Reputation: 5316
I have been trying to configure Spring Security to work with LDAP with little success.
I have the following configuration beans:
@Bean
public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("go.com.mt", "LDAP://CORPORATE.INTRA");
    provider.setConvertSubErrorCodesToExceptions(true);
    provider.setUseAuthenticationRequestCredentials(true);
    provider.setUserDetailsContextMapper(userDetailsContextMapper());
    return provider;
}

@Bean
public UserDetailsContextMapper userDetailsContextMapper() {
    UserDetailsContextMapper contextMapper = new AttributesLDAPUserDetailsContextMapper();
    return contextMapper;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
}
I tried creating a custom mapper, as suggested by many answers here on Stack Overflow, that sets every authority to ROLE_USER:
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class AttributesLDAPUserDetailsContextMapper implements UserDetailsContextMapper {
    @Override
    public UserDetails mapUserFromContext(DirContextOperations dirContextOperations, String username, Collection<? extends GrantedAuthority> authority) {
        List<GrantedAuthority> mappedAuthorities = new ArrayList<GrantedAuthority>();
        // Every authority coming from AD is mapped to ROLE_USER; the admin branch is unreachable on purpose.
        for (GrantedAuthority granted : authority) {
            if (true) {
                mappedAuthorities.add(() -> "ROLE_USER");
            } else if (granted.getAuthority().equalsIgnoreCase("MY ADMIN GROUP")) {
                mappedAuthorities.add(() -> "ROLE_ADMIN");
            }
        }
        return new User(username, "", mappedAuthorities);
    }

    @Override
    public void mapUserToContext(UserDetails userDetails, DirContextAdapter dirContextAdapter) {
        // Nothing is written back to the directory.
    }
}
When I try authenticating with an existing user and an incorrect password I get the following message:
[apr-8080-exec-6] ctiveDirectoryLdapAuthenticationProvider : Active Directory authentication failed: Supplied password was invalid
[apr-8080-exec-6] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Thu Aug 20 07:31:59 CEST 2015, principal=samantha.catania, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.BadCredentialsException, message=Bad credentials}]
meaning that the Active Directory is working correctly, but when I try to authenticate with correct credentials I get the following message:
[pr-8080-exec-10] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring PartialResultException
[pr-8080-exec-10] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Thu Aug 20 07:32:05 CEST 2015, principal=samantha.catania, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.BadCredentialsException, message=Bad credentials}]
Any ideas how to fix this please?
Upvotes: 1
Views: 2856
Reputation: 5316
The problem seemed to be because ActiveDirectoryLdapAuthenticationProvider
was "guessing" the DNs using the domain. Updating spring-security-ldap
to the latest version made available a new constructor with 3 parameters, where the last one allows you to specify the DNs. After that the mapper started being called successfully and the authentication went through.
I would like to thank everyone that contributed :)
Upvotes: 2
Reputation: 253
Try setting the Java environment property "java.naming.referral" to "follow" (either in code at startup, or via an argument to the JVM, -Djava.naming.referral=follow).
Do you get a stack trace, or could you print the BadCredentialsException?
This is very similar to an issue I was having with AD, where the problem was with how AD handles referrals and this would generate errors during data retrieval.
From what you have posted I expect the exception is generated in ActiveDirectoryLdapAuthenticationProvider.java line 323, which would point to the same issue.
Upvotes: 0
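Putting both answers together as an added example (my code, not the asker's or Spring Security's): the three-argument constructor with an explicit root DN from the accepted answer, the referral setting from the second answer, and a mapper that grants ROLE_ADMIN only to members of a named group rather than every authority. The root DN, the group name, and the availability of setContextEnvironmentProperties (Spring Security 4.1 and later) are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

public class AdAuthFactory {
    // Placeholder root DN: use the real base DN of your domain.
    static final String ROOT_DN = "DC=CORPORATE,DC=INTRA";
    static final String ADMIN_GROUP = "MY ADMIN GROUP"; // hypothetical AD group CN that maps to ROLE_ADMIN

    public static ActiveDirectoryLdapAuthenticationProvider provider() {
        // 3-arg constructor: the explicit root DN replaces the one guessed from the domain name.
        ActiveDirectoryLdapAuthenticationProvider p =
                new ActiveDirectoryLdapAuthenticationProvider("go.com.mt", "LDAP://CORPORATE.INTRA", ROOT_DN);
        p.setConvertSubErrorCodesToExceptions(true);
        p.setUseAuthenticationRequestCredentials(true);
        // Follow referrals so the post-bind user search does not end in a PartialResultException.
        Map<String, Object> env = new HashMap<>();
        env.put("java.naming.referral", "follow");
        p.setContextEnvironmentProperties(env);
        p.setUserDetailsContextMapper(new GroupRoleMapper());
        return p;
    }

    static class GroupRoleMapper implements UserDetailsContextMapper {
        @Override
        public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                              Collection<? extends GrantedAuthority> authorities) {
            List<GrantedAuthority> mapped = new ArrayList<>();
            mapped.add(new SimpleGrantedAuthority("ROLE_USER")); // every authenticated AD user
            for (GrantedAuthority g : authorities) {             // group CNs taken from memberOf
                if (ADMIN_GROUP.equalsIgnoreCase(g.getAuthority())) {
                    mapped.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                }
            }
            return new User(username, "", mapped); // the AD password is never stored locally
        }
        @Override
        public void mapUserToContext(UserDetails user, DirContextAdapter ctx) { /* read-only mapper */ }
    }
}
```

Register the provider with auth.authenticationProvider(AdAuthFactory.provider()) in configure(AuthenticationManagerBuilder) exactly as in the question.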