marklw16

Grails Spring Security & LDAP Auth Failure

ISSUE: Grails ADMIN logs in via LDAP but no other account does. System = Win 7, grails 2.2.1, Active Dir lightweight

I have created a simple Grails default application and installed the latest Grails Spring Security and LDAP plugins. I then followed this tutorial to configure the Spring Security setup: http://blog.springsource.com/2010/08/11/simplified-spring-security-with-grails/

Anyway, I got Spring Security working fairly fast. The next step was setting up LDAP to use the anonymousAuthenticationProvider so my Grails app would log in without checking its own DB for passwords, only LDAP. I am using Windows Active Directory. I followed this configuration setup: http://grails-plugins.github.io/grails-spring-security-ldap/docs/manual/guide/2.%20Usage.html . All seems to start fine, except the only user that seems to log in correctly is admin; no other user works. I get a "cannot find user with that username / password" error. I have added error, warn and info log output for Spring Security, but it does not seem to give much info at all, except for the admin account, which actually works. I verified it works because I gave the Spring Security DB password a different password to the LDAP password, and once LDAP was configured the only password that worked for admin was the LDAP one. Unfortunately no other users worked though.

Here is my grails config:

    // Added by the Spring Security Core plugin:
    grails.plugins.springsecurity.userLookup.userDomainClassName = 'org.example.SecUser'
    grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'org.example.SecUserSecRole'
    grails.plugins.springsecurity.authority.className = 'org.example.SecRole'

    grails.plugins.springsecurity.ldap.context.managerDn = 'CN=admin,OU=people,OU=imApp,DC=example,DC=org'
    grails.plugins.springsecurity.ldap.context.managerPassword = 'password'
    grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:55000/'
    grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
    grails.plugins.springsecurity.ldap.search.base = 'OU=people,OU=imApp,DC=example,DC=org'
    grails.plugins.springsecurity.ldap.search.filter = 'uid={0}'  // AD uses sAMAccountName instead of uid
    grails.plugins.springsecurity.ldap.search.searchSubtree = true
    grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
    grails.plugins.springsecurity.ldap.search.derefLink = true
    // specify this when you want to skip attempting to load from db and only use LDAP
    grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider']
    grails.plugins.springsecurity.conf.ldap.authorities.retrieveGroupRoles = false
    grails.plugins.springsecurity.conf.ldap.authorities.retrieveDatabaseRoles = false
    //grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups,ou=imApp,dc=mcommunity,dc=org'
    // role specific ldap config
    grails.plugins.springsecurity.ldap.useRememberMe = false

I have tried a few variations of this config. For example, it says Active Dir requires sAMAccountName as the search.filter, but when I use this no accounts work; if I comment it out completely it works as already mentioned: admin logs in but no other account does. If I remove the springsecurity.providerNames the app starts but uses the DB as the password auth provider. I came across some blogs that mentioned removing the password from the model class and DB, or making it nullable, which I tried but it had no effect on the outcome.

My Active Dir structure is as follows:

    DC=example,dc=org
      OU=imApp
        OU=groups
        OU=people
          CN=admin   user   CN=admin,OU=people,OU=imApp,DC=example,DC=org
          CN=user1   user   CN=user1,OU=people,OU=imApp,DC=example,DC=org
    CN=LostAndFound
    CN=NTDS Quotas
    CN=Roles

I have given each account an LDAP password, and added a parameter uid matching that of their username (CN). I have not used a custom UserDetailsContextMapper, just the default. However, I did try a custom UserDetailsContextMapper and just came across the same issue, so I reverted back to using the standard one. Also, I noticed Active Dir has a lower case dc for org, so I tried using the same lower case dc in the Grails config, but it has the same result.

Has anyone come across this issue or know where I may be going wrong? Any help appreciated.

Best, Marklw16

Answers (1)

James Kleeh

Try these settings:

    grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'DC=example,dc=org'
    grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'

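To tell whether the failure is in the user search (search base and filter) or in the bind with the user's own credentials, the following Groovy script, added here and not part of the question or answer, drives the same Spring Security LDAP classes the plugin wires up (DefaultSpringSecurityContextSource, FilterBasedLdapUserSearch, BindAuthenticator) outside Grails. It assumes the spring-security-ldap jar is on the classpath (the @Grab version is an assumption); server, manager DN and search base are copied from the question's config, and `userPw` is a placeholder for user1's real LDAP password.

```groovy
@Grab('org.springframework.security:spring-security-ldap:3.1.4.RELEASE')
import org.springframework.security.ldap.DefaultSpringSecurityContextSource
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch
import org.springframework.security.ldap.authentication.BindAuthenticator
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.dao.IncorrectResultSizeDataAccessException

// Connection details copied from the question's Config.groovy.
def server    = 'ldap://localhost:55000/'
def managerDn = 'CN=admin,OU=people,OU=imApp,DC=example,DC=org'
def managerPw = 'password'              // manager password as given in the question
def base      = 'OU=people,OU=imApp,DC=example,DC=org'
def userPw    = 'USER1_PASSWORD_HERE'   // placeholder: user1's real LDAP password

// Manager bind, the same thing the plugin's contextSource bean does.
def contextSource = new DefaultSpringSecurityContextSource(server)
contextSource.userDn = managerDn
contextSource.password = managerPw
contextSource.afterPropertiesSet()

// Step 1: does each candidate ldap.search.filter resolve a username to exactly one DN?
['uid={0}', 'sAMAccountName={0}', 'cn={0}'].each { filter ->
    def search = new FilterBasedLdapUserSearch(base, filter, contextSource)
    search.searchSubtree = true          // mirrors ldap.search.searchSubtree = true
    ['admin', 'user1'].each { username ->
        try {
            def entry = search.searchForUser(username)
            println "filter=$filter user=$username -> found ${entry.dn}"
        } catch (UsernameNotFoundException e) {
            println "filter=$filter user=$username -> no entry matched"
        } catch (IncorrectResultSizeDataAccessException e) {
            println "filter=$filter user=$username -> more than one entry matched"
        }
    }
}

// Step 2: for the AD-style filter, does a bind as user1 with user1's password succeed?
def userSearch = new FilterBasedLdapUserSearch(base, 'sAMAccountName={0}', contextSource)
userSearch.searchSubtree = true
def authenticator = new BindAuthenticator(contextSource)
authenticator.userSearch = userSearch
try {
    def ctx = authenticator.authenticate(new UsernamePasswordAuthenticationToken('user1', userPw))
    println "bind as ${ctx.dn} succeeded"
} catch (UsernameNotFoundException e) {
    println "user1 not found by search, bind not attempted"
} catch (BadCredentialsException e) {
    println "bind for user1 rejected: ${e.message}"
}
```

If step 1 finds user1 but step 2 is rejected, the problem is the bind (password or account state on the AD side) rather than the Grails filter; if step 1 finds nothing for user1 under every filter, the search base or the attribute being matched is what to fix.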