Spring Security 2.0.6 Authentication with Active Directory

Question

I have tried to put de authentication with Ldap-Active Directory and Spring Security 2.0.6. But I don't know why the authentication don't pass...

Here you can see the console:

> INFO  [Server] JBoss (MX MicroKernel)
> [4.2.3.GA (build:
> SVNTag=JBoss_4_2_3_GA
> date=200807181439)] Started in
> 30s:118ms
> 
> INFO  [STDOUT] [WARN] Authentication
> event
> AuthenticationFailureBadCredentialsEvent:
> secretariauno1; details:
> org.springframework.security.ui.WebAuthenticationDetails@255f8:
> RemoteIpAddress: 127.0.0.1; SessionId:
> 1D1DEAD28D4AE44AF67277654889D73E;
> exception: User secretariauno1 not
> found in directory.
> 
> INFO  [STDOUT] [WARN] Authentication
> event
> AuthenticationFailureBadCredentialsEvent:
> secretariauno; details:
> org.springframework.security.ui.WebAuthenticationDetails@255f8:
> RemoteIpAddress: 127.0.0.1; SessionId:
> 1D1DEAD28D4AE44AF67277654889D73E;
> exception: Bad credentials; nested
> exception is
> org.springframework.ldap.AuthenticationException:
> [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e,
> v1db0
> 
> INFO  [STDOUT] [INFO] The
> returnObjFlag of supplied
> SearchControls is not set but a
> ContextMapper is used - setting flag
> to true
> 
> INFO  [STDOUT] [WARN] Authentication
> event
> AuthenticationFailureServiceExceptionEvent:
> secretariauno; details:
> org.springframework.security.ui.WebAuthenticationDetails@255f8:
> RemoteIpAddress: 127.0.0.1; SessionId:
> 1D1DEAD28D4AE44AF67277654889D73E;
> exception: Unprocessed Continuation
> Reference(s); nested exception is
> javax.naming.PartialResultException:
> Unprocessed Continuation Reference(s);
> remaining name ''; nested exception is
> org.springframework.ldap.PartialResultException:
> Unprocessed Continuation Reference(s);
> nested exception is
> javax.naming.PartialResultException:
> Unprocessed Continuation Reference(s);
> remaining name ''

There are three [WARN], the first secretariauno1 is not in LDAP. The second, the password is bad. But the thirds, is good and it don't pass. It return to loging page. I have looked for "returnObjFlag" and about "remaining name" without goals...

Please, if anyone can help me..., THANK YOU!!!

Here you can see tha applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                      http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                      http://www.springframework.org/schema/security
                      http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <bean id="loggerListener"
          class="org.springframework.security.event.authentication.LoggerListener" />

    <security:http>
        <security:intercept-url pattern="/**" access="ROLE_USUARIO_AUTENTICADO" />
        <security:intercept-url pattern="/login.jsp" filters="none"/>
        <security:intercept-url pattern="/css/*" filters="none"/>
        <security:form-login
            login-processing-url="/j_security_check"
            login-page="/login.jsp"
            default-target-url="/index.jsp"
            always-use-default-target="true"
            authentication-failure-url="/login.jsp" />
        <security:anonymous/>
        <security:http-basic/>
        <security:logout/>
    </security:http>

    <security:ldap-server id="ldapServer"
                          url="ldap://bibredc05.preadm.com:389/dc=preadm,dc=com"
                          manager-dn="cn=desLector,ou=Users,dc=preminjus,dc=es"
                          manager-password="pwd123"/>   

    <security:ldap-authentication-provider user-search-filter="(sAMAccountName={0})"
                                           user-search-base="ou=Users"/>



    <security:ldap-user-service server-ref="ldapServer"
                                user-search-filter="sAMAccountName={0}"
                                user-search-base="ou=Users"/>

</beans>

Answer 1

Resolved

Well, finally I have migrated to Spring Security 3.0.4. The problem was that you have to use the beans definition because Active Directory need the Populator bean.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

 <bean id="loggerListener"
    class="org.springframework.security.authentication.event.LoggerListener" />

 <security:http>
  <security:session-management>
   <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
  </security:session-management>
  <security:intercept-url pattern="/css/*" filters="none"/>
  <security:intercept-url pattern="/login.jsp" filters="none"/>
     <security:intercept-url pattern="/**" access="ROLE_USER_AUTENTICADO" />
     <security:form-login
   login-processing-url="/j_spring_security_check"
   login-page="/login.jsp"
   default-target-url="/index.jsp"
   always-use-default-target="true"
   authentication-failure-url="/login.jsp" />
  <security:anonymous/>
  <security:http-basic/>
  <security:logout/>
 </security:http>

 <security:authentication-manager>
    <security:authentication-provider ref='ldapAuthProvider' />
 </security:authentication-manager>


 <!-- 
 * The second constructor of the DefaultLdapAuthoritiesPopulator class is the paramerter
   what is included in LDAP as memberOf, for example, if it have value="ou=Users" the
   users without thios group don't have access. 

 * It put to the accessed user: ROLE_USUARIO_AUTENTICADO". I use this in the interceptor. 
   But, for example, if in the LDAP, the user have in memberOf attribute:
   "CN=Preadm,OU=Applications,OU=Usuers,DC=preadm,DC=com" the user should have authority for
   OU=Users, but it will work if the interceptor have "ROLE_PREADM", "ROLE_" is the default prefix,
    "PREADM" is for CN=Preadm in the memberOf.
   -->

 <bean id="ldapAuthProvider"
         class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
   <bean id="bindAuthenticator" 
      class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <constructor-arg ref="contextSource" />
    <property name="userSearch" ref="userSearch"/>
   </bean>
    </constructor-arg>
    <constructor-arg>
      <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg ref="contextSource"/>
    <constructor-arg value="ou=Users"/>
    <property name="defaultRole" value="ROLE_USER_AUTENTICADO"/>
    <property name="searchSubtree" value="true" />
    <property name="ignorePartialResultException" value="true"/>
      </bean>
  </constructor-arg>
 </bean> 

 <bean id="userSearch"
   class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0" value="ou=Users"/> 
  <constructor-arg index="1" value="(sAMAccountName={0})"/>
  <constructor-arg index="2" ref="contextSource" />
  <property name="searchSubtree" value="true"/>
 </bean>

 <bean id="contextSource" 
   class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
     <constructor-arg value="ldap://bibredc05.preadm.com:389/dc=preadm,dc=com"/>
     <property name="userDn" value="cn=desReader,ou=Users,dc=preadm,dc=com"/>
     <property name="password" value="pwd123"/>
 </bean>

</beans>

Answer 2

Perhaps this link could help you. There is a possible reason for the problem.

It is probably due to a need to follow referral searches.

This link is also related on one way to configure referral.