Ldap Error:

110 views
Skip to first unread message

Juan López

unread,
Aug 31, 2021, 9:58:24 AM8/31/21
to DSpace Technical Support

Hi!

I'm trying to set my LDAP authentication, I've already followed what the documentation says here: https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-LDAPAuthentication
But, now when I try to log in with my institutional user, Dspace throws this error:


2021-08-24 09:29:15,622 INFO org.dspace.authenticate.LDAPAuthentication @ anonymous::auth:attempting trivial auth of user=juanfelipe.lopezf 2021-08-24 09:29:15,626 WARN org.dspace.authenticate.LDAPAuthentication @ anonymous::ldap_authentication:type=failed_auth javax.naming.AuthenticationException\colon; [LDAP\colon; error code 49 - 80090308\colon; LdapErr\colon; DSID-0C090439, comment\colon; AcceptSecurityContext error, data 52e, v4563] 2021-08-24 09:29:15,626 INFO org.dspace.authenticate.LDAPAuthentication @ anonymous::failed_login:no DN found for user juanfelipe.lopezf 2021-08-24 09:29:15,626 INFO org.dspace.authenticate.PasswordAuthentication @ anonymous::authenticate:attempting password auth of user=juanfelipe.lopezf 2021-08-24 09:29:15,627 INFO org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=juanfelipe.lopezf, result=2 2021-08-24 09:29:15,627 ERROR org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401) org.springframework.security.authentication.BadCredentialsException: Login failed at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticateNewLogin(EPersonRestAuthenticationProvider.java:108) ~[classes/:7.0-beta5] at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticate(EPersonRestAuthenticationProvider.java:71) ~[classes/:7.0-beta5] at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.dspace.app.rest.security.StatelessLoginFilter.attemptAuthentication(StatelessLoginFilter.java:56) [classes/:7.0-beta5] at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.dspace.app.rest.security.StatelessAuthenticationFilter.doFilterInternal(StatelessAuthenticationFilter.java:101) [classes/:7.0-beta5] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:141) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE] at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.45] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.45] at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.45] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.45] at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:128) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE] at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:66) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE] at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:103) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:121) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.45] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.45] at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.45] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.45] at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) [log4j-web-2.13.3.jar:2.13.3] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.45] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.45] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [catalina.jar:9.0.45] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [catalina.jar:9.0.45] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [catalina.jar:9.0.45] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [catalina.jar:9.0.45] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.45] at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) [catalina.jar:9.0.45] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:9.0.45] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [catalina.jar:9.0.45] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-coyote.jar:9.0.45] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:9.0.45] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-coyote.jar:9.0.45] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707) [tomcat-coyote.jar:9.0.45] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.45] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.45] at java.lang.Thread.run(Thread.java:829) [?:?]

In my browser console I got a HTTP ERROR 401 when I try to login with my LDAP credentials.

To produce this error all I did was:

  1. Configure LDAP in DSPACE 7.
  2. Try To login with an user registered in your LDAP.

Hope you guys can guide me through a solution... I asked in the "tech-support" slack channel and github, but didn't get a response.

Mark H. Wood

unread,
Aug 31, 2021, 11:16:23 AM8/31/21
to dspac...@googlegroups.com
On Tue, Aug 31, 2021 at 06:58:24AM -0700, Juan López wrote:
> I'm trying to set my LDAP authentication, I've already followed what the
> documentation says here:
> https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-LDAPAuthentication
> But, now when I try to log in with my institutional user, Dspace throws
> this error:
>
>
> 2021-08-24 09:29:15,622 INFO org.dspace.authenticate.LDAPAuthentication @
> anonymous::auth:attempting trivial auth of user=juanfelipe.lopezf
> 2021-08-24 09:29:15,626 WARN org.dspace.authenticate.LDAPAuthentication @
> anonymous::ldap_authentication:type=failed_auth
> javax.naming.AuthenticationException\colon; [LDAP\colon; error code 49 -
> 80090308\colon; LdapErr\colon; DSID-0C090439, comment\colon;
> AcceptSecurityContext error, data 52e, v4563] 2021-08-24 09:29:15,626 INFO
> org.dspace.authenticate.LDAPAuthentication @ anonymous::failed_login:no DN
> found for user juanfelipe.lopezf 2021-08-24 09:29:15,626 INFO

Within the LDAP context that you specified as the value of
authentication-ldap.object_context, there is no object which has
"juanfelipe.lopezf" as a value of the attribute named by the value you
have set on "authentication-ldap.id_field".

We don't use LDAP here but, if we did, I would check that the value of
authentication-ldap.id_field is the name of the attribute which holds
the user object's name ("uid", "cname", or whatever you use at your
site). I would check that authentication-ldap.object_context names
the context in which the juanfelipe.lopezf object is defined. I would
check that any commas in these values are escaped as shown in the page
that you mentioned above.

If that is all correct, you might post the complete content of your
'config/modules/authentication-ldap.cfg' (with any passwords removed)
and a complete sample user object from your LDAP directory, such as
may be produced using 'ldapsearch'.

The information at
https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-DebuggingLDAPconnectionandconfiguration
may be helpful.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
signature.asc

Tim Donohue

unread,
Aug 31, 2021, 5:15:45 PM8/31/21
to Juan López, DSpace Technical Support
Hi Juan,

The main error there says "failed_login:no DN found for user [username]".

The DSpace error you are seeing is occurring BEFORE it even checks the login...which tends to imply that one of your configurations may be wrong (either the "search.user", "search.password", "object_context" or "id_field" perhaps?).  Here's the code that returns that error: https://github.com/DSpace/DSpace/blob/main/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java#L246-L251
(notice that error happens BEFORE DSpace even tries to call "ldapAuthenticate()")

So, have you tried similar settings using "ldapsearch" or another basic LDAP tool to verify they work from the machine which is running DSpace? 

My guess is this may be a configuration issue...but, every LDAP is different (and I cannot claim to be an LDAP expert), so it's really hard to tell you exactly which configuration may be wrong.

Good luck,

Tim


From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of Juan López <juanlop...@gmail.com>
Sent: Tuesday, August 31, 2021 8:58 AM
To: DSpace Technical Support <dspac...@googlegroups.com>
Subject: [dspace-tech] Ldap Error:
 
--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/02d1a9de-1be8-4d5a-9b3c-7defda28fbddn%40googlegroups.com.

Juan López

unread,
Sep 2, 2021, 12:17:29 PM9/2/21
to DSpace Technical Support
Ok, so I've modified my ldap config with the information that I use in my dspace 6.3 dev server, however I'm getting the same error 🤔

This is my ldap configuration:

authentication-ldap.enable = true
authentication-ldap.autoregister = true
authentication-ldap.provider_url = ldap://myldap.edu/
authentication-ldap.id_field = cn
authentication-ldap.search_context = DC=UNIVERSITY\,DC=EDU
authentication-ldap.email_field = 
authentication-ldap.surname_field = sn
authentication-ldap.givenname_field = givenName
authentication-ldap.phone_field = telephoneNumber
authentication-ldap.search_scope = 2
authentication-ldap.search.anonymous = false
authentication-ldap.search.user = CN=ldap\,OU=Cuentas\ de\ servicio\,OU=No\ administradas\,OU=UNIVERSITY\,DC=UNI\,DC=EDU
authentication-ldap.search.password = password
authentication-ldap.netid_email_domain = \@unversity\.edu.co

and here is my authentication.cfg:
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
                        org.dspace.authenticate.LDAPAuthentication,\
                        org.dspace.authenticate.PasswordAuthentication










Juan López

unread,
Sep 2, 2021, 12:37:41 PM9/2/21
to DSpace Technical Support
I forgot to mention, my "ldapsearch" works perfectly if I run a:

ldapsearch -x -H ldap:// myldap.edu/ -D "CN=ldap,OU=Cuentas de servicio,OU=No administradas,OU= UNIVERSITY,DC=UNI,DC=EDU" -b "DC= UNIVERSITY,DC=EDU" -W

Juan López

unread,
Sep 2, 2021, 1:47:58 PM9/2/21
to DSpace Technical Support
Found the error!

There is no need to escape the spaces in this line:
  •  authentication-ldap.search.user = CN=ldap\,OU=Cuentas\ de\ servicio\,OU=No\ administradas\,OU=UNIVERSITY\,DC=UNI\,DC=EDU 
Thank you guys for the support!!

El jueves, 2 de septiembre de 2021 a las 11:17:29 UTC-5, Juan López escribió:
Reply all
Reply to author
Forward
0 new messages