Reputation: 3827
I am trying to authenticate a user against AD LDS\ADAM using the Spring framework and Spring Security 3.0. I keep getting the following error and hopefully someone here can explain where the problem lies.
[LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'
Can anyone explain what the "best match of" and "remaining name" bits mean? This is really confusing me. Is this type of search case sensitive? And would problems like time differences between the server and client make a difference?
From what I have read online, error code 32 means that the object can't be found - very helpful, I'm sure you'll agree. Here is the configuration I am using:
<authentication-manager alias="ldapAuthenicationManager">
    <ldap-authentication-provider
        user-search-base="cn=Users,dc=Domain,dc=local"
        user-search-filter="(uid={0})"
        role-prefix="Users"
    />
</authentication-manager>
<ldap-server url="ldap://server:50006/" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password101" />
I am searching by uid (there is no SAMAccountName in LDS), and when I search by the same criteria using ldap.exe on the server I can find the user correctly, e.g.:
ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList, 0, &msg)
***Searching...
ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList, 0, &msg)
Getting 1 entries:
Dn: CN=Mo Logan,CN=Users,DC=Domain,DC=local
badPasswordTime: 9/20/2011 1:19:51 PM GMT Standard Time;
badPwdCount: 0;
cn: Mo Logan;
distinguishedName: CN=Mo Logan,CN=Users,DC=Domain,DC=local;
dSCorePropagationData: 0x0 = ( );
instanceType: 0x4 = ( WRITE );
lastLogonTimestamp: 9/20/2011 9:10:32 AM GMT Standard Time;
lockoutTime: 0;
memberOf (2): CN=DMSUsers,CN=Users,DC=Domain,DC=local; CN=Users,CN=Roles,CN=Users,DC=Domain,DC=local;
msDS-UserAccountDisabled: FALSE;
name: Mo Logan;
objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={BD500A33-CE7C-492F-9007-BF1B17F972EE};
objectClass (4): top; person; organizationalPerson; user;
objectGUID: 40f74ed4-6cf3-495e-a28c-6aa080a0333b;
objectSid: S-1-514506224-2209559093-2723712157-1234827279-3369888698-2052446679;
pwdLastSet: 9/20/2011 8:19:06 AM GMT Standard Time;
uid: mologan;
uSNChanged: 13994;
uSNCreated: 13985;
whenChanged: 9/20/2011 9:10:32 AM GMT Standard Time;
whenCreated: 9/20/2011 8:16:54 AM GMT Standard Time;
I am binding to AD LDS as an administrator account which belongs to the reader group under roles. This user sits at the same level as the username I am trying to verify.
As you can probably tell I am flat out of ideas as to why I am getting this error and hopefully someone will be able to help me out or point me in the right direction,
Cheers & thanks in advance
Upvotes: 4
Views: 14347
Reputation: 3827
I think I finally got to the bottom of this, hopefully this will help someone else. Below is the configuration for my security:
<authentication-manager alias="ldapAuthenicationManager">
    <ldap-authentication-provider
        user-search-filter="(uid={0})"
        group-search-filter="(member=userGroup)"
    >
    </ldap-authentication-provider>
</authentication-manager>
<ldap-server url="ldap://server:50006/CN=Users,CN=Domain,CN=local" manager-dn="Cn=Admin,CN=Domain,CN=local" manager-password="Password101" />
I had to create a user in LDS called admin and allocate it to the reader role in LDS (if you don't have this, import it from the ldf files provided for LDS). Now create a user and then a group, adding the user to the group created in AD.
At this point I was getting LDAP error 32. After debugging through the Spring Security code and looking at the event logs of the server, I guessed that the problem was with how AD LDS was set up. After a lot of fiddling and guesswork I stumbled upon the problem.
To resolve this I ended up adding the user I wanted to log in with (not the manager-dn) to the reader group to allow a successful bind. Doing that resolved the problem.
Hopefully this is of use?
Upvotes: 3
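To make the "best match of" / "remaining name" pair in the question concrete, here is a small diagnostic (added here as an example; it is not code from the question, the answers or Spring Security). It parses the javax.naming error text, splits both DNs into RDNs with case-insensitive comparison, and reports which RDNs the server could not resolve below the deepest ancestor it did find. The error string is the one quoted in the question, re-typed as a constructed sample.

```python
import re

# Constructed sample: the error message quoted in the question (single copy).
SAMPLE = ("[LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 "
          "(NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; "
          "remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'")

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def norm_rdn(rdn):
    """Attribute types are case-insensitive and cn/dc use case-ignore matching,
    so compare lower-cased with collapsed whitespace; case is not the problem."""
    attr, _, val = rdn.partition("=")
    return attr.strip().lower() + "=" + " ".join(val.split()).lower()

def parse_error(msg):
    """Pull error code, 'best match of' DN and 'remaining name' DN out of the text."""
    code = int(re.search(r"error code (\d+)", msg).group(1))
    best = re.search(r"best match of: '([^']*)'", msg)
    rem = re.search(r"remaining name '([^']*)'", msg)
    return code, (best.group(1) if best else ""), (rem.group(1) if rem else "")

def unresolved_rdns(best_match, remaining):
    """RDNs of `remaining` (the DN the client asked for) that sit below `best_match`
    (the deepest entry the server resolved). DNs read right-to-left, so the best
    match must be a suffix of the remaining name."""
    best = [norm_rdn(r) for r in split_dn(best_match)] if best_match else []
    rem_raw = split_dn(remaining)
    rem = [norm_rdn(r) for r in rem_raw]
    if best and rem[-len(best):] != best:
        raise ValueError("best match is not a suffix of remaining name")
    return rem_raw[:len(rem) - len(best)]

def diagnose(msg):
    """Return (error code, unresolved RDNs); only code 32 carries a best match."""
    code, best, rem = parse_error(msg)
    return code, (unresolved_rdns(best, rem) if code == 32 else [])
```

For the question's message this yields `cn=Mo Logan` as the only unresolved RDN: the server found `CN=Users,DC=Domain,DC=local` but would not resolve the user entry beneath it, which is what you see both when the entry is absent and when the bound identity lacks read rights on it, consistent with the accepted answer's fix of adding the authenticating user to the reader role.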
Reputation: 72630
I notice a strange thing in your question. You make a search:
ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList, 0, &msg)
with (uid=mologan) as a filter, and the result returns uid: chweeks. Is it just a typo or a copy/paste from the result of another search?
Another thing: you wrote about LDAP.EXE; you mean LDP.EXE.
----EDITED------
Can you try this kind of configuration?
<authentication-manager alias="ldapAuthenicationManager">
    <ldap-authentication-provider
        user-search-base="cn=Users"
        user-search-filter="(uid={0})"
        role-prefix="Users"
    />
</authentication-manager>
<ldap-server url="ldap://server:50006/dc=Domain,dc=local" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password101" />
Upvotes: 0