "johnsmit" instead of "[email protected]"...
If the searchFilter was
String searchFilter = "(&(objectClass=user)(sAMAccountName={0}))";
that would be the ideal situation, but I don't know if it is possible to override that anywhere, and I can't find any documentation?
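As an added example (not part of the question, and assuming Spring Security 4.1 or later, where ActiveDirectoryLdapAuthenticationProvider gained setSearchFilter(String)), this configures the provider to look the user up by sAMAccountName after the bind. In that version the filter placeholders are {0} for the bind principal the provider builds (username@domain) and {1} for the username exactly as typed; the class name AdSearchFilterConfig is my own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdSearchFilterConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        // Same domain and URL as the question; the DN part of the URL is the search base.
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(
                "ad.test.com", "ldap://servername.ad.test.com:389/cn=Users,dc=ad,dc=test,dc=com");

        // Default filter when nothing is set: (&(objectClass=user)(userPrincipalName={0}))
        // {0} = bind principal built as username@ad.test.com, which only matches when the
        //       stored userPrincipalName is exactly that value.
        // {1} = username as entered in the login form, which is what sAMAccountName holds.
        // Keep the placeholder rather than concatenating the username into the string:
        // the provider escapes the substituted value, so the filter cannot be altered by
        // special characters in the login name.
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={1}))");

        // Map AD sub-error codes (for example 52e = bad password, 775 = account locked)
        // to distinct exceptions so failures can be told apart in logs.
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }
}
```

The bind step is unchanged: the provider still authenticates as johnsmit@ad.test.com, and only the follow-up search for the user's directory entry now keys on sAMAccountName.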