Question: Ldap user authorization failed - Unhandled Spring authentication "Access is denied"
We have REST services that we want to authenticate against LDAP.
The REST services without the LDAP security work fine as expected.
The REST services are running on a PAS instance (Progress Technology).
We use the form login; I fill in our credentials and when I push the login button I get the error message. Reading the log file, I can see that the login to the LDAP server is fine, but when it tries to authenticate the user I get an exception.
We use tomcat version 8.5.23
EDIT 16/01/2018 09:24:
I have updated the whole question with the latest information.
If I set this grouprole attribute to cn:
ldap.grouprole.attribute=cn
I see in the logging that we get further, but now we get another error.
Error Message:
Access is denied - 403 status code
Previous error message without ldap grouprole attribute set (for further readers):
java.lang.IllegalArgumentException: Name must not be empty => initial error message
Logging Messages:
The oepas1.DATE.log shows the following:
09:04:40.550/20215 [catalina-exec-5] DEBUG o.s.l.c.s.AbstractContextSource - Got Ldap context on server 'our internal ip'
09:04:40.553/20218 [catalina-exec-5] DEBUG o.s.s.l.u.DefaultLdapAuthoritiesPopulator - Roles from search: [Makelaars]
09:04:40.560/20225 [catalina-exec-5] WARN c.p.a.s.s.OEAuthenticationLogger - Unhandled Spring authentication event: org.springframework.security.web.authentication.session.SessionFixationProtectionEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@5d0c4105: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@aa53233b: Dn: cn=Test C&C,ou=Users,ou=Domain BPB,dc=bpb,dc=be; Username: tc; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_MAKELAARS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 991C2EE38AA27E364FFB812CD6BFC9ABDD85795BF2F8.oepas1; Granted Authorities: ROLE_MAKELAARS]
My Configuration: (oeablSecurity.properties in the WEB-INF folder)
http.all.authmanager=ldap
client.login.model=form
ldap.url="internal ldap url"
ldap.manager-dn=cn=Ad Reader,ou=Special Users,ou=Domain BPB,dc=bpb,dc=be
ldap.manager-password=topsecret
ldap.root.dn=
ldap.grouprole.attribute= tc
ldap.groupsearch.filter=(member={0})
ldap.groupsearch.base=cn=Makelaars,ou=Groups,ou=Domain BPB,dc=bpb,dc=be
ldap.usersearch.base=ou=Users,ou=Domain BPB,dc=bpb,dc=be
ldap.usersearch.filter=(sAMAccountName={0})
Expected solution:
I expect that the user is correctly authenticated after I push the login button and that I see the response JSON from the REST service (after authenticating with LDAP).
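Added example (not code from the question, PAS or Spring): a small Python model of the two steps visible in the log above, the group search that Spring's DefaultLdapAuthoritiesPopulator turns into granted authorities (attribute named by ldap.grouprole.attribute, upper-cased, prefixed with ROLE_), and the hasAnyRole() intercept rule that then answers 200 or 403. The directory entries are constructed from the DNs in the log; the rule names passed to authorize() are illustrative. The check it demonstrates: the role printed under "Granted Authorities" in the log must match, case-sensitively, a role named in the URL intercept rule, because Spring compares authority strings exactly.

```python
# Added illustration of Spring Security LDAP role derivation and authorization.
# Not code from the original post, from PAS, or from Spring.

ROLE_PREFIX = "ROLE_"          # Spring default rolePrefix
CONVERT_TO_UPPER_CASE = True   # Spring default convertToUpperCase

# Constructed directory: one group and one user, shaped like the DNs in the log.
DIRECTORY = {
    "cn=Makelaars,ou=Groups,ou=Domain BPB,dc=bpb,dc=be": {
        "cn": ["Makelaars"],
        "member": ["cn=Test C&C,ou=Users,ou=Domain BPB,dc=bpb,dc=be"],
    },
    "cn=Test C&C,ou=Users,ou=Domain BPB,dc=bpb,dc=be": {
        "cn": ["Test C&C"],
        "sAMAccountName": ["tc"],
    },
}

USER_SEARCH_BASE = "ou=Users,ou=Domain BPB,dc=bpb,dc=be"
GROUP_SEARCH_BASE = "cn=Makelaars,ou=Groups,ou=Domain BPB,dc=bpb,dc=be"


def _under_base(dn, base):
    """True if dn equals base or sits beneath it (DNs compare case-insensitively)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def find_user_dn(login, base=USER_SEARCH_BASE):
    """ldap.usersearch.filter=(sAMAccountName={0}) under ldap.usersearch.base."""
    for dn, attrs in DIRECTORY.items():
        if _under_base(dn, base) and login in attrs.get("sAMAccountName", []):
            return dn
    raise LookupError(f"no user with sAMAccountName={login!r}")


def group_search(user_dn, base=GROUP_SEARCH_BASE):
    """ldap.groupsearch.filter=(member={0}) under ldap.groupsearch.base."""
    return [attrs for dn, attrs in DIRECTORY.items()
            if _under_base(dn, base) and user_dn in attrs.get("member", [])]


def granted_authorities(login, grouprole_attribute):
    """Model of DefaultLdapAuthoritiesPopulator: one authority per group found.

    grouprole_attribute must name an attribute of the *group* entry (cn by
    default). A value that is not on the group entry, such as a user's login
    name, yields no role name; this model raises in that case. The question's
    first error ("Name must not be empty") is of that kind, but the exact Spring
    call that raised it is not reproduced here.
    """
    user_dn = find_user_dn(login)
    roles = set()
    for group in group_search(user_dn):
        names = group.get(grouprole_attribute, [])
        if not names:
            raise ValueError(f"group entry has no {grouprole_attribute!r} "
                             "attribute: role name must not be empty")
        for name in names:
            if CONVERT_TO_UPPER_CASE:
                name = name.upper()
            roles.add(ROLE_PREFIX + name)
    return roles


def grouprole_lookup_fails(login, grouprole_attribute):
    """Helper for callers that want a boolean instead of an exception."""
    try:
        granted_authorities(login, grouprole_attribute)
    except ValueError:
        return True
    return False


def authorize(authorities, any_of_roles):
    """Model of an intercept-url rule hasAnyRole('A','B'): returns 200 or 403.

    hasAnyRole adds the ROLE_ prefix itself, then compares strings exactly, so
    the rule must use the same case as the authority derived above.
    """
    required = {ROLE_PREFIX + r for r in any_of_roles}
    return 200 if authorities & required else 403


if __name__ == "__main__":
    auths = granted_authorities("tc", "cn")
    print("granted:", auths)                                        # {'ROLE_MAKELAARS'}
    print("hasAnyRole('MAKELAARS'):", authorize(auths, ["MAKELAARS"]))  # 200
    print("hasAnyRole('Makelaars'):", authorize(auths, ["Makelaars"]))  # 403, case mismatch
    print("hasAnyRole('Admins')   :", authorize(auths, ["Admins"]))     # 403, role not granted
    print("grouprole.attribute=tc fails:", grouprole_lookup_fails("tc", "tc"))  # True
```

Usage note: with ldap.grouprole.attribute=cn the model yields ROLE_MAKELAARS, matching the log line "Granted Authorities: ROLE_MAKELAARS". A 403 at that point therefore comes from the authorization rule, not from LDAP: either the rule names a role the user is not in, or it names the group in a different case than the upper-cased authority.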