Hi Bryce,
I did some tests with ldapsearch and it proved very useful. Thank you for the tip.
It turns out that we use a Microsoft Active Directory and the LDAP search did not search subtrees. I modified the function findUserDN in LDAPUtil.java by adding subtree searches as follows:
...
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
...
public static String findUserDN(String url, String uidFilter, String userDN) throws NamingException
{
    try
    {
        Hashtable<String,String> env = new Hashtable<String,String>();
        // Set the referral property to "follow" referrals automatically
        // (AD returns continuation references during a subtree search)
        env.put(Context.REFERRAL, "follow");
        DirContext dc = new InitialDirContext(env);
        DirContext connection = (DirContext) dc.lookup(url);
        // Set the controls for performing a subtree search
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NamingEnumeration<SearchResult> results = connection.search(userDN, uidFilter, ctls);
...
...
And now it works perfectly!
Thank you for your help,
James
On Wednesday, 27 March 2013 at 16:37 -0600, Bryce L Nordgren wrote:
Two questions:
1] Is your AD set up to allow anonymous bind? (and the follow-up: are you sure the bind credentials are right?)
2] What happens when you try to use ldapsearch on the command line?
Typically what happens is that the application (geonetwork) connects with some known "bind credentials" to search through the directory for the person's account. If the account is found, it then tries to rebind against the user's directory entry with the supplied password.
Bryce
On Wed, Mar 27, 2013 at 3:00 PM, <James_Caveen@...1225...> wrote:
Hi all,
I have been trying for over a week now to configure my Geonetwork 2.6.4 to authenticate with our Windows AD using LDAP.
I've tried to deploy Geonetwork with various versions of Tomcat and Java (and with Jetty as well) and all attempts fail. In fact, everything works perfectly except for LDAP authentication.
As a test, I have installed jxplorer to validate my users' DNs so I am sure I have the right syntax for the DN. The problem is that even jxplorer cannot log in to our AD with a proper DN and password!
I keep getting the following message with geonetwork as well as with jxplorer:
WARN [geonetwork.ldap] - Unprocessed Continuation Reference(s)
2013-03-27 11:30:59,338 INFO [geonetwork.ldap] - Opening LDAP context on :ldap://suppressed:389
2013-03-27 11:30:59,340 WARN [geonetwork.ldap] - Cannot open context on : ldap://suppressed:389
2013-03-27 11:30:59,340 WARN [geonetwork.ldap] - (C) Reason : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-03-27 11:30:59,340 WARN [geonetwork.ldap] - Raised exception during LDAP access
2013-03-27 11:30:59,340 WARN [geonetwork.ldap] - (C) Message :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-03-27 11:30:59,341 ERROR [jeeves.service] - Exception when executing service
2013-03-27 11:30:59,341 ERROR [jeeves.service] - (C) Exc : UserLoginEx : User login failed
2013-03-27 11:30:59,341 DEBUG [jeeves.service] - Raised exception while executing service
Obviously something is missing in the configuration of my server (java or whatever) but I don't have a clue as to where to look.
Any help would be greatly appreciated.
Regards,
james
--
James Caveen
Service des technologies de l'information
ISMER/Université du Québec à Rimouski
310 Allée des Ursulines
Rimouski Qc G5L 3A1
e-mail: james_caveen@...1225...
Tel.: (418) 723-1986 ext. 1295
Fax: (418) 724-1842
For requests concerning the compute servers: admin_calcul@...1225...
_______________________________________________
GeoNetwork-users mailing list
GeoNetwork-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
--
James Caveen
IT Analyst
Service des technologies de l'information
Office O-242 (ISMER)
Université du Québec à Rimouski
Tel.: (418) 723-1986 ext. 1295
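As an added example, not code from this thread or from GeoNetwork itself, the search-then-rebind flow Bryce describes, with the subtree scope and referral setting James added, written out end to end with plain JNDI. The server URL, service-account DN, search base and the sAMAccountName filter are assumptions for illustration; the bind password is read from an environment variable so it is not hard-coded. It also carries the checks a practitioner wants around this flow: the username is escaped before it goes into the filter, an empty password is rejected before it reaches the server (JNDI turns an empty credential into an anonymous bind, which AD accepts, so the rebind would "succeed"), a search that matches more than one entry is treated as an error, and error code 49 is mapped back to the AD sub-code seen in the log (52e is a bad password).

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdLogin {
    // Hypothetical values: replace with your own domain controller, service account and base DN.
    static final String URL = "ldap://dc1.example.org:389";
    static final String BIND_DN = "CN=geonetwork-svc,OU=Service Accounts,DC=example,DC=org";
    static final String BIND_PW = System.getenv("GN_LDAP_BIND_PW");
    static final String BASE_DN = "DC=example,DC=org";

    /** Escape a user-supplied value for use inside an LDAP filter (RFC 4515 section 3). */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Open a simple bind as the given DN. */
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // A subtree search from the domain root makes AD return referrals for its other
        // naming contexts; without "follow" (or querying the Global Catalog on port 3268)
        // JNDI raises PartialResultException: Unprocessed Continuation Reference(s).
        env.put(Context.REFERRAL, "follow");
        return new InitialDirContext(env);
    }

    /** Step 1: bind as the service account and locate the user's DN with a SUBTREE search. */
    static String findUserDN(String username) throws NamingException {
        DirContext ctx = bind(BIND_DN, BIND_PW);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {"distinguishedName"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(username) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, ctls);
            if (!results.hasMore()) {
                return null;                       // no such account
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("filter matched more than one entry for " + username);
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Step 2: rebind as the user. Returns true only if AD accepted the password. */
    static boolean authenticate(String username, String password) throws NamingException {
        // An empty credential makes JNDI send an anonymous bind, which AD accepts by default,
        // so an empty password must be refused here rather than sent to the server.
        if (password == null || password.isEmpty()) {
            return false;
        }
        String dn = findUserDN(username);
        if (dn == null) {
            return false;
        }
        try {
            bind(dn, password).close();
            return true;
        } catch (AuthenticationException e) {
            // "error code 49 ... data 52e" is AD's bad-password sub-code; 525 (no such user),
            // 530/531 (logon hours/workstation), 532 (password expired), 533 (disabled),
            // 701 (account expired), 773 (must change password), 775 (locked out) also map to 49.
            System.err.println("bind as " + dn + " rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate(args[0], args[1]) ? "login ok" : "login failed");
    }
}
```

Run as `java AdLogin <username> <password>` with GN_LDAP_BIND_PW set. The distinction between data 525 and data 52e is useful when debugging: 525 means the rebind DN was never found (usually a wrong base DN or a search that was not subtree), 52e means the DN resolved but the password was rejected, which is the case in the log above and is why Bryce's first question was about the bind credentials.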