LDAP integration issue

I’m trying to configure cuba using the LDAP documentation. I’ve downloaded Jespa and start to create the AuthProvider class. However in the import, it can’t find com.haulmont.cuba.web.auth.ActiveDirectoryHelper; Is this in a different package that I need to include in the build?

These are found, just not the ActiveDirectoryHelper.
import com.haulmont.cuba.web.auth.CubaAuthProvider;
import com.haulmont.cuba.web.auth.DomainAliasesResolver;


As an add on to this issue… I’ve just modified the code to get past the class that isn’t found. Now I’m just trying to get the LDAP feature to work. I cannot get it to read in the local.app.properties file. I have in the in the tomcat/conf/app folder as well as in the web-inf directory. The app doesn’t seem to be reading from the properties file. I’ve placed breakpoints in the LDAPAuthProvider class which is supposed to be used by default if cuba.web.externalAuthentication = true. I’ve also provided cuba.web.externalAuthenticationProviderClass = com.tab.elan.web.JespaAuthProvider and placed breakpoints in there and nothing.

I’m not sure if there is something else I need to do in order for the app to read the properties file?

Ok, I’ve continued to work on this and it appears that it is reading in the file, but it won’t change
cuba.web.externalAuthentication = true
After the app comes up I’ve printed out all of the other values that I changed in the file and they display what I put in. However it prints out false for the cuba.web.externalAuthentication property for some reason.

I even used this code before printing the value and it still came back as false. Is there a hard coded setting somewhere that I have to change to allow for external authentication?

AppContext.setProperty(“cuba.web.externalAuthentication”, “true”);

Hi Kent,

It’s a bug in the latest platform version. You can work around it if you use slightly different name of the property (see capital letter):

cuba.web.ExternalAuthentication = true

Let me explain what has happened. We made some cleanup in property names recently, and for backward compatibility, we preserved the old names so their values now have priority - just in case someone uses them in production. Unfortunately, we forgot to remove the old name cuba.web.ExternalAuthentication from cuba-web-app.properties file, so now it has a priority over the new name which you are trying to use. So just use the old name until we release a bug-fix version, and switch to the new name afterward.

As for Jespa integration sample in the documentation, it indeed can be outdated due to some recent refactorings. We will check it in the next few days and let you know if there are any changes.

Thank you for reporting the issues!

Once I change the property to be cuba.web.ExternalAuthentication it no longer brings up the login screen when browsing to the app. If I go back in and remove that one property setting and restart tomcat it’ll let me get to the login screen again.

Right now I’m just trying to get the standard LDAP to work, I’m not doing any Jespa stuff yet. Here are my properties I’m setting. I’ve removed the actual values, but there are there in the property file. Are any of these other different now as well?

cuba.web.ExternalAuthentication = true
cuba.web.ldap.urls =
cuba.web.ldap.base =
cuba.web.ldap.user =
cuba.web.ldap.password =

My assumption is that by telling it to use external authentication it would still use the same login screen and just pass the entered credentials to the LDAPAuthProvider. Is this not correct?

ok, It looks like it was an issue with it still reading in a properties file from web-inf/ folder even after I deleted it. I added the file back and made the change and now it’s working. I’m just getting and LDAP 32 error, but I think that’s probably on our side

That is correct.

I got the ldap to work. Now i’ve moved onto the Jespa portion as we’d like to have the single sign on functionality. I’m getting a classnotfound exception: jcifs.dcerpc.rpc$sid_t

Most likely a documentation issue, but hoping you could point me into the right direction until you guys get a chance to update it.

ok past that part now, just having issues with it auto logging in now. As soon as you have updated documentation on Jespa that would be great!


I’m getting this error now, any ideas?


Try to stop the app server, execute Build > Clean, Run > Deploy, then start the app server again.

Strange, I now get a successfully authenticated message in the jespa log file, but it still takes me to a login screen. The username field has my domain\username filled in, if I enter my password and hit enter the log says " successfully authenticated" again, but I get a message on the screen that says unknown user… There are no errors in the jespa log, so I’m not sure where it’s failing.

ok, looks like the NTLM was working just fine, but it couldn’t find a match in the cuba user table. Do I really need to name the user with the domain and slash before the username? I change it to domain/kllewelyn and now it works.

if you use JespaAuthProvider from CUBA documentation you need to name your users as they named in Windows domain. You can change this behavior in the JespaAuthProvider authenticate method. Default implementation supports multiple domains for CUBA application users and if you don’t need this you can add domain prefix to the userName variable in the authenticate method. Also, you need to override the App loginOnStart method and remove domain prefix from principal name provided by Jespa. Note: you can copy implementation of DefaultApp.loginOnStart method to override it in your App with necessary changes.

We will consider extending our support of Jespa with a special option in the future (something like “default domain”).

How do I tell my app to use my extension of DefaultApp?

You have the App class in the com.company.project.web package. It is a descendant of DefaultApp, so you should override the loginOnStart() method as follows:

package com.company.project.web;

import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.DefaultApp;
import com.haulmont.cuba.web.auth.ExternallyAuthenticatedConnection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class App extends DefaultApp {

    private Logger log = LoggerFactory.getLogger(App.class);

    protected boolean loginOnStart() {
        if (tryLoginOnStart &&
                principal != null
                && webAuthConfig.getExternalAuthentication()) {

            String userName = principal.getName().substring(10 /* domain name length plus 1 */);
            log.debug("Trying to login after external authentication as " + userName);
            try {
                ((ExternallyAuthenticatedConnection) connection).loginAfterExternalAuthentication(userName, locale);

                return true;
            } catch (LoginException e) {
                log.trace("Unable to login on start", e);
            } finally {
                tryLoginOnStart = false;
        return false;

Hi Kent,

Can you please guide on the changes required for basic LDAP authentication through AD to work?

I have added the file local.app.properties under WEB-INF with below contents:
cuba.web.ExternalAuthentication = true
cuba.web.ldap.urls =
cuba.web.ldap.base =
cuba.web.ldap.user =
cuba.web.ldap.password =

Values I’ v omitted in above config, but I kept it exactly as shared by Network Admin.

When I print the values through AppContext.getProperty(…), I do get all the values correctly as I configured in the log.
Is there a way to turn the debug on for Authentication to verify if it’s validating against LDAP or just internal Cuba User table?