LDAP Authentication based on Active Directory Users

I was following the Cuba documentation for release 6.1 and trying to implement AD authentication in the application.

First I would like to report some text duplication in the documentation. As per the attached screenshot (DuplicationDoc.png) you can see that the text is duplicated for points 1 & 2: “Keep and manage user passwords centrally in the LDAP database.Keep and manage user passwords centrally in the LDAP database.”

Secondly, I added the entry cuba.web.externalAuthentication = true in app.properties for the core module and created a file local.app.properties under the WEB-INF directory for the web module along with the necessary AD configurations as mentioned in the doc. But it seems authentication is not working, and also, as per the statement "To enable login, a user account with all the required properties and permissions must be created in the application. It is recommended to leave the password empty, so that the user could log in using the password from LDAP only.", I am not able to leave the password blank, as it’s validating the password & confirm password text fields under the Administration -> User -> Create screen (Attachment: PasswordRequired.png).

I’m able to log in using the local password I set for the user via the above screen but unable to authenticate using Active Directory. Kindly guide me if I got the configuration wrong or if there are any other configurations required for working with AD authentication in Cuba. Also, please update the documentation accordingly, as it’s a bit difficult to configure based on the current documentation, which doesn’t state clearly the location of the files to be updated/created for this configuration.

DuplicationDoc

PasswordRequired

Hi Shoaib,
Thank you for reporting the issues with the documentation. We will fix it ASAP.

I would recommend updating your project to the latest version 6.1.4 which was released today. It fixes the problem with the cuba.web.externalAuthentication property described here: https://www.cuba-platform.com/discuss/t/ldap-integration-issue#comment-867

Besides, you can debug the process of LDAP authentication if you set a breakpoint to the com.haulmont.cuba.web.LoginWindow#login() method and then go through authenticateExternally() method inside com.haulmont.cuba.web.auth.LdapAuthProvider#authenticate().


Hi Konstantin,

Thanks for the fix with release 6.1.4. Able to create users with blank password now.
Though I’m able to get the LDAP error in the app log, I am not able to identify if it’s still a configuration issue. It’s a bit confusing whether I have to use sAMAccountName for user creation in the Cuba User module or whether it has to be preceded with the domain name?

Getting error [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]
which is an authentication failure as per the LDAP documentation. Can you please validate if the below configuration is correct:

In local.app.properties I specified the sAMAccountName for the property cuba.web.ldap.user
Created a user from the Administration -> User menu with the sAMAccountName as the value for the login field
Tried to input the same sAMAccountName & password in the login window of the application, but I get the LDAP error data 52e (Authentication Failure).

Could you print your properties here (changing the actual values of course), because I’m not sure I understand what you specified?

Below is my local.app.properties content
cuba.web.externalAuthentication = true
cuba.web.ldap.urls = ldap://MYSERVER:MYPORT
cuba.web.ldap.base = ou=MYOU,dc=MYDOMAIN,dc=COM
cuba.web.ldap.user = USERNAME
cuba.web.ldap.password = PASSWORD

I wanted to know if cuba.web.ldap.user in the above configuration file has to be the sAMAccountName of the AD administrative user or if it has to be in a specific format such as DOMAIN slash username (MYDOMAIN/USERNAME).

Also, when creating users from the Cuba Administration -> Users menu, what format should I specify for the login name? Should it be just the sAMAccountName or does it have to be in domain slash username format (MYDOMAIN/User1)?

By the way, I tried both ways and it doesn’t work. If you have access to any dev environment, could you please test and confirm if the latest release of Cuba works with Active Directory, i.e. are you able to log in using AD users?

cuba.web.ldap.user should be the user distinguished name (principal).
For example (Konstantin Krivopustov has rights to read the directory):


cuba.web.externalAuthentication = true
cuba.web.ldap.urls = ldap://xyz.com:389
cuba.web.ldap.base = ou=Employees,dc=haulmont,dc=com
cuba.web.ldap.user = Konstantin Krivopustov
cuba.web.ldap.password = mypass

When creating users in the application, use their sAMAccountName without domain.
Sorry for the mistakes in the docs.

Thank you very much Konstantin, it worked.

Just to update for other users, in order to find the distinguished name on AD execute the below command on the AD server itself:
dsquery user -limit 1000 | dsget user -dn > C:\temp\ADUsersDN.txt
(Search for the name of the administrative user, as shared by the network admin, in the ADUsersDN.txt generated by the above command; in case the organisation hierarchy is bigger you could increase the limit in the above command.)

In my case, the distinguished name (DN) for the administrative user was as below and it worked perfectly:
cuba.web.ldap.user = CN=AdminUser1,CN=Users,DC=MYDOMAIN,DC=COM

Just to mention, the Cuba platform is very well documented and is more than enough to start using the platform, and I’m sure over time it could be enriched further for newcomers to the platform. Moreover, support on the forum is highly appreciated, as we get resolutions and workarounds from the experts here on time.
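Pulling the three lessons of this thread together (the service account in cuba.web.ldap.user must be a DN, application logins are the bare sAMAccountName, and "error code 49 ... data 52e" means invalid credentials), here is an added pre-flight check that is not part of Cuba or this thread. It parses a local.app.properties fragment with constructed placeholder values, flags the property-name and DN-format mistakes discussed above, and decodes the AD sub-code from the logged error; the sub-code table and the simplified DN pattern are my own assumptions.

```python
import re

# Constructed sample of a local.app.properties fragment (placeholder values, not a real directory).
SAMPLE_PROPERTIES = """\
cuba.web.externalAuthentication = true
cuba.web.ldap.urls = ldap://MYSERVER:389
cuba.web.ldap.base = ou=MYOU,dc=MYDOMAIN,dc=COM
cuba.web.ldap.user = CN=AdminUser1,CN=Users,DC=MYDOMAIN,DC=COM
cuba.web.ldap.password = PASSWORD
"""

# Well-known AD sub-codes that accompany LDAP result 49 (invalidCredentials) in the "data" field.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials (wrong password, or bind DN/login in wrong form)",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

# Simplified DN shape: attr=value(,attr=value)+ ; escaped commas inside values are not handled (assumption).
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,\s*[A-Za-z]+=[^,]+)+$")

def parse_properties(text):
    """Minimal key=value parser for Java .properties style content (comments start with # or !)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ldap_config(props):
    """Return a list of configuration problems; an empty list means the fragment looks usable."""
    problems = []
    if props.get("cuba.web.externalAuthentication", "").lower() != "true":
        problems.append("cuba.web.externalAuthentication (exact key, lower-case 'e') must be true")
    urls = [u.strip() for u in props.get("cuba.web.ldap.urls", "").split(",") if u.strip()]
    if not urls or not all(u.startswith(("ldap://", "ldaps://")) for u in urls):
        problems.append("cuba.web.ldap.urls must list ldap:// or ldaps:// URLs")
    if not DN_RE.match(props.get("cuba.web.ldap.base", "")):
        problems.append("cuba.web.ldap.base must be a DN, e.g. ou=...,dc=...,dc=...")
    if not DN_RE.match(props.get("cuba.web.ldap.user", "")):
        problems.append("cuba.web.ldap.user must be the service account's DN, not a plain username")
    return problems

def check_login_name(login):
    """Cuba users are created with the bare sAMAccountName: no DOMAIN\\user, DOMAIN/user or user@domain."""
    return bool(login) and not any(ch in login for ch in "\\/@")

def explain_ldap_error(message):
    """Extract result code and AD sub-code from a message like '[LDAP: error code 49 - ... data 52e, ...]'."""
    m = re.search(r"error code (\d+).*?data ([0-9a-fA-F]+)", message)
    if not m:
        return None
    code, sub = m.group(1), m.group(2).lower()
    return AD_BIND_SUBCODES.get(sub, "unknown AD sub-code " + sub) if code == "49" else "LDAP result " + code
```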