Spring Security LDAP plugin authentication problems

themarchoffolly
I'm testing out the spring-security-ldap plugin with Grails 1.3.5, starting with an attempt to simply authenticate an LDAP user. Any attempt to log in an LDAP user fails, so I've enabled logging for org.springframework.security to try and see what's happening. Here's the trace for a failing login:

authentication.ProviderManager Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
authentication.LdapAuthenticationProvider Processing authentication request for user: hnelson
search.FilterBasedLdapUserSearch Searching for user 'hnelson', with user search [ searchFilter: '(uid={0})', searchBase: 'o=sevenSeas', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
ldap.SpringSecurityLdapTemplate Searching for entry in under DN '', base = 'o=sevenSeas', filter = '(uid={0})'
ldap.SpringSecurityLdapTemplate Found DN: cn=Horatio Nelson,ou=people,o=sevenSeas
authentication.BindAuthenticator Attempting to bind as cn=Horatio Nelson,ou=people,o=sevenSeas
ldap.DefaultSpringSecurityContextSource Removing pooling flag for user cn=Horatio Nelson,ou=people,o=sevenSeas
userdetails.DefaultLdapAuthoritiesPopulator Getting authorities for user cn=Horatio Nelson,ou=people,o=sevenSeas
userdetails.DefaultLdapAuthoritiesPopulator Searching for roles for user 'hnelson', DN = 'cn=Horatio Nelson,ou=people,o=sevenSeas', with filter uniquemember={0} in search base 'ou=groups'
ldap.SpringSecurityLdapTemplate Using filter: uniquemember=cn=Horatio Nelson,ou=people,o=sevenSeas
authentication.ProviderManager Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
rememberme.TokenBasedRememberMeServices Interactive login attempt was unsuccessful.
rememberme.TokenBasedRememberMeServices Cancelling cookie
web.DefaultRedirectStrategy Redirecting to '/dap/login/authfail?login_error=1'
context.SecurityContextPersistenceFilter SecurityContextHolder now cleared, as request processing completed

It seems to start off as expected using the LdapAuthenticationProvider, it even finds the DN indicated by the username on the login.  The trace then indicates that it is attempting to authenticate with the DaoAuthenticationProvider which I assume is destined to fail as there are no users in my application database.

Does anyone have any ideas about what might be going on here?

Here's the security configuration in my Config.groovy:

grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.test.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.test.UserRole'
grails.plugins.springsecurity.authority.className = 'com.test.Role'
grails.plugins.springsecurity.ldap.authenticator.useBind = true
grails.plugins.springsecurity.ldap.context.server = 'ldap://localhost:10389'
grails.plugins.springsecurity.ldap.search.base = 'o=sevenSeas'
grails.plugins.springsecurity.ldap.search.searchSubtree = true
grails.plugins.springsecurity.ldap.authorities.retrieveGroupRoles = true
grails.plugins.springsecurity.ldap.context.anonymousReadOnly = true
grails.plugins.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = 'ou=groups'
grails.plugins.springsecurity.password.algorithm = 'SHA'


David





--
"When we remember we are all mad, the mysteries disappear and life stands explained." ~Twain

Re: Spring Security LDAP plugin authentication problems

themarchoffolly
Bump. Maybe Burt, can you shed any light on what might be going on here? From the logs below it shows that the steps to authenticate the LDAP user are working (connects to LDAP server, finds matching user's DN in the tree) but then for some reason it's the DaoAuthenticationProvider that is finally used to authenticate the LDAP user, which means the login fails.

Any ideas?
David


Re: Spring Security LDAP plugin authentication problems

GeoffM
I had problems getting LDAP authentication to work - turned out that some of the defaults were the problem. Setting these did the trick:
grails.plugins.springsecurity.ldap.context.managerDn = ''
grails.plugins.springsecurity.ldap.context.managerPassword = ''

One other observation is that no roles appear to have been found - probably a red-herring.

Hope this helps .......... Geoff


Re: Spring Security LDAP plugin authentication problems

themarchoffolly
Thanks Geoff, turns out your red-herring thought was in fact spot on. The value of my ldap.authorities.groupSearchBase seemed to be the root cause of the problem.

Now authenticating. Thanks again.

David


removeFrom not working with a HasMany relationship

Alexander Scott

I have a SystemMessage domain object that has many Users it is visible to;

class SystemMessage extends PublishableMessage {
    static hasMany = [recipients: User]
}

Now once I have a SystemMessage with multiple users, I try and remove a user once they have read the message;

SystemMessage message = SystemMessage.get(Long.parseLong(params.id))
message.removeFromRecipients(user)

Unfortunately the removeFromRecipients does not seem to work. I assume this is because the SystemMessage.recipients is not a list of ‘proper’ GORM objects – i.e. Message.recipients is a Hibernate PersistentSet?

I see in Grails JIRA bug #5778 that Burt Beckwith suggests adding equals and hashcode overrides to the User object, but for some reason that is causing some weird errors in my webapp. So are there any other workarounds for this issue?

Regards, Alex.


RE: removeFrom not working with a HasMany relationship - workaround

Alexander Scott

As usual, I got a workaround working 5 minutes after sending the original email.

As already stated in GRAILS-5778;

        SystemMessage message = SystemMessage.get(Long.parseLong(params.id))
        User user = message.recipients.find { it.id == authenticateService.userDomain().id }
        message.removeFromRecipients(user)

This works. Notice the icky 2nd line that grabs the user out of the collection.

Regards, Alex.

 


RE: removeFrom not working with a HasMany relationship - workaround

burtbeckwith
The best thing to do is implement equals and hashCode on any class that's contained in a hash-based collection. This includes domain classes in a 1-many and non-domain classes. The problem here is that you're comparing proxies and non-proxies and a proper equals/hashCode fixes the problem.

Burt
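
Added example (not from this thread or from the Grails project): the equals/hashCode approach recommended in the reply above, shown in plain Groovy so it runs without Grails or Hibernate. The `username` business key, the `IdentityUser` contrast class, the `removeRecipient` helper and the `UserProxyStandIn` subclass that imitates a lazy proxy are all assumptions made for illustration.

```groovy
// Added illustration: plain Groovy, no Grails or Hibernate on the classpath.
// Assumptions: 'username' is a unique business key; UserProxyStandIn only
// imitates how a lazy proxy subclasses the entity and delegates its getters.

class IdentityUser {                 // inherits Object.equals/hashCode (identity)
    Long id
    String username
}

class User {
    Long id
    String username

    @Override
    boolean equals(Object other) {
        if (this.is(other)) return true
        // instanceof rather than getClass() ==, since a proxy is a subclass
        if (!(other instanceof User)) return false
        // use getters so a proxy can resolve the value from its target
        return getUsername() == ((User) other).getUsername()
    }

    @Override
    int hashCode() {
        String key = getUsername()
        return key == null ? 0 : key.hashCode()
    }
}

class UserProxyStandIn extends User {
    User target
    @Override String getUsername() { target.getUsername() }
    @Override Long getId() { target.getId() }
}

// Returns true when 'candidate' was found in, and removed from, the set.
boolean removeRecipient(Set recipients, Object candidate) {
    recipients.remove(candidate)
}

// Without equals/hashCode: a second object for the same row is not found.
def stored = new IdentityUser(id: 1L, username: 'alice')      // constructed sample
def sameRow = new IdentityUser(id: 1L, username: 'alice')
Set before = [stored] as Set
assert !removeRecipient(before, sameRow)
assert before.size() == 1

// With equals/hashCode: the proxy stand-in matches the stored instance.
def real = new User(id: 1L, username: 'alice')
Set recipients = [real] as Set
assert removeRecipient(recipients, new UserProxyStandIn(target: real))
assert recipients.isEmpty()

// Symmetry holds in both directions, as the equals contract requires.
assert real == new UserProxyStandIn(target: real)
assert new UserProxyStandIn(target: real) == real
```

The key used in equals and hashCode should be a property that is unique and does not change while the object sits in a hash-based collection.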
