Spring security: ldap configuration











up vote
0
down vote

favorite












I have a trouble with configuring LDAP authentication with Spring.



Using LDAP Apache Directory Studio I have following working connection to LDAP Server:



Bind DN or USER: cn=HIDDEN_USERNAME,OU=HIDDEN_OU1,OU=HIDDEN2,OU=Admin,DC=MY_COMPANYNAME,DC=COM

Authorization ID: SASL PLAIN only

Bind Password: ******


Using this connection, I can find my account under root:



Root DSE/DC=MY_COMPANYNAME,DC=COM/OU=User Accounts/OU=Enabled Users/OU=Consultants/CN=MySurname My Name


Right click on my account gives following values:



DN: CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM

URL: ldap://IP_ADRESS:389/CN=MySurname%20MyName,OU=Consultants,OU=Enabled%20Users,OU=User%20Accounts,DC=MY_COMPANYNAME,DC=COM


I am going to configure WebSecurityConfigurerAdapter in order to get authentication via ldap server in the following way:



@Override

public void configure(AuthenticationManagerBuilder auth) throws Exception {

    auth.ldapAuthentication()

            .userDnPatterns("CN={0},OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM")

            .contextSource()

            .url("ldap://IP_ADRESS:389/")

            .managerDn("HIDDEN_USERNAME")

            .managerPassword("*****")

            .and()

            .passwordCompare()

            .passwordEncoder(new LdapShaPasswordEncoder())

            .passwordAttribute("userPassword");

}


I tried to set userDnPattern in many ways without result. What I am doing wrong?






spring-security ldap







share|improve this question


























    up vote
    0
    down vote

    favorite












    I have a trouble with configuring LDAP authentication with Spring.



    Using LDAP Apache Directory Studio I have following working connection to LDAP Server:



    Bind DN or USER: cn=HIDDEN_USERNAME,OU=HIDDEN_OU1,OU=HIDDEN2,OU=Admin,DC=MY_COMPANYNAME,DC=COM
    
Authorization ID: SASL PLAIN only
    
Bind Password: ******


    Using this connection, I can find my account under root:



    Root DSE/DC=MY_COMPANYNAME,DC=COM/OU=User Accounts/OU=Enabled Users/OU=Consultants/CN=MySurname My Name


    Right click on my account gives following values:



    DN: CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM
    
URL: ldap://IP_ADRESS:389/CN=MySurname%20MyName,OU=Consultants,OU=Enabled%20Users,OU=User%20Accounts,DC=MY_COMPANYNAME,DC=COM


    I am going to configure WebSecurityConfigurerAdapter in order to get authentication via ldap server in the following way:



    @Override
    
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    
    auth.ldapAuthentication()
    
            .userDnPatterns("CN={0},OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM")
    
            .contextSource()
    
            .url("ldap://IP_ADRESS:389/")
    
            .managerDn("HIDDEN_USERNAME")
    
            .managerPassword("*****")
    
            .and()
    
            .passwordCompare()
    
            .passwordEncoder(new LdapShaPasswordEncoder())
    
            .passwordAttribute("userPassword");
    
}


    I tried to set userDnPattern in many ways without result. What I am doing wrong?






    spring-security ldap







    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have a trouble with configuring LDAP authentication with Spring.



      Using LDAP Apache Directory Studio I have following working connection to LDAP Server:



      Bind DN or USER: cn=HIDDEN_USERNAME,OU=HIDDEN_OU1,OU=HIDDEN2,OU=Admin,DC=MY_COMPANYNAME,DC=COM
      
Authorization ID: SASL PLAIN only
      
Bind Password: ******


      Using this connection, I can find my account under root:



      Root DSE/DC=MY_COMPANYNAME,DC=COM/OU=User Accounts/OU=Enabled Users/OU=Consultants/CN=MySurname My Name


      Right click on my account gives following values:



      DN: CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM
      
URL: ldap://IP_ADRESS:389/CN=MySurname%20MyName,OU=Consultants,OU=Enabled%20Users,OU=User%20Accounts,DC=MY_COMPANYNAME,DC=COM


      I am going to configure WebSecurityConfigurerAdapter in order to get authentication via ldap server in the following way:



      @Override
      
public void configure(AuthenticationManagerBuilder auth) throws Exception {
      
    auth.ldapAuthentication()
      
            .userDnPatterns("CN={0},OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM")
      
            .contextSource()
      
            .url("ldap://IP_ADRESS:389/")
      
            .managerDn("HIDDEN_USERNAME")
      
            .managerPassword("*****")
      
            .and()
      
            .passwordCompare()
      
            .passwordEncoder(new LdapShaPasswordEncoder())
      
            .passwordAttribute("userPassword");
      
}


      I tried to set userDnPattern in many ways without result. What I am doing wrong?






      spring-security ldap







      share|improve this question













      I have a trouble with configuring LDAP authentication with Spring.



      Using LDAP Apache Directory Studio I have following working connection to LDAP Server:



      Bind DN or USER: cn=HIDDEN_USERNAME,OU=HIDDEN_OU1,OU=HIDDEN2,OU=Admin,DC=MY_COMPANYNAME,DC=COM
      
Authorization ID: SASL PLAIN only
      
Bind Password: ******


      Using this connection, I can find my account under root:



      Root DSE/DC=MY_COMPANYNAME,DC=COM/OU=User Accounts/OU=Enabled Users/OU=Consultants/CN=MySurname My Name


      Right click on my account gives following values:



      DN: CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM
      
URL: ldap://IP_ADRESS:389/CN=MySurname%20MyName,OU=Consultants,OU=Enabled%20Users,OU=User%20Accounts,DC=MY_COMPANYNAME,DC=COM


      I am going to configure WebSecurityConfigurerAdapter in order to get authentication via ldap server in the following way:



      @Override
      
public void configure(AuthenticationManagerBuilder auth) throws Exception {
      
    auth.ldapAuthentication()
      
            .userDnPatterns("CN={0},OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM")
      
            .contextSource()
      
            .url("ldap://IP_ADRESS:389/")
      
            .managerDn("HIDDEN_USERNAME")
      
            .managerPassword("*****")
      
            .and()
      
            .passwordCompare()
      
            .passwordEncoder(new LdapShaPasswordEncoder())
      
            .passwordAttribute("userPassword");
      
}


      I tried to set userDnPattern in many ways without result. What I am doing wrong?






      spring-security ldap




      spring-security ldap






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Oct 30 at 13:06









      user109447

      1401214




      1401214
























          2 Answers
          2






          active

          oldest

          votes

















          up vote
          0
          down vote













          Using the DN pattern you specify, your logon attempt would need to be made with user ID "MySurname MyName" (and the space may be an issue). The user provided logon ID string is inserted into the DN pattern you include above, and you'll be binding with 



          CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM


          Which matches what your fully qualified DN appears to be. If you want to be able to log on with your ID and not the surname/name string that makes up your CN, or if accounts which need to authenticate exist in multiple OU locations, userSearch may be preferable to DN patterns.



          If you are authenticating against an Active Directory domain, you may be able to use {0}@domain.gTLD or DOMAIN{0} as the user pattern -- when a logon ID is supplied, these patterns form the userPrincipalName and sAMAccountName respectively.






          share|improve this answer





















          • When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
            – user109447
            Oct 30 at 16:13




















          up vote
          0
          down vote













          In response to your comment above: Active Directory hides the password field and it cannot be read even by domain administrators.



          I concur with the other user that for AD you need to use a user search filter and if you want to do it against the username you should use samaccountname={0}






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53064991%2fspring-security-ldap-configuration%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            Using the DN pattern you specify, your logon attempt would need to be made with user ID "MySurname MyName" (and the space may be an issue). The user provided logon ID string is inserted into the DN pattern you include above, and you'll be binding with 



            CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM


            Which matches what your fully qualified DN appears to be. If you want to be able to log on with your ID and not the surname/name string that makes up your CN, or if accounts which need to authenticate exist in multiple OU locations, userSearch may be preferable to DN patterns.



            If you are authenticating against an Active Directory domain, you may be able to use {0}@domain.gTLD or DOMAIN{0} as the user pattern -- when a logon ID is supplied, these patterns form the userPrincipalName and sAMAccountName respectively.






            share|improve this answer





















            • When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
              – user109447
              Oct 30 at 16:13

















            up vote
            0
            down vote













            Using the DN pattern you specify, your logon attempt would need to be made with user ID "MySurname MyName" (and the space may be an issue). The user provided logon ID string is inserted into the DN pattern you include above, and you'll be binding with 



            CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM


            Which matches what your fully qualified DN appears to be. If you want to be able to log on with your ID and not the surname/name string that makes up your CN, or if accounts which need to authenticate exist in multiple OU locations, userSearch may be preferable to DN patterns.



            If you are authenticating against an Active Directory domain, you may be able to use {0}@domain.gTLD or DOMAIN{0} as the user pattern -- when a logon ID is supplied, these patterns form the userPrincipalName and sAMAccountName respectively.






            share|improve this answer





















            • When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
              – user109447
              Oct 30 at 16:13















            up vote
            0
            down vote










            up vote
            0
            down vote









            Using the DN pattern you specify, your logon attempt would need to be made with user ID "MySurname MyName" (and the space may be an issue). The user provided logon ID string is inserted into the DN pattern you include above, and you'll be binding with 



            CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM


            Which matches what your fully qualified DN appears to be. If you want to be able to log on with your ID and not the surname/name string that makes up your CN, or if accounts which need to authenticate exist in multiple OU locations, userSearch may be preferable to DN patterns.



