Search code examples
active-directoryjasperserver

JasperReports Server 5.2 Active Directory Integration

Apologies for yet another AD integration question :)

I've got a fresh install of JasperReports Server 5.2 on Windows Server 2008 R2 and I'm trying to configure AD authentication but logins always fail.

I've copied the sample applicationContext-externalAuth-LDAP.xml file into the WEB-INF folder and customised it:

    <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value></value></constructor-arg>
                <property name="groupRoleAttribute" value="cn"/>
                <property name="groupSearchFilter" value="((member={0})(objectClass=group))"/>
                <property name="searchSubtree" value="true"/>
                <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
            </bean>
        </constructor-arg>
    </bean>

    <bean id="userSearch"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value></value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>((sAMAccountName={0})(objectClass=user))</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>

    <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
        <constructor-arg value="ldap://hostname:389/dc=domain,dc=local"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn" value="Administrator"/>
        <property name="password" value="password"/>
    </bean>

Actual Hostname, Domain name and Password have been removed in the above, our AD is set up a bit strangely in that users are spread across several OUs so I've left the branch DN properties empty and attempted to limit the search to entries with a certain objectClass (user or group).

I've enabled debug level logging for org.springframework.security and com.jaspersoft.jasperserver.api.security but I'm not getting anything particularly informative in the logs:

    2013-09-03 10:12:32,882 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:252 - Request is to process authentication
    2013-09-03 10:12:32,884 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
    2013-09-03 10:12:32,888 DEBUG FilterBasedLdapUserSearch,http-bio-80-exec-6:109 - Searching for user 'username', with user search [ searchFilter: '((sAMAccountName={0})(objectClass=user))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
    2013-09-03 10:12:32,905 DEBUG SpringSecurityLdapTemplate,http-bio-80-exec-6:197 - Searching for entry in under DN 'dc=domain,dc=local', base = '', filter = '((sAMAccountName={0})(objectClass=user))'
    2013-09-03 10:12:32,933 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
    2013-09-03 10:12:32,940  WARN LoggerListener,http-bio-80-exec-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F8EA36A4CF952E3DE41E7211B4EB529D; exception: Bad credentials
    2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:406 - Updated SecurityContextHolder to contain null Authentication
    2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:412 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
    2013-09-03 10:12:32,943 DEBUG HttpSessionContextIntegrationFilter,http-bio-80-exec-6:255 - SecurityContextHolder now cleared, as request processing completed

Any suggestions gratefully received, I've played around with the settings in the externalAuth XML file but nothing seems to make a difference to the log or the login failures.

Cheers, Matt

Solution

  • Generally speaking when doing ldap searches on AD the only time a baseless search will work is when talking to the GC.

    Try putting in the base of DC=domain,DC=local this should still search over your entire domain .

    Also in your user and group searches it appears you are missing the & needed after the first (.

    e.g.

    <property name="groupSearchFilter" value="(&amp;(member={0})(objectClass=group))"/>

    and

    <constructor-arg index="1">
    <value>(&amp;(sAMAccountName={0})(objectClass=user))</value>
</constructor-arg>

    One last thing that I have seen that helps with the Spring LDAP is to use the DN for the bind account.

    e.g.

    HTH