[GeoNetwork-devel] LDAP authentication and Active Directory

Hi,

I have sorted my issues with AD and the LDAP authentication. I had to make changes to the config-security-ldap.xml file. The main issue for us is that the username is not stored in a User’s DN. It must be retrieved from the sAMAccountName attribute in the User's AD object. To do this you can still use the BindAuthenticator bean, but instead of setting the userDnPatterns property, you initialise the userSearch property with a FilterBasedLdapUserSearch bean.

<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">

The first constructor arg for the FilterBasedLdapUserSearch bean must take into account what you have set for the ldap.base.dn property. The search is performed from that base, so don’t include the base value. So in the above config the base was set to dc=myorg,dc=org,dc=au, so the search will be from CN=Users,dc=myorg,dc=org,dc=au.

It’s worth noting that Spring has a bean specifically for AD authentication.

<bean id="adAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">

I ran into another issue with Oracle and the saving of the user into the GeoNetwork database after successful authentication.

java.sql.SQLIntegrityConstraintViolationException: ORA-01400: cannot insert NULL into ("MEST_TESTER_2"."USERS"."PASSWORD")

caused by insert statement at org.fao.geonet.kernel.security.ldap.LDAPUtils.saveUser(LDAPUtils.java:74)

where an empty string is passed as the argument for the password. There is a non-null constraint on this field in the USERS table, and with Oracle anyway the empty string is being converted to NULL.

Cheers

Kevin
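The bean wiring Kevin describes (BindAuthenticator with a userSearch instead of userDnPatterns, search base given relative to ldap.base.dn, sAMAccountName as the login attribute), written out as a complete fragment for config-security-ldap.xml. This is an added example, not the config from Kevin's mail or from the GeoNetwork project; the AD host name, the service-account DN, the ${ldap.bind.password} placeholder and the contextSource/userSearch/bindAuthenticator bean ids are assumptions chosen for illustration. The ActiveDirectoryLdapAuthenticationProvider alternative mentioned above is shown commented out at the end.

```xml
<!-- Example config (not GeoNetwork's own): AD bind authentication via sAMAccountName lookup. -->

<!-- Connection to the domain controller. AD does not permit anonymous searches, so the
     userSearch below must run as a read-only service account; the base DN in the URL is
     what ldap.base.dn stands for, and every search base below is relative to it.
     Use ldaps:// (636) in production so the user's password is not sent in the clear. -->
<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldaps://ad.myorg.org.au:636/dc=myorg,dc=org,dc=au"/>   <!-- assumed host -->
    <property name="userDn" value="CN=geonetwork-svc,CN=Users,dc=myorg,dc=org,dc=au"/> <!-- assumed account -->
    <property name="password" value="${ldap.bind.password}"/>                          <!-- assumed property -->
</bean>

<!-- Resolve the typed login name to a DN. Argument 0 is the search base RELATIVE to the
     context source's base DN (so "CN=Users", not "CN=Users,dc=myorg,dc=org,dc=au");
     argument 1 is the filter, where {0} is replaced by the submitted username. -->
<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="CN=Users"/>
    <constructor-arg index="1" value="(sAMAccountName={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
    <!-- set to true if accounts live in OUs below CN=Users -->
    <property name="searchSubtree" value="false"/>
</bean>

<!-- Bind as the DN found by userSearch, using the password the user submitted.
     No userDnPatterns property: the DN is not derivable from the username on AD. -->
<bean id="bindAuthenticator"
      class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <constructor-arg ref="contextSource"/>
    <property name="userSearch" ref="userSearch"/>
</bean>

<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg ref="bindAuthenticator"/>
    <!-- keep the stock GeoNetwork authorities populator as the second constructor-arg -->
</bean>

<!-- Alternative: Spring's AD-specific provider. It binds directly as user@domain (UPN)
     and then searches for the account itself, so no service account or userSearch is needed.
     Constructor args are (domain, url); only one of the two providers should be active. -->
<!--
<bean id="adAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="myorg.org.au"/>
    <constructor-arg value="ldaps://ad.myorg.org.au:636/"/>
</bean>
-->
```

Two things to check before relying on this: the service account in contextSource only needs read access to the user container (it never needs to reset passwords), and the bind for the end user should go over TLS, since a plain ldap:// bind ships the AD password in clear text to the domain controller.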

From: Kevin Gunn
Sent: Wednesday, 9 October 2013 4:14 PM
To: geonetwork-devel@anonymised.com.sourceforge.net
Subject: LDAP authentication and Active Directory

Hi,

Having some issues using the LDAP authentication with Active Directory. I think it’s due to case sensitivity, as it appears that even though I configure with case, the logs are showing lower-case versions of those configuration parameters.

Has anyone got the LDAP authentication working with Active Directory where your DNs have upper-case characters?

Cheers

Kevin


The information contained within this transmission is for the use of the intended recipient only and may contain confidential and/or legally privileged material and/or material the subject of copyright and/or personal information and/or sensitive information that is subject to the Privacy Act 1988. Any review, re-transmission, disclosure, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you have received this email in error please notify the AIMS Privacy Officer on (07) 4753 4444 and delete all copies of this transmission together with any attachments.