Spring ActiveDirectoryLdapAuthenticationProvider handleBindException - Supplied password was invalid error

Question

We are trying to use Spring security for authenticating against our enterprise LDAP. I'm using ActiveDirectoryLdapAuthenticationProvider. Below is the snippet from the Spring config file:

<security:authentication-manager erase-credentials="true">
    <security:authentication-provider  ref="ldapActiveDirectoryAuthProvider"/>
</security:authentication-manager>

<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="DC=xxx,DC=ds,DC=yyy,DC=com" />  
<constructor-arg value="ldap://xxx.ds.yyy.com:389" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>

I'm getting: ActiveDirectoryLdapAuthenticationProvider handleBindException Active Directory authentication failed: Supplied password was invalid error.

My understanding is that, this is because LDAP bind is failing as it is looking for userDN/credentials. How do we specify this information in the configuration file?

Prior to using ActiveDirectoryLdapAuthenticationProvider, I had got this working using <ldap-authentication-provider> and DefaultSpringSecurityContextSource. I was able to specify the userDN/password while configuring the DefaultSpringSecurityContextSource bean. Can someone tell me how to specify the userDn and password while configuring using ActiveDirectoryLdapAuthenticationProvider?

Answer 1

It looks like you might be a bit confused about what ActiveDirectoryLdapAuthenticationProvider does and how to configure it. It binds using an email-like name in the form user@domain.com where domain.com is the argument you've supplied in the first constructor. It doesn't use a standard LDAP DN. This is specific to Active Directory and not part of standard LDAP. You might also want to take a look at the source and Javadoc for the class.

If you already had a standard LDAP authentication configuration working with your setup, then it's not clear why you would want to change. You're probably better sticking with what you have as it won't be directly compatible with ActiveDirectoryLdapAuthenticationProvider.