
My LDAP authentication does not work. Here is the relevant part of the application file:

```yaml
port: 8080
authentication: ldap
admin-groups: admins
users:
  - name: admin
    password: password
    groups: admins
  - name: user
    password: password
    groups: users
ldap:
  url: ldap://10.16.1.30:636/cn=IDT_Benutzer,ou=Gruppen,ou=IDT,dc=cit,dc=global
  user-dn-pattern: uid={0}
  user-search-filter: (sAMAccountName={0})
  group-search-base: cn=user
  group-search-filter: (member={0})
  manager-dn: cn=ldap-shiny,dc=cit,dc=global
  manager-password: xxxxxxxxxxxxxxx
```

The log-file has the following information:

```
2023-02-28 20:59:12.621  INFO 2664870 --- [ XNIO-1 task-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 9 ms
2023-02-28 21:00:36.925 DEBUG 2664870 --- [ XNIO-1 task-5] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: wilczewski@cit.global
2023-02-28 21:00:36.929 DEBUG 2664870 --- [ XNIO-1 task-5] o.s.s.l.a.BindAuthenticator : Attempting to bind as uid=wilczewski@cit.global,cn=IDT_Benutzer,ou=Gruppen,ou=IDT,dc=cit,dc=global
2023-02-28 21:00:36.975 ERROR 2664870 --- [ XNIO-1 task-5] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: LDAP connection has been closed
	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206) ~[spring-security-ldap-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85) ~[spring-security-ldap-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
```

Can anyone give me some guidance on locating the fault? Many thanks

  • This is probably the problem: `ldap://10.16.1.30:636`. Port 636 is LDAPS (LDAP over SSL). The name on the SSL cert must match the domain name you're using, but you're not using a domain name to connect - you're using an IP address. So that will always fail. You may also need to use `ldaps://`. I'm not a Java developer, so I can't help, but this might help: https://stackoverflow.com/q/28856960/1202807 – Gabriel Luci Feb 28 '23 at 21:02
  • I'm thinking that you should not have the `cn=IDT_Benutzer` in the `url`. – Doug Grove Feb 28 '23 at 21:56
  • As @DougGrove mentioned, by setting `url: ldap://10.16.1.30:636/cn=IDT_Benutzer,ou=Gruppen,ou=IDT,dc=cit,dc=global`, you define a default search base `cn=IDT_Benutzer,ou=Gruppen,ou=IDT,dc=cit,dc=global`, but it's a leaf entry (there is no entry to match in the DIT under this entry), so it won't work. The common approach is to target everything under the domain components, i.e. `url: ldap://10.16.1.30:636/dc=cit,dc=global`, and to set specific bases _relative to that default base_ for users (i.e. `user-search-base: ou=Users,ou=IDT`) and groups (i.e. `group-search-base: ou=Gruppen,ou=IDT`). – EricLavault Mar 01 '23 at 12:51
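The points raised in the comments (plaintext `ldap://` against the LDAPS port, an IP literal where TLS hostname verification needs a name, and a single group entry used as the base DN) can be checked statically before touching the server. The script below is an added example, not code from the question, the comments or Spring Security: it parses the `url`, reproduces the bind DN that `BindAuthenticator` logs (pattern with `{0}` substituted, appended to the base DN from the URL), reports the three findings, and emits a corrected `ldap:` section along the lines EricLavault suggests. The host name `ldap.cit.global` and the user OU `ou=Users,ou=IDT` used in the corrected config are assumptions for illustration, not values from the page.

```python
"""Added example, not code from the question or from Spring Security: statically
check the `ldap:` section of an application.yml like the one above and show the
bind DN that Spring's BindAuthenticator builds from `url` + `user-dn-pattern`.
The host name and user OU passed to corrected_config() are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

LDAPS_PORT = 636

# The ldap: section as posted in the question (manager password redacted there too).
QUESTION_CFG = {
    "url": "ldap://10.16.1.30:636/cn=IDT_Benutzer,ou=Gruppen,ou=IDT,dc=cit,dc=global",
    "user-dn-pattern": "uid={0}",
    "user-search-filter": "(sAMAccountName={0})",
    "group-search-base": "cn=user",
    "group-search-filter": "(member={0})",
    "manager-dn": "cn=ldap-shiny,dc=cit,dc=global",
    "manager-password": "xxxxxxxxxxxxxxx",
}


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str  # DN part of the URL; Spring uses it as the base for every DN


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 4516 style LDAP URL into scheme, host, port and base DN."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    port = parts.port or (LDAPS_PORT if parts.scheme == "ldaps" else 389)
    return LdapUrl(parts.scheme, parts.hostname or "", port,
                   unquote(parts.path.lstrip("/")))


def bind_dn(url: str, user_dn_pattern: str, username: str) -> str:
    """DN BindAuthenticator binds with: {0} in the pattern replaced by the login
    name, then made relative to the base DN from the URL (cf. the log line)."""
    base = parse_ldap_url(url).base_dn
    rdn = user_dn_pattern.replace("{0}", username)
    return f"{rdn},{base}" if base else rdn


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_config(cfg: dict) -> list[str]:
    """Findings for the ldap: section; an empty list means no check fired."""
    findings = []
    u = parse_ldap_url(cfg["url"])
    if u.scheme == "ldap" and u.port == LDAPS_PORT:
        findings.append("ldap:// on port 636: 636 is the LDAPS port, the server "
                        "expects a TLS handshake and drops a plaintext bind; "
                        "use ldaps://")
    if u.scheme == "ldaps" and is_ip_literal(u.host):
        findings.append(f"ldaps:// to IP literal {u.host}: the server certificate "
                        "must list that IP as a SAN or hostname verification "
                        "fails; connect by DNS name")
    first_rdn = u.base_dn.split(",", 1)[0]
    if first_rdn.lower().startswith("cn="):
        findings.append(f"url base DN starts with {first_rdn}: that is one "
                        "(group) entry, not a subtree, yet every user DN is "
                        "built under it; put the domain root in the url and "
                        "use user-search-base / group-search-base for subtrees")
    return findings


def corrected_config(cfg: dict, ldap_host: str, user_base: str) -> dict:
    """Apply the fixes from the comments: ldaps:// by DNS name, only the dc=
    components as base, the OUs below the leading cn= as the relative group
    search base. ldap_host and user_base are caller-supplied assumptions."""
    u = parse_ldap_url(cfg["url"])
    rdns = u.base_dn.split(",")
    root = ",".join(r for r in rdns if r.lower().startswith("dc="))
    subtree = rdns[1:] if rdns[0].lower().startswith("cn=") else rdns
    group_base = ",".join(r for r in subtree if not r.lower().startswith("dc="))
    fixed = dict(cfg)
    fixed["url"] = f"ldaps://{ldap_host}:{LDAPS_PORT}/{root}"
    fixed["user-search-base"] = user_base
    fixed["group-search-base"] = group_base
    return fixed


if __name__ == "__main__":
    print(bind_dn(QUESTION_CFG["url"], QUESTION_CFG["user-dn-pattern"],
                  "wilczewski@cit.global"))
    for finding in check_config(QUESTION_CFG):
        print("-", finding)
    for key, value in corrected_config(QUESTION_CFG, "ldap.cit.global",
                                       "ou=Users,ou=IDT").items():
        print(f"{key}: {value}")
```

Run as is, the first line printed is exactly the DN from the `Attempting to bind as` log entry, which is the quickest way to confirm that the base DN in `url` is being prepended to the `uid={0}` pattern. The corrected section still needs the server's real DNS name and a certificate chain the JVM trusts; that part cannot be checked offline.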
