Cool, thank you that does help.
So I assume you have the "Use ldap groups for authentication" unchecked? If
so what you have to do is actually redefine a user with the same name in the
default user group service. So add a new user named "testuser" in the
default user group service. You can specify a dummy password or on the user
group service settings set password encoding to "empty" and then you can
specify no password for the new user.
We hope to improve on this soon and just have a specific ldap user group
service directly.
An alternative is to check the "Use ldap groups for authentication"
checkbox on the ldap server config and then you won't have to redefine the
user, but you won't be able to assign any custom roles to that user. This
is somewhat documented here:
http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment
On Thu, Apr 12, 2012 at 6:11 AM, thegis <[email protected]> wrote:
> Hi Justin,
>
> Yes, the LDAP provider was included in the provider chain (below the
> default provider).
>
> I managed to get a more detailed log for the test connection [1] and
> the actual login attempt [2].
>
> Maybe this helps?
>
> Regards,
> Torsten
>
> [1] TEST CONNECTION
> 2012-04-12 11:56:40,306 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/web/'; against '/web/**'
> 2012-04-12 11:56:40,306 DEBUG [web.FilterChainProxy] -
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904
> at position 1 of 5 in additional filter chain; firing Filter:
> 'GeoServerSecurityContextPersistenceFilter'
> 2012-04-12 11:56:40,306 DEBUG
> [context.HttpSessionSecurityContextRepository] - Obtained a valid
> SecurityContext from SPRING_SECURITY_CONTEXT:
> 'org.springframework.security.core.context.SecurityContextImpl@6f128e6a:
> Authentication:
>
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6f128e6a
> :
> Principal: Username: myadmin; Password: [PROTECTED]; Enabled: true;
> AccountNonExpired: true; CredentialsNonExpired: true;
> AccountNonLocked: true; [ ROLE_ADMINISTRATOR ] ; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@fffc7f0c:
> RemoteIpAddress: 127.0.0.1; SessionId:
> 9C7DBFB5B20A9D08D4017C6A7CBBE4E3; Granted Authorities:
> ROLE_ADMINISTRATOR, ROLE_AUTHENTICATED'
> 2012-04-12 11:56:40,306 DEBUG [web.FilterChainProxy] -
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904
> at position 2 of 5 in additional filter chain; firing Filter:
> 'GeoServerRememberMeAuthenticationFilter'
> 2012-04-12 11:56:40,306 DEBUG
> [rememberme.RememberMeAuthenticationFilter] - SecurityContextHolder
> not populated with remember-me token, as it already contained:
>
> 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6f128e6a
> :
> Principal: Username: myadmin; Password: [PROTECTED]; Enabled: true;
> AccountNonExpired: true; CredentialsNonExpired: true;
> AccountNonLocked: true; [ ROLE_ADMINISTRATOR ] ; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@fffc7f0c:
> RemoteIpAddress: 127.0.0.1; SessionId:
> 9C7DBFB5B20A9D08D4017C6A7CBBE4E3; Granted Authorities:
> ROLE_ADMINISTRATOR, ROLE_AUTHENTICATED'
> 2012-04-12 11:56:40,306 DEBUG [web.FilterChainProxy] -
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904
> at position 3 of 5 in additional filter chain; firing Filter:
> 'GeoServerAnonymousAuthenticationFilter'
> 2012-04-12 11:56:40,307 DEBUG [web.FilterChainProxy] -
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904
> at position 4 of 5 in additional filter chain; firing Filter:
> 'GeoServerExceptionTranslationFilter'
> 2012-04-12 11:56:40,307 DEBUG [web.FilterChainProxy] -
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904
> at position 5 of 5 in additional filter chain; firing Filter:
> 'GeoServerSecurityInterceptorFilter'
> 2012-04-12 11:56:40,307 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/web/'; against '/config/**'
> 2012-04-12 11:56:40,307 DEBUG [util.AntPathRequestMatcher] - Request
> '/web/' matched by universal pattern '/**'
> 2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] -
> Secure object: FilterInvocation: URL:
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904;
> Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
> 2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] -
> Previously Authenticated:
>
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6f128e6a
> :
> Principal: Username: myadmin; Password: [PROTECTED]; Enabled: true;
> AccountNonExpired: true; CredentialsNonExpired: true;
> AccountNonLocked: true; [ ROLE_ADMINISTRATOR ] ; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@fffc7f0c:
> RemoteIpAddress: 127.0.0.1; SessionId:
> 9C7DBFB5B20A9D08D4017C6A7CBBE4E3; Granted Authorities:
> ROLE_ADMINISTRATOR, ROLE_AUTHENTICATED
> 2012-04-12 11:56:40,307 DEBUG [vote.AffirmativeBased] - Voter:
> org.springframework.security.access.vote.RoleVoter@1337193d, returned:
> 0
> 2012-04-12 11:56:40,307 DEBUG [vote.AffirmativeBased] - Voter:
> org.springframework.security.access.vote.AuthenticatedVoter@7e1ba08b,
> returned: 1
> 2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] -
> Authorization successful
