{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 做个烂人 的问题《FailedLoginException encountered when using JAAS L》','https://www.manongdao.com/q-359565.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm pulling my hair out try to get LDAP authentication to work with Active Directory.
We've just setup a SharePoint Server 2010 and we thought it would be a good idea to also authenticate users against the Active Directory given it's already there for SharePoint. Our environment is Windows Server 2008 R2 Standard.
I have one user with username of ahsieh@rdl.com.tw
According to this answer https://serverfault.com/a/130556 my provider URL should be ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw (note that instead of using the hostname of vm-sps.rdl.com.tw, I've elected to use the IP address as I've not had the time to configure DNS entry for the said server)
Just to be sure, I've run the dsquery command on the server:
However, I just can't get the authentication work. I've tried all three type of JAAS config as per LdapLoginModule API
Below are the errors I encounter:
1. Search-first mode:
NOTE: I've NOT specified authzIdentity as I don't have that setup on AD
JAAS Config:
AESLogin_AD1 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
userFilter="(&(uid={USERNAME})(objectClass=User))"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] search-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] searching for entry belonging to user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry
2. Authentication-first mode
JAAS Config:
AESLogin_AD2 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap:///CN=Users,DC=rdl,DC=com,DC=tw"
authIdentity="{USERNAME}"
userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap:///CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
3. Authentication-only mode
NOTE: I've NOT specified authzIdentity as I don't have that setup on AD
JAAS Config:
AESLogin_AD3 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389"
authIdentity="CN={USERNAME},CN=Users,DC=rdl,DC=com,DC=tw"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot bind to LDAP server
I've also tried another config based on some examples I've come across on the internet:
4. Config from other example
JAAS Config:
AESLogin_AD4 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
authIdentity="{USERNAME}"
useSSL=false
debug=true;
};
Result:
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh@rdl.com.tw
[LdapLoginModule] cannot create LdapPrincipal: bad DN
[LdapLoginModule] authentication failed
[LdapLoginModule] aborted authentication
javax.security.auth.login.FailedLoginException: Cannot create LdapPrincipal
NOTE: My fourth trial seems to show slight progress, as at least LDAP binding seems to work but now the issues seems to be cannot create LdapPrincipal: bad DN
I've gone into the source code for LdapLoginModule and by matching the debug message, seems this was caused by (starting Line 837):
try {
ldapPrincipal = new LdapPrincipal(dn);
} catch (InvalidNameException e) {
if (debug) {
System.out.println("\t\t[LdapLoginModule] " +
"cannot create LdapPrincipal: bad DN");
}
throw (LoginException)
new FailedLoginException("Cannot create LdapPrincipal")
.initCause(e);
}
And based on the LdapPrincipal API, InvalidNameException is thrown If a syntax violation is detected, but I have no idea where the syntax violation is.
Nor have I any idea how to debug this.
Any help will be much appreciated! Thanks!
I've gone through many more articles on the net and finally found the solution from Bonitasoft's Q&A JAAS config for Active Directory LDAP
JAAS Config:
Result: