
There are other similar posts here, but none of them have answers that worked for me.

I have a Spring Boot application where I am trying to use LDAP authentication. When I input an invalid username, I get "bad credentials", and the logs say "Failed to bind with any user DNs []".

When I input a valid username but the wrong password, I get "bad credentials" once again and the log says "Found DN...", then "Found user... using FilterBasedLdapUserSearch", then "Failed to find user using FilterBasedLdapUserSearch".

That seems fine, but the weird thing is that when I input valid credentials, I get "Found user ...", then "Got Ldap context on server", then "Bound user", implying everything worked successfully, but then it throws the error:

Bound cn=Firstname Lastname,ou=place,dc=place,dc=local

The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to
true

Got Ldap context on server

Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

"org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310021F, problem 2001 (NO_OBJECT), data 0, best match of:
    ''

(I added a few lines before for context)

It doesn't make sense that the user was not found in the context, as the error suggests, because it was clearly found (the correct user was found and bound, and more information than I gave was printed in the logs).

Some possible causes of errors are that the Distinguished Name of the users (specifically the cn) is just the full name and has a space in it (maybe that can cause a parsing error, I'm not sure). I am searching based on a different parameter, which is basically just the account name (not sure if that is causing something as well). Also, to get access to the LDAP server, the only managerDN that has worked for me is not even in DN format. You will see what I mean later, but if I make any change to spring.ldap.username in application.properties (the thing that binds to managerDN), I get an LDAP error 49 with data 52e saying that I couldn't authenticate into the server at all.

Anyway, here is the relevant code:


@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // LDAP info from application.properties
    @Value("${spring.ldap.userDnPatterns}")
    private String userDnPatterns;

    @Value("${spring.ldap.urls}")
    private String ldapURL;
    
    @Value("${spring.ldap.base}")
    private String ldapBase;

    @Value("${spring.ldap.username}")
    private String ldapManagerDn;

    @Value("${spring.ldap.password}")
    private String ldapManagerPassword;

    @Autowired
    public void configure (AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .contextSource()
                    .url(ldapURL)
                    .managerDn(ldapManagerDn)
                    .managerPassword(ldapManagerPassword)
                    .and()
                .userSearchBase(ldapBase)
                .userSearchFilter(userDnPatterns);        
    }

    // The rest is probably not relevant -------------------------------------------------------

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers("/favicon.ico").permitAll()
            .anyRequest().authenticated()
        )
        .formLogin(formLogin -> formLogin
            .permitAll()
        )
        .logout(logout -> logout
            .logoutUrl("/logout").permitAll()
        )
        .csrf(
            csrf -> csrf.disable()
        );
        
        return http.build();
    }

}

My application.properties file looks like this, with some names changed:


spring.ldap.urls=ldap://myurl.place.local:389
spring.ldap.base=ou=place,dc=place,dc=local
spring.ldap.userDnPatterns=(accountName={0})
spring.ldap.username=username@place.local
spring.ldap.password=********

...

All of the users are within OU=place,DC=place,DC=local, as I can see in Apache Directory Studio:

DIT
  Root DSE
    DC=place,DC=local
      ...
      OU=place
        CN=Firstname Lastname
        CN=Firstname Lastname

If I copy the DN for any of these users, I get CN=Firstname Lastname,OU=place,DC=place,DC=local, and they have a property called accountName, which is what they log in with.

Last note: if I open a bash shell and run

ldapsearch -x -b "ou=place,dc=place,dc=local" -H ldap://myurl.place.local:389 -D "username@place.local" -W 'accountName=otherUserName'

it succeeds and returns all the details of the correct user.

  • I had similar issues some years ago. I solved it with Wireshark. It helped me find the difference in my Spring-boot call from what ldapsearch did. I can't remember what it was. – Sam Jun 10 '23 at 18:10
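A stand-alone check that isolates the two steps the `ldapAuthentication()` chain performs (search for the user with the manager account, then bind as the DN that was found) can be useful when the Spring Security logs alone are ambiguous. The class below is an added example written for this page, not code from the question or from the Spring projects; it assumes `spring-ldap-core` is on the classpath, takes the URL, search base and manager account from the question's `application.properties`, assumes `dc=place,dc=local` is the directory root, and reads both passwords from environment variables so nothing sensitive is hard-coded. Two points it makes explicit that the question's configuration does not: when a base is set on the `LdapContextSource`, every search base and every returned DN is relative to it (so the search base is `ou=place`, not the full DN), and building the filter with `LdapQueryBuilder.where(...).is(...)` escapes the account name, so a user-controlled login value cannot change the structure of the filter.

```java
import java.util.List;

import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQuery;

import static org.springframework.ldap.query.LdapQueryBuilder.query;

/**
 * Reproduces, outside Spring Security, the search-then-bind sequence that
 * ldapAuthentication() runs, so each step can be checked on its own.
 * Hypothetical diagnostic class; not part of the question or of Spring.
 */
public class LdapBindCheck {

    /** Context source bound with the service (manager) account. */
    static LdapContextSource contextSource(String url, String rootBase,
                                           String managerDn, String managerPassword) throws Exception {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setBase(rootBase);       // all searches and returned DNs are relative to this
        cs.setUserDn(managerDn);    // the UPN form (user@domain) is accepted by AD for a simple bind
        cs.setPassword(managerPassword);
        cs.afterPropertiesSet();    // required when the bean is not managed by Spring
        return cs;
    }

    /** Step 1: search. The filter value is escaped by is(), never concatenated by hand. */
    static List<String> findUserDns(LdapTemplate ldap, String relativeSearchBase, String account) {
        LdapQuery q = query().base(relativeSearchBase).where("accountName").is(account);
        // getDn() yields the DN relative to the context source base, e.g. "cn=Firstname Lastname,ou=place"
        return ldap.search(q, (ContextMapper<String>) ctx ->
                ((DirContextOperations) ctx).getDn().toString());
    }

    /** Step 2: bind as the user. Spring LDAP throws if no user, several users, or a bad password. */
    static boolean bindAsUser(LdapTemplate ldap, String relativeSearchBase, String account, String password) {
        try {
            ldap.authenticate(query().base(relativeSearchBase).where("accountName").is(account), password);
            return true;
        } catch (RuntimeException e) {
            System.err.println("bind failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Values taken from the question's application.properties (names already changed there).
        String url = "ldap://myurl.place.local:389";
        String rootBase = "dc=place,dc=local";                 // assumed directory root
        String searchBase = "ou=place";                        // relative to rootBase, not the full DN
        String managerDn = "username@place.local";
        String managerPassword = System.getenv("LDAP_MANAGER_PASSWORD");
        String account = args.length > 0 ? args[0] : "otherUserName";
        String password = System.getenv("LDAP_USER_PASSWORD");

        LdapTemplate ldap = new LdapTemplate(contextSource(url, rootBase, managerDn, managerPassword));

        // If step 1 returns an empty list, the search base or attribute name is wrong.
        // If it returns one DN but step 2 fails, the problem is in the bind as that DN.
        System.out.println("search result: " + findUserDns(ldap, searchBase, account));
        System.out.println("bind as user:  " + bindAsUser(ldap, searchBase, account, password));
    }
}
```

Run it with the two passwords exported in the environment and the account name as the first argument; comparing its output with the `ldapsearch` command above shows whether the search or the subsequent bind is the step that diverges from the command-line result.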
