Reputation: 221
I currently have a Spring Boot application that takes employee data from Active Directory and displays it as JSON.
However, I don't want to link directly to Active Directory; I would like to use Active Directory Lightweight Directory Services (AD LDS).
I assumed I could just set up the connection and connect in the same way, but I keep getting an error 49 (invalid credentials). I am using the same credentials that work on Active Directory.
This is the Spring.xml configuration credentials:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://example.com:389" />
    <!-- base DN without the stray leading space that was in the original value -->
    <property name="base" value="DC=example,DC=com" />
    <property name="userDn" value="jsmith@example.com" />
    <property name="password" value="password" />
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <constructor-arg ref="contextSource" />
    <property name="ignorePartialResultException" value="true" />
</bean>
If I try to change the url to the AD LDS url (which uses localhost), I get an LDAP error 49. Does anybody have experience with these technologies? Please help.
EDIT:
If I try to use my Active Directory domain username I get:
The authentication failed
- [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903C4, comment: AcceptSecurityContext error, data 2030, v295a
If I try to use the user DN I get:
The authentication failed
- [LDAP: error code 80 - 80090304: LdapErr: DSID-0C0903C4, comment: AcceptSecurityContext error, data 20ee, v295a
Upvotes: 1
Views: 2897
Reputation: 1
I just ran into this issue myself and was able to resolve it. The issue I had was a result of my AD LDS being configured with SASL, so doing a simple bind did not work. For a clarification of SASL, see the LDAPv3 authentication methods rfc2829 (section 6.1).
I'll walk through setting up a connection using Apache Directory Studio, but I'm sure the Spring docs describe how to configure SASL for your connection.
Configure connection to server: In my test lab, I'm not securing with TLS, so I'm able to just bind to 389.
Configure authentication: When configuring authentication, you want to select the SASL method that is supported by your LDAPv3 server (my AD LDS supported DIGEST-MD5). Enter your credentials for the user and password (I was able to use the full DN as provided in the screenshot, as well as just the cn). When using the DIGEST-MD5 authentication method, you'll also have to provide a SASL Realm under SASL Settings. This is the realm of the principal being used to bind.
If you want to check the supported SASL methods for your LDAP server (like AD LDS), you can use the ldp.exe (or Softerra) tool to retrieve bind metadata and look for the supported LDAP SASL methods.
Upvotes: 0
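The two steps in the answer above, reading the server's advertised SASL mechanisms (what ldp.exe shows) and then binding with DIGEST-MD5 plus a realm, as an added example using plain JNDI rather than the Spring LDAP wrapper; this is not code from the question or the answer. The URL, account name and realm are assumed lab values.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdLdsSaslBind {
    // Assumed lab value: AD LDS instance on the local machine, plain port 389 (no TLS, as in the answer).
    static final String URL = "ldap://localhost:389";

    private static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        return env;
    }

    /** Anonymous read of the root DSE attribute supportedSASLMechanisms (may be empty if anonymous access is disabled). */
    static List<String> supportedSaslMechanisms() throws NamingException {
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        LdapContext ctx = new InitialLdapContext(env, null);
        List<String> mechs = new ArrayList<>();
        try {
            Attribute attr = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"}).get("supportedSASLMechanisms");
            if (attr != null) {
                NamingEnumeration<?> values = attr.getAll();
                while (values.hasMore()) mechs.add(values.next().toString());
            }
        } finally {
            ctx.close();
        }
        return mechs;
    }

    /** DIGEST-MD5 bind. The realm is the SASL realm of the principal; a wrong realm fails just like a wrong password. */
    static LdapContext digestMd5Bind(String user, String password, String realm) throws NamingException {
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");   // instead of the default "simple" bind
        env.put(Context.SECURITY_PRINCIPAL, user);                 // account name, or DN as the answer notes
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.security.sasl.realm", realm);         // JNDI property for the SASL realm
        return new InitialLdapContext(env, null);
    }
}
```

Bind only with DIGEST-MD5 if it actually appears in the mechanism list; if it does not, the server will reject the bind regardless of the credentials.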
Reputation: 2175
You need to provide the complete DN of the user as "userDn", like cn=jsmith@example.com,ou=xyz,dc=abc,dc=com.
Upvotes: 0