> 2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] -
> RunAsManager did not change Authentication object
> 2012-04-12 11:56:40,307 DEBUG [web.FilterChainProxy] -
>
> /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904
> reached end of additional filter chain; proceeding with original chain
> 2012-04-12 11:56:40,307 DEBUG [servlet.DispatcherServlet] -
> DispatcherServlet with name 'dispatcher' processing POST request for
> [/repository/web/]
> 2012-04-12 11:56:40,308 DEBUG [handler.SimpleUrlHandlerMapping] -
> Matching patterns for request [/web/] are [/web/**]
> 2012-04-12 11:56:40,308 DEBUG [handler.SimpleUrlHandlerMapping] - URI
> Template variables for request [/web/] are {}
> 2012-04-12 11:56:40,308 DEBUG [handler.SimpleUrlHandlerMapping] -
> Mapping [/web/] to HandlerExecutionChain with handler
> [org.springframework.web.servlet.mvc.ServletWrappingController@37ef2806]
> and 1 interceptor
> 2012-04-12 11:56:40,308 DEBUG [wicket.Session] - Getting page [path =
> 4:panel:panel:form:panel:testCx:test, versionNumber = 0]
> 2012-04-12 11:56:40,308 DEBUG [org.geoserver] - Thread 105 locking in mode
> WRITE
> 2012-04-12 11:56:40,308 DEBUG [org.geoserver] - Thread 105 got the
> lock in mode WRITE
> 2012-04-12 11:56:40,309 DEBUG [wicket.RequestCycle] - replacing
> request target
> org.apache.wicket.request.target.component.listener.BehaviorRequestTarget@633597303
> [Page
> class = org.geoserver.security.web.SecurityNamedServiceEditPage, id =
> 4, version = 0]->test->interface
> org.apache.wicket.behavior.IBehaviorListener.IActivePageBehaviorListener
> (request paramaters: [RequestParameters
> componentPath=4:panel:panel:form:panel:testCx:test pageMapName=null
> versionNumber=0 interfaceName=IActivePageBehaviorListener
> componentId=null behaviorId=0 urlDepth=-1
>
> parameters={panel:testCx:username=testuser,panel:testCx:test=1,random=0.5301492270644904,panel:userDnPattern=CN={0},OU=user,OU=e,OU=d,panel:testCx:password=!CLEARTEXTPASSWORD!,panel:serverURL=ldap://server:389/dc=c,dc=b,dc=a,panel:authorizationPanelContainer:authorizationPanel:userGroupServiceName=default,id44_hf_0=}
> onlyProcessIfPathActive=true]) with [AjaxRequestTarget@1368398530
> markupIdToComponent [{}], prependJavascript [[]], appendJavascript
> [[]]
> 2012-04-12 11:56:40,324 DEBUG [wicket.Localizer] - Property found in
> cache: 'LDAPAuthProviderPanel.connectionSuccessful'; Component:
> 'null'; value: 'Connection Successful'
> 2012-04-12 11:56:40,324 DEBUG [model.LoadableDetachableModel] - loaded
> transient object Connection Successful for
>
> StringResourceModel[key:LDAPAuthProviderPanel.connectionSuccessful,default:null,params:],
> requestCycle [RequestCycle@43eb7ea1 thread=catalina-exec-8]
> 2012-04-12 11:56:40,324 DEBUG [feedback.FeedbackMessages] - Adding
> feedback message [FeedbackMessage message = "Connection Successful",
> reporter = test, level = INFO]
>
> [2] LOGIN
> 2012-04-12 11:28:54,705 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/j_spring_security_check'; against '/web/**'
> 2012-04-12 11:28:54,706 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/j_spring_security_check'; against
> '/gwc/rest/web/**'
> 2012-04-12 11:28:54,706 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/j_spring_security_check'; against
> '/j_spring_security_check'
> 2012-04-12 11:28:54,707 DEBUG [web.FilterChainProxy] -
> /j_spring_security_check at position 1 of 2 in additional filter
> chain; firing Filter: 'GeoServerSecurityContextPersistenceFilter'
> 2012-04-12 11:28:54,707 DEBUG
> [context.HttpSessionSecurityContextRepository] - HttpSession returned
> null object for SPRING_SECURITY_CONTEXT
> 2012-04-12 11:28:54,707 DEBUG
> [context.HttpSessionSecurityContextRepository] - No SecurityContext
> was available from the HttpSession:
> org.apache.catalina.session.StandardSessionFacade@eae7ead. A new one
> will be created.
> 2012-04-12 11:28:54,707 DEBUG [web.FilterChainProxy] -
> /j_spring_security_check at position 2 of 2 in additional filter
> chain; firing Filter: 'GeoServerUserNamePasswordAuthenticationFilter'
> 2012-04-12 11:28:54,707 DEBUG
> [authentication.UsernamePasswordAuthenticationFilter] - Request is to
> process authentication
> 2012-04-12 11:28:54,708 DEBUG [authentication.ProviderManager] -
> Authentication attempt using
> org.geoserver.security.auth.GeoServerRootAuthenticationProvider
> 2012-04-12 11:28:54,708 DEBUG [authentication.ProviderManager] -
> Authentication attempt using
> org.geoserver.security.auth.UsernamePasswordAuthenticationProvider
> 2012-04-12 11:28:54,709 DEBUG [dao.DaoAuthenticationProvider] - User
> 'testuser' not found
> 2012-04-12 11:28:54,709 DEBUG [authentication.ProviderManager] -
> Authentication attempt using
> org.geoserver.security.ldap.LDAPAuthenticationProvider
> 2012-04-12 11:28:54,709 DEBUG
> [authentication.LdapAuthenticationProvider] - Processing
> authentication request for user: testuser
> 2012-04-12 11:28:54,712 DEBUG [authentication.BindAuthenticator] -
> Attempting to bind as cn=testuser,ou=user,dc=c,dc