
I currently have a Spring-boot application that is taking Employee data from Active Directory, and displaying them as JSON.

However, I don't want to link directly to Active Directory, I would like to use Active Directory Lightweight services.

I assumed I could just set up the connection and connect in the same way, but I keep getting an error 49 (invalid credentials). I am using the same credentials that work on Active Directory.

This is the Spring.xml configuration credentials:

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="ldap://example.com:389" />
        <property name="base" value="DC=example,DC=com" />
        <property name="userDn" value="jsmith@example.com" />
        <property name="password" value="password" />
    </bean>

    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="contextSource" />
        <property name="ignorePartialResultException" value="true" />
    </bean>

If I try and change the url to the AD LDS url (that uses localhost), I get an Ldap error 49. Does anybody have experience with these technologies? Please help.

EDIT:

If I try to use my Active directory domain username I get:

The authentication failed
 - [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903C4, comment: AcceptSecurityContext error, data 2030, v295a

If I try and use the userDN I get:

The authentication failed
 - [LDAP: error code 80 - 80090304: LdapErr: DSID-0C0903C4, comment: AcceptSecurityContext error, data 20ee, v295a
  • Did you try connecting to AD LDS using an LDAP browser like Apache Directory Studio ? – Roshith Dec 06 '16 at 09:39
  • Yes I have. It does not allow me to get in there either. However, if I use Softerra's LDAP browser, and use the "current user" credentials, I can get in. If I try and manually add my credentials in the Softerra browser, it also complains. – Razor88 Dec 06 '16 at 09:54
  • Please update the question with the complete error stack. The error code 49 has associated sub error codes like 532, 533 etc. to indicate the specific cause of the error, say account disabled, password expired. – Roshith Dec 06 '16 at 11:36
  • Ok I have done that now. – Razor88 Dec 06 '16 at 12:16

2 Answers

You need to provide the complete DN of the user as "userDn", like cn=jsmith@example.com,ou=xyz,dc=abc,dc=com.


I just ran into this issue myself and was able to resolve it. The issue I had was a result of my AD LDS being configured with SASL, so doing a simple bind did not work. For a clarification of SASL, see the LDAPv3 authentication methods rfc2829 (section 6.1).

I'll walk through setting up a connection using Apache Directory Studio, but I'm sure the Spring docs describe how to configure SASL for your connection.

Configure connection to server

In my test lab, I'm not securing with TLS so I'm able to just bind to 389.

Configure authentication

When configuring authentication, you want to select the SASL method that is supported by your LDAPv3 server (my AD LDS supported DIGEST-MD5). Enter your credentials for the user and password (I was able to use the full DN like provided in the screenshot, as well as just the cn). When using the DIGEST-MD5 authentication method, you'll also have to provide a SASL Realm under SASL Settings. This is the realm of the Principal being used to bind.

If you want to check the supported SASL methods for your LDAP server (like AD LDS), you can use the ldp.exe (or Softerra) tool to retrieve bind metadata and look for the supported LDAP SASL methods.
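The same two steps in Spring LDAP's Java API, as an added example that is neither the poster's code nor the Spring project's own: first read the rootDSE's supportedSASLMechanisms attribute (the bind metadata ldp.exe shows), then build the contextSource from the question with DIGEST-MD5 and a SASL realm instead of a simple bind. The URL, base, user, password and realm values are assumed lab placeholders; `DigestMd5DirContextAuthenticationStrategy` and the `java.naming.security.sasl.realm` JNDI property are the standard Spring LDAP and JNDI names.

```java
import java.util.HashMap;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DigestMd5DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;

public class AdLdsSaslBind {

    // Step 1: read the rootDSE anonymously (no base DN, no bind) to see which SASL
    // mechanisms the server advertises before choosing a bind method.
    static String supportedSaslMechanisms(String url) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // assumed: "ldap://localhost:389"
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attribute mechs = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"})
                                 .get("supportedSASLMechanisms");
            return mechs == null ? "(none advertised)" : mechs.toString();
        } finally {
            ctx.close();
        }
    }

    // Step 2: the Spring context source with DIGEST-MD5 in place of the simple bind.
    // All five arguments are placeholder lab values supplied by the caller.
    static LdapTemplate digestMd5Template(String url, String base, String user,
                                          String password, String realm) throws Exception {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setBase(base);
        cs.setUserDn(user);      // full DN or just the cn, as in the answer above
        cs.setPassword(password);
        cs.setAuthenticationStrategy(new DigestMd5DirContextAuthenticationStrategy());
        HashMap<String, Object> env = new HashMap<>();
        env.put("java.naming.security.sasl.realm", realm); // DIGEST-MD5 needs the realm
        cs.setBaseEnvironmentProperties(env);
        cs.afterPropertiesSet();
        LdapTemplate template = new LdapTemplate(cs);
        template.setIgnorePartialResultException(true);   // same setting as the question's XML
        return template;
    }
}
```

Calling `supportedSaslMechanisms("ldap://localhost:389")` before `digestMd5Template(...)` tells you whether DIGEST-MD5 is even on offer; if it is not, a failed bind still comes back as error 49, so check the list first rather than the credentials.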