            If you are authenticating against an Active Directory domain, you may be able to use {0}@domain.gTLD or DOMAIN{0} as the user pattern -- when a logon ID is supplied, these patterns form the userPrincipalName and sAMAccountName respectively.






            share|improve this answer












            Using the DN pattern you specify, your logon attempt would need to be made with user ID "MySurname MyName" (and the space may be an issue). The user provided logon ID string is inserted into the DN pattern you include above, and you'll be binding with 



            CN=MySurname MyName,OU=Consultants,OU=Enabled Users,OU=User Accounts,DC=MY_COMPANYNAME,DC=COM


            Which matches what your fully qualified DN appears to be. If you want to be able to log on with your ID and not the surname/name string that makes up your CN, or if accounts which need to authenticate exist in multiple OU locations, userSearch may be preferable to DN patterns.



            If you are authenticating against an Active Directory domain, you may be able to use {0}@domain.gTLD or DOMAIN{0} as the user pattern -- when a logon ID is supplied, these patterns form the userPrincipalName and sAMAccountName respectively.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Oct 30 at 14:18









            LisaJ

            50116




            50116












            • When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
              – user109447
              Oct 30 at 16:13




















            • When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
              – user109447
              Oct 30 at 16:13


















            When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
            – user109447
            Oct 30 at 16:13






            When I use Apache Directory Studio to see all properties names and values on my LDAP account, I see, that property 'userPassword' doesn't exist. I dont see any reasonable property on the list wich could be a password value. What does it mean? This is production LDAP in my corpo, so It works somewhow.
            – user109447
            Oct 30 at 16:13














            up vote
            0
            down vote













            In response to your comment above: Active Directory hides the password field and it cannot be read even by domain administrators.



            I concur with the other user that for AD you need to use a user search filter and if you want to do it against the username you should use samaccountname={0}






            share|improve this answer

























              up vote
              0
              down vote













              In response to your comment above: Active Directory hides the password field and it cannot be read even by domain administrators.



              I concur with the other user that for AD you need to use a user search filter and if you want to do it against the username you should use samaccountname={0}






              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                In response to your comment above: Active Directory hides the password field and it cannot be read even by domain administrators.



                I concur with the other user that for AD you need to use a user search filter and if you want to do it against the username you should use samaccountname={0}






                share|improve this answer












                In response to your comment above: Active Directory hides the password field and it cannot be read even by domain administrators.



                I concur with the other user that for AD you need to use a user search filter and if you want to do it against the username you should use samaccountname={0}







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 11 at 2:47









                Justin Cervero

                515




                515






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53064991%2fspring-security-ldap-configuration%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Xamarin.iOS Cant Deploy on Iphone

                    Image
                    .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } -1 I have a windows laptop and a mac mini my problem is that It wont deploy on iphone if I use Visual Studio Xamarin on windows to install my app, but it works fine with Visual Studio For Mac. Here's what I get after build succeded on Visual Studio Xamarin on windows : 1>------ Build started: Project: FinalCustomerApp.iOS, Configuration: Debug iPhone ------ 1> Connecting to Mac server 192.168.8.100... 1> FinalCustomerApp.iOS -> C:UsersJeremy PaulDesktopFinalCustomerAppFinalCustomerAppFinalCustomerApp.iOSbiniPhoneDebugFinalCustomerApp.iOS.exe 1> Detected signing identity: 1> Code Signing Key: &quo
                    Read more

                    Glorious Revolution

                    Image
                    "The Bloodless Revolution" redirects here. For a history of the vegetarian movement, see The Bloodless Revolution (book). This article is about the English revolution of 1688. For the revolution of 1868 in Spain, see Glorious Revolution (Spain). For other uses, see Glorious Revolution (disambiguation). Glorious Revolution The Prince of Orange lands at Torbay Date 1688–1689 Location British Isles Also known as Revolution of 1688 War of the English Succession Bloodless Revolution Participants English, Welsh and Scottish society, Dutch forces Outcome Replacement of James II by William III and Mary II Jacobite rising of 1689 Williamite War in Ireland War with France; England and Scotland join Grand Alliance Drafting of the Bill of Rights 1689 Part of a series on the History of England Timeline Prehistoric Britain Roman Britain Sub-Roman Britain Medieval period Economy in the Middle Ages Anglo-Saxon period
                    Read more

                    Dulmage-Mendelsohn matrix decomposition in Python

                    Image
                    0 Matlab has a function called dmperm that computes the so-called Dulmage–Mendelsohn decomposition of a n x n matrix. From wikipedia, the Dulmage–Mendelsohn is a partition of the vertices of a bipartite graph into subsets, with the property that two adjacent vertices belong to the same subset if and only if they are paired with each other in a perfect matching of the graph. Looking both on scipy and numpy, I could not find this function, nor some similar version. Is it possible to implement it using basic linear algebra operations? Any idea if this is implemented in some Python package? python matlab linear-algebra graph-theory matrix-decomposition share | improve this question
                    Read more