
ISSUE: Grails ADMIN logs in via LDAP but no other account does. System = Win 7, grails 2.2.1, Active Dir lightweight

I have created a simple grails default application, installed the latest grails spring security and ldap plugins. I then followed the following tutorial to configure the spring security setup. Tutorial located at http://blog.springsource.com/2010/08/11/simplified-spring-security-with-grails/

Anyway, I got Spring Security working fairly fast; the next step was setting up LDAP to use the anonymousAuthenticationProvider so my grails app would log in without checking its own DB for passwords, only LDAP. I am using windows Active Directory. Anyway, I followed this configuration setup http://grails-plugins.github.io/grails-spring-security-ldap/docs/manual/guide/2.%20Usage.html . All seems to start fine, except the only user that seems to log in correctly is admin; no other user works. I get a "cannot find user with that username / password" error. I have added error, warn and info log output for spring security but it does not seem to give much info at all, except for the admin account, which actually works. I verified it works as I gave the spring security db password a different password to the ldap password, and once the ldap was configured the only password that worked for the admin was the ldap one. Unfortunately no other users worked though.

Here is my grails config:

    // Added by the Spring Security Core plugin:
    grails.plugins.springsecurity.userLookup.userDomainClassName = 'org.example.SecUser'
    grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'org.example.SecUserSecRole'
    grails.plugins.springsecurity.authority.className = 'org.example.SecRole'

    grails.plugins.springsecurity.ldap.context.managerDn = 'CN=admin,OU=people,OU=imApp,DC=example,DC=org'
    grails.plugins.springsecurity.ldap.context.managerPassword = 'password'
    grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:55000/'
    grails.plugins.springsecurity.ldap.authorities.ignorePartialResultException = true
    grails.plugins.springsecurity.ldap.search.base = 'OU=people,OU=imApp,DC=example,DC=org'
    grails.plugins.springsecurity.ldap.search.filter = 'uid={0}'  // AD uses sAMAccountName instead of uid
    grails.plugins.springsecurity.ldap.search.searchSubtree = true
    grails.plugins.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
    grails.plugins.springsecurity.ldap.search.derefLink = true
    // specify this when you want to skip attempting to load from db and only use LDAP
    grails.plugins.springsecurity.providerNames = ['ldapAuthProvider', 'anonymousAuthenticationProvider']
    // the plugin reads these under ...springsecurity.ldap.authorities.*;
    // the posted config spelled them ...springsecurity.conf.ldap.authorities.*, which the plugin ignores
    grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = false
    grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
    //grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups,ou=imApp,dc=mcommunity,dc=org'
    // role specific ldap config
    grails.plugins.springsecurity.ldap.useRememberMe = false

I have tried a few variations of this config. For example, it says Active Dir requires sAMAccountName as the search.filter, but when I use this no accounts work; if I comment it out completely it works as already mentioned: admin logs in but no other account does. If I remove the springsecurity.providerNames the app starts but uses the DB as password auth provider. I came across some blogs that mentioned removing the password from the model class and db, or making it nullable, which I tried but it had no effect on the outcome.

My Active Dir structure is as follows:

    DC=example,dc=org
      OU=imApp
        OU=groups
        OU=people
          CN=admin   user   CN=admin,OU=people,OU=imApp,DC=example,DC=org
          CN=user1   user   CN=user1,OU=people,OU=imApp,DC=example,DC=org
      CN=LostAndFound
      CN=NTDS Quotas
      CN=Roles

I have given each account an LDAP password, and added a parameter uid matching that of their username (CN). I have not used a custom UserDetailsContextMapper, just the default. However, I did try a custom UserDetailsContextMapper and just came across the same issue, so reverted back to using just the standard one. Also I noticed Active Dir has a lower case dc for org, so I tried using the same lower case dc in the Grails config but it has the same result.

Has anyone come across this issue or know where I may be going wrong? Any help appreciated.

Best, Marklw16

  • If you used a custom `UserDetailsContextMapper` and it didn't work, it is probably your search that's wrong. Maybe [this topic](http://stackoverflow.com/questions/4157201/finding-cn-of-users-in-active-directory) helps you. –  Jun 11 '13 at 11:11
  • Thanks Sérgio, had a read of the topic and tried a few other ideas but still did not get it working. I thought maybe adding a parameter CN=users to the OU people folder would help. Then I changed the ldap.search.base = 'CN=users,OU=people,OU=imApp,DC=example,DC=org' as that would then be similar to managerDn syntax which works, but no joy as of yet – marklw16 Jun 11 '13 at 12:19
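As an added example (not code from the question, the plugin or the tutorial), here is a stdlib-only Python model of the plugin's search-then-bind sequence run over the directory tree from the question. The `DIRECTORY` entries, `DB_USERS`, the passwords and the `need_db_user` stage are constructed assumptions; the last stands in for any post-bind lookup a context mapper might do against the SecUser table. It escapes the `{0}` substitution (RFC 4515) and reports which stage a login fails in, which is what the log extract in the comments can be compared against.

```python
# Added example (not the plugin's code): a stdlib-only model of the plugin's
# search-then-bind flow, run over a constructed copy of the question's tree.
DIRECTORY = {  # constructed AD LDS entries; DN keys are lower-cased
    "cn=admin,ou=people,ou=imapp,dc=example,dc=org":
        {"uid": "admin", "userPassword": "admin-ldap-pw"},
    "cn=user1,ou=people,ou=imapp,dc=example,dc=org":
        {"uid": "user1", "userPassword": "user1-ldap-pw"},
}
DB_USERS = {"admin"}  # constructed SecUser table: only admin came from the tutorial

def escape_filter_value(value):
    """RFC 4515 escaping for the {0} substitution, so the username cannot change
    the filter shape (e.g. 'admin)(uid=*' is searched for literally)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def search(base, search_filter, username, subtree=True):
    """Equality-filter search the way the manager DN would run it."""
    attr, _, pattern = search_filter.partition("=")
    wanted = pattern.replace("{0}", escape_filter_value(username))
    base = base.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        depth_ok = subtree or dn.count(",") == base.count(",") + 1
        if dn.endswith("," + base) and depth_ok and attrs.get(attr) == wanted:
            hits.append(dn)
    return hits

def bind(dn, password):
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["userPassword"] == password

def authenticate(username, password, base, search_filter, need_db_user):
    """Returns a stage label so a failure can be placed: search, bind, or the
    hypothetical database lookup after a successful LDAP bind."""
    dns = search(base, search_filter, username)
    if not dns:
        return "search: no entry matched"
    if len(dns) > 1:
        return "search: ambiguous result"
    if not bind(dns[0], password):
        return "bind: bad credentials"
    if need_db_user and username not in DB_USERS:
        return "mapper: authenticated in LDAP but absent from SecUser"
    return "ok"

BASE = "OU=people,OU=imApp,DC=example,DC=org"
if __name__ == "__main__":
    for user, pw, filt in (("admin", "admin-ldap-pw", "uid={0}"), ("user1", "user1-ldap-pw", "uid={0}"),
                           ("user1", "wrong", "uid={0}"), ("user1", "user1-ldap-pw", "sAMAccountName={0}")):
        print(user, filt, "->", authenticate(user, pw, BASE, filt, True))
```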

1 Answer


Try these settings:

    grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'DC=example,dc=org'
    grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'

  • Thanks James, I tried your config suggestion. Although it did not work, it did however get a bit further. I can now see in the logs that it is attempting to do something. I tried a few variations of the config you suggested, e.g. change member to uid, capitals DC, adding in OU=people, OU=imApp. Seems to give the same result. I'd say it's so close, just something small I am missing. – marklw16 Jun 12 '13 at 09:25
  • Logs extract - Processing authentication request for user: user1 Searching for user 'user1', with user search [ searchFilter: 'uid={0}', searchBase: 'OU=people,OU=imApp,DC=example,DC=org', scope: subtree, searchTimeLimit: 0, derefLinkFlag: true ] Searching for entry under DN '', base = 'ou=people,ou=imApp,dc=example,dc=org', filter = 'uid={0}' Found DN: cn=user1,ou=people,ou=imApp,dc=example,dc=org Attempting to bind as cn=user1,ou=people,ou=imApp,dc=example,dc=org Removing pooling flag for user cn=user1,ou=people,ou=imApp,dc=example,dc=org Retrieving attributes login attempt was unsuccessful – marklw16 Jun 12 '13 at 09:33