
ldap loading authorities problem

Hello everyone!

I have tried out the new Spring Security 2.0 namespace configuration in my project and can't get the loading authorities process to work.
I would like to have some input on the issue, if I am missing something.

By reading the log file for the LDAP Server, in my case Penrose, I found out that Spring Security is doing a search for the roles/authorities with this scope and filter:

Search "ou=groups,dc=fse,dc=se" with scope one level and filter "(member=uid=anders, ou=people, dc=fse, dc=se)"

but this search doesn't find any roles for me.
However, if I change the search made above to this:

Search "ou=groups,dc=fse,dc=se" with scope one level and filter "(member=uid=anders,ou=people,dc=fse,dc=se)"

and instead use a third-party LDAP browser for the search, in my case the Java LDAP Browser, it finds the roles.

The only difference here is that I have manually removed the spaces between the different elements within the member filter.

So my question is if this is caused by Spring Security adding the spaces that I see in the LDAP server log file?
Or should I address this to a Penrose forum instead?

Here is the Spring Security configuration for my project:

HTML Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

        <http auto-config="true">
            <intercept-url pattern="/secure/extreme/**" access="ROLE_DEVELOPER"/>
            <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED"/>
            <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
        </http>

        <ldap-server url="ldap://localhost:10389/dc=fse,dc=se" manager-dn="uid=admin,ou=system" manager-password="secret"/>

        <ldap-authentication-provider group-search-base="ou=groups" group-search-filter="(member={0})"/>

        <ldap-user-service user-search-filter="(uid={0})" group-search-filter="(member={0})" group-search-base="ou=groups"/>
    </beans:beans>

With kind regards
Anders

Hello again!

Just adding the fact that the loading of authorities works for me now, if I manually change the member values to contain spaces between the different elements. But my question remains, is this normal syntax? Since the first part of the LDAP query:

"ou=groups,dc=fse,dc=se"

doesn't need to have spaces in between the elements but the second part does.

Anders

I don't know about normal syntax, but I guess it depends on whether your LDAP server is smart enough to realise that the entries in member or uniqueMember are DNs and not plain strings. Our tests run against Apache DS and we don't have a problem there, which is a bit confusing as I thought Penrose uses Apache DS. The actual string used in the search is a result of a call to getNameInNamespace() on an instance of Spring LDAP's DirContextAdapter.
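
The difference between the two searches in this thread, as an added example that is not part of the original posts or of Spring Security's code: it compares the two member values once as plain strings and once as parsed DNs using the JDK's javax.naming.ldap.LdapName. The class name, method names and the second member value are constructed for illustration.

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberDnMatch {
    // DN as it appears in the search filter logged by the LDAP server (from the thread).
    static final String SEARCHED = "uid=anders, ou=people, dc=fse, dc=se";

    // Constructed sample of member values stored on a group entry, without spaces.
    static final List<String> STORED_MEMBERS = List.of(
            "uid=anders,ou=people,dc=fse,dc=se",
            "uid=maria,ou=people,dc=fse,dc=se");

    // Server that treats member as a plain string: any spacing difference breaks the match.
    static boolean plainStringMatch(String stored, String searched) {
        return stored.equalsIgnoreCase(searched);
    }

    // DN-aware comparison: both values are parsed and compared RDN by RDN,
    // so whitespace after the separating commas is not significant.
    static boolean dnMatch(String stored, String searched) throws InvalidNameException {
        return new LdapName(stored).equals(new LdapName(searched));
    }

    // Re-serialise a DN with no spaces after the commas, for servers that only
    // do plain string matching on member values.
    static String compact(String dn) throws InvalidNameException {
        List<Rdn> rdns = new LdapName(dn).getRdns(); // index 0 is the rightmost RDN
        StringBuilder sb = new StringBuilder();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            sb.append(rdns.get(i).toString());
            if (i > 0) {
                sb.append(',');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println("searched DN : " + SEARCHED);
        System.out.println("compact form: " + compact(SEARCHED));
        for (String member : STORED_MEMBERS) {
            System.out.printf("%-36s plain=%-5b dn=%b%n",
                    member, plainStringMatch(member, SEARCHED), dnMatch(member, SEARCHED));
        }
    }
}
```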