Thursday, August 05, 2010

Authentication request failed AuthenticationServiceException LDAP error code 32 NO_OBJECT

I spent a considerable amount of time today trying to get Spring Security with LDAP (Active Directory) working. The error below was showing up even though the Active Directory server was correctly authenticating the user.

2010-08-05 15:48:44,898 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - <Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT)

Looking deeper in the logs I saw a TRACE (not even an INFO level message):
Not granted any authorities

But I was a member of several groups! I added group-search-base with the same content as user-search-base (same root) to ldap-authentication-provider, and then I got authenticated and got my roles (Spring authorities, or in this case Active Directory groups) back from the server.

Below are my final *tainted* settings:

<ldap-server url="ldap://domain.com:port" manager-dn="***"
    manager-password="***" root="OU=***,dc=***,dc=***" />

<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="mail={0}"
        user-search-base="OU=***,dc=***,dc=***"
        user-context-mapper-ref="customUserDetailsContextMapper"
        group-search-base="OU=***,dc=***,dc=***"
        group-search-filter="***" />
</authentication-manager>
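The error string in the log line above can be read field by field. The following added example (not part of the original post) parses it and separates a missing-DN failure (LDAP result 32, the case here) from a rejected bind (result 49). The function names and the second sample line are constructed for illustration.

```python
import re

# LDAP result codes (RFC 4511) for the two failure modes compared here.
LDAP_RESULT = {32: "noSuchObject", 49: "invalidCredentials"}

# Matches the diagnostic text Active Directory appends to an LDAP error, e.g.
AD_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"(?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+)"
    r"(?:, problem (?P<problem>\d+) \((?P<name>\w+)\))?"
    r"(?:.*?\bdata (?P<data>[0-9A-Fa-f]+))?"
)

def parse_ad_ldap_error(line):
    """Return the fields of an AD LDAP diagnostic found in a log line, or None."""
    m = AD_ERR.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["code"] = int(f["code"])
    f["win32"] = int(f["win32"], 16)   # hex status, e.g. 0000208D -> 8333
    f["result"] = LDAP_RESULT.get(f["code"], "other")
    return f

def triage(line):
    """Classify a log line as a lookup (DN) problem or a bind problem."""
    f = parse_ad_ldap_error(line)
    if f is None:
        return "no-ldap-error"
    if f["code"] == 32:
        # A DN used as a search base does not exist: review root,
        # user-search-base and group-search-base, not the password.
        return "search-base-not-found"
    if f["code"] == 49:
        # The directory rejected the bind itself (credentials or account state).
        return "bind-rejected"
    return "other-ldap-error"

# Log text from the post, plus one constructed bind-failure line for contrast.
FROM_POST = ("AuthenticationServiceException: [LDAP: error code 32 - 0000208D: "
             "NameErr: DSID-031001A8, problem 2001 (NO_OBJECT)")
CONSTRUCTED = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
               "AcceptSecurityContext error, data 52e, v1db1]")
```

Result 32 in an authentication log therefore points at the configured search bases rather than at the user's credentials, which matches the fix described in the post.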
