Grails Spring Security & LDAP Auth Failure

mwilliamson

New member
Hi All,

ISSUE: Grails ADMIN logs in via LDAP but no other account does.

I have created a simple grails default application, installed the latest grails spring security and ldap plugins. I then followed the following tutorial to configure the spring security setup. Tutorial located at http://blog.springsource.com/2010/08/11/simplified-spring-security-with-grails/

Anyway, got spring security working fairly fast; next step was setting up LDAP to use the anonymousAuthenticationProvider so my grails app would log in without checking its own DB for passwords, only LDAP. I am using Windows Active Directory. Anyway, followed this configuration setup http://grails-plugins.github.io/grails-spring-security-ldap/docs/manual/guide/2. Usage.html . All seems to start fine, except the only user that seems to log in correctly is admin; no other user works. I get a "cannot find user with that username / password" error. I have added error, warn and info log output for spring security, but it does not seem to give much info at all except for the admin account, which actually works. I verified it works as I gave the spring security DB password a different password to the LDAP password, and once LDAP was configured the only password that worked for the admin was the LDAP one. Unfortunately no other users worked though.

Here is my grails config:

Code:
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'org.example.SecUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'org.example.SecUserSecRole'
grails.plugins.springsecurity.authority.className = 'org.example.SecRole'

// LDAP context (manager account used for the user search)
grails.plugins.springsecurity.ldap.context.managerDn = 'CN=admin,OU=people,OU=imApp,DC=example,DC=org'
grails.plugins.springsecurity.ldap.context.managerPassword = 'password'
grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:55000/'
grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
grails.plugins.springsecurity.ldap.search.base = 'OU=people,OU=imApp,DC=example,DC=org'
grails.plugins.springsecurity.ldap.search.filter = 'uid={0}'  // AD uses sAMAccountName instead of uid
grails.plugins.springsecurity.ldap.search.searchSubtree = true
grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
grails.plugins.springsecurity.ldap.search.derefLink = true
// specify this when you want to skip attempting to load from db and only use LDAP
grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider']
// note: the two keys below carry a 'conf.' segment that the other ldap.* keys above do not
grails.plugins.springsecurity.conf.ldap.authorities.retrieveGroupRoles = false
grails.plugins.springsecurity.conf.ldap.authorities.retrieveDatabaseRoles = false
//grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups,ou=imApp,dc=mcommunity,dc=org'
// role specific ldap config
grails.plugins.springsecurity.ldap.useRememberMe = false



I have tried a few variations of this config. For example, it says Active Dir requires sAMAccountName as the search.filter, but when I use this no accounts work; if I comment it out completely it works as already mentioned: admin logs in but no other account does. If I remove the springsecurity.providerNames the app starts but uses the DB as password auth provider. I came across some blogs that mentioned removing the password from the model class and DB, or making it nullable, which I tried but it had no effect on the outcome.

My Active Dir structure is as follows:
Code:
DC=example,dc=org
    OU=imApp
        OU=groups
        OU=people
            CN=admin   user   CN=admin,OU=people,OU=imApp,DC=example,DC=org
            CN=user1   user   CN=user1,OU=people,OU=imApp,DC=example,DC=org
    CN=LostAndFound
    CN=NTDS Quotas
    CN=Roles


I have given each account an LDAP password, and added a parameter uid matching that of their username (CN). I have not used a custom UserDetailsContextMapper, just the default. However, I did try a custom UserDetailsContextMapper and just came across the same issue, so reverted back to using just the standard one.

Has anyone come across this issue or know where I may be going wrong? Any help appreciated.

Best,
mwilliamson

mwilliamson

New member
Based on some advice, I have added in these config params now also:

Code:
grails.plugins.springsecurity.ldap.authorities.groupSearchBase ='DC=example,dc=org'
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'

It now gets a bit further and I can see in the logs that it is attempting to log in. However, still only the admin account works and no other user accounts. Any advice?

Code:
Processing authentication request for user: user1
Searching for user 'user1', with user search [ searchFilter: 'uid={0}', searchBase: 'OU=people,OU=imApp,DC=example,DC=org', scope: subtree, searchTimeLimit: 0, derefLinkFlag: true ]
Searching for entry under DN '', base = 'ou=people,ou=imApp,dc=example,dc=org', filter = 'uid={0}'
Found DN: cn=user1,ou=people,ou=imApp,dc=example,dc=org
Attempting to bind as cn=user1,ou=people,ou=imApp,dc=example,dc=org
Removing pooling flag for user cn=user1,ou=people,ou=imApp,dc=example,dc=org
Retrieving attributes
login attempt was unsuccessful
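A way to reproduce the plugin's search-then-bind flow outside Grails, added here as an example and not the poster's code: the helpers build the `{0}` filter with the same escaping the plugin applies and decode the `data NNN` codes Active Directory returns on a failed bind, so a "login attempt was unsuccessful" for user1 can be narrowed to a wrong password, a disabled account, or a must-change-password flag. `search_then_bind` assumes the `ldap3` package and a reachable server (both assumptions).

```python
import re

# Well-known Active Directory bind-failure codes, found in the
# "AcceptSecurityContext error, data <code>" diagnostic message.
AD_BIND_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before first logon",
    "775": "account locked out",
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search_filter(template, username):
    """Substitute the login name into 'uid={0}' / 'sAMAccountName={0}'."""
    return template.replace("{0}", escape_filter_value(username))

def explain_ad_bind_error(diagnostic):
    """Map the 'data NNN' code in an AD bind error to its meaning."""
    m = re.search(r"data\s+([0-9a-fA-F]{3})", diagnostic)
    if not m:
        return "no AD data code in message"
    return AD_BIND_CODES.get(m.group(1).lower(), "unknown code " + m.group(1))

def search_then_bind(server, manager_dn, manager_pw, base, template, username, password):
    """Bind as the manager, search for the user, then bind as the DN found.
    Mirrors the plugin's flow; needs ldap3 and a live server (assumption)."""
    import ldap3  # imported lazily so the helpers above work without it
    srv = ldap3.Server(server)
    with ldap3.Connection(srv, manager_dn, manager_pw, auto_bind=True) as mgr:
        mgr.search(base, "(%s)" % build_search_filter(template, username), attributes=["cn"])
        if not mgr.entries:
            return "user not found by search"
        user_dn = mgr.entries[0].entry_dn
    user_conn = ldap3.Connection(srv, user_dn, password)
    if user_conn.bind():
        user_conn.unbind()
        return "bind ok as " + user_dn
    return "bind failed as %s: %s" % (user_dn, explain_ad_bind_error(str(user_conn.result)))

if __name__ == "__main__":  # constructed sample values matching the config above
    print(build_search_filter("sAMAccountName={0}", "user1"))
    print(explain_ad_bind_error("AcceptSecurityContext error, data 773, v1db1"))
```

Running `search_then_bind` with the manager DN, base and filter from the config and user1's credentials tells you whether the LDAP side accepts that bind at all, independent of Grails.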