Allan Lykke Christensen

Reputation: 1347

GlassFish Security Realm, Active Directory and Referral

I've set up a Security Realm in GlassFish to authenticate against an Active Directory server. The configuration of the realm is as follows:

Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
JAAS context:  ldapRealm
Directory: ldap://172.16.76.10:389/
Base DN:  dc=smallbusiness,dc=local
search-filter: (&(objectClass=user)(sAMAccountName=%s))
group-search-filter: (&(objectClass=group)(member=%d))
search-bind-dn: cN=Administrator,CN=Users,dc=smallbusiness,dc=local
search-bind-password: abcd1234!

The realm is functional and I can log in, but whenever I log in I get the following error in the log:

SEC1106: Error during LDAP search with filter [(&(objectClass=group)(member=CN=Administrator,CN=Users,dc=smallbusiness,dc=local))].
SEC1000: Caught exception.
    javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=smallbusiness,dc=local'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
        ....
        ....
ldaplm.searcherror

While searching for a solution I found that it was recommended to add java.naming.referral=follow to the properties of the realm. However, after I add this it takes 20 minutes for GlassFish to authenticate against Active Directory. I suspect it is a DNS problem on the Active Directory server. The Active Directory server is a vanilla Windows Server 2003 setup in a Virtual Machine.

Any help/recommendation is highly appreciated!

Upvotes: 1

Views: 5740

Answers (3)

Cheburashka

Reputation: 11

This is the configuration I use in my domain.xml file; it might be of some interest to you:

<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="ldapRealm"> 
      <property name="search-bind-password" value="Demodemo01"/> 
      <property name="search-bind-dn" value="Administrator"/> 
      <property name="search-filter" value="(&amp;(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"/> 
      <property name="group-search-filter" value="(&amp;(objectClass=group)(member=%d))"/> 
      <property name="jaas-context" value="ldapRealm"/> 
      <property name="base-dn" value="CN=Users,DC=saierp,DC=net"/> 
      <property name="directory" value="ldap://192.168.1.38:389"/> 
</auth-realm>

Especially, make sure to add the userAccountControl to your filter; otherwise, disabled accounts in AD will be allowed to connect.

Upvotes: 1
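An added example (Python, not from the question or any answer, and not GlassFish's own code) that models what that filter clause actually tests: the `1.2.840.113556.1.4.803` extensible match is a bitwise AND on `userAccountControl`, and bit 2 (ACCOUNTDISABLE) marks a disabled account, so an account with value 514 (512 NORMAL_ACCOUNT + 2) is excluded while 512 passes. The directory entries and DNs are constructed; the RFC 4515 escaping of the substituted `%s` username is an extra the answer does not cover.

```python
"""Model of the AD realm search filter: why the userAccountControl clause
excludes disabled accounts. Sample entries below are constructed."""
import re

# Bits of the AD userAccountControl attribute.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
# Extensible-match rule used in the filter: LDAP_MATCHING_RULE_BIT_AND.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_search_filter(username: str, exclude_disabled: bool = True) -> str:
    """The realm's search-filter with %s already replaced by the username."""
    parts = ["(objectClass=user)",
             f"(sAMAccountName={escape_filter_value(username)})"]
    if exclude_disabled:
        parts.append(f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))")
    return "(&" + "".join(parts) + ")"

def bit_and_matches(attr_value: int, asserted: int) -> bool:
    """Semantics of the BIT_AND rule: every asserted bit is set in the value."""
    return (attr_value & asserted) == asserted

def entry_matches(entry: dict, username: str, exclude_disabled: bool = True) -> bool:
    """Evaluate the filter's semantics against one constructed AD entry."""
    if "user" not in entry["objectClass"]:
        return False
    if entry["sAMAccountName"].lower() != username.lower():  # AD compares case-insensitively
        return False
    if exclude_disabled and bit_and_matches(entry["userAccountControl"], ACCOUNTDISABLE):
        return False
    return True

# Constructed directory: one enabled user and one disabled user (512 + 2 = 514).
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=local", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
    {"dn": "CN=bob,CN=Users,DC=example,DC=local", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
]

def search(username: str, exclude_disabled: bool = True) -> list:
    """Return the DNs the realm would find for this username."""
    return [e["dn"] for e in SAMPLE_ENTRIES if entry_matches(e, username, exclude_disabled)]

if __name__ == "__main__":
    print(build_search_filter("bob"))
    print("with clause:", search("bob"), "without clause:", search("bob", False))
```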

Whatever

Reputation: 16

This was maddening trying to solve this... Glassfish 3.0.1 trying to connect with Windows, and getting the above error.

I'm not a Windows or LDAP whiz at all... but finally found this:

http://forum.springsource.org/showthread.php?t=87673

And the very last line is the key: use the "Global Catalog Port" - instead of 389, it is 3268 by default. And the exception disappears.

Why?

Who cares?

(well, ok, I'm going to read about it now.)

Upvotes: 0

Jon

Reputation: 198

Hopefully, you've resolved this, but just in case:

  1. I used 'objectCategory' in place of 'objectClass' as I read the former are indexed, hence faster.

  2. I had to add this property:

    <property name="assign-groups" value="Domain Users"/>

where "Domain Users" is the group in AD that all of our users are placed into. This must match the value in sun-web.xml for security-role-mapping.

Later, I was able to create a specific group for this application and make the appropriate changes.

Upvotes: 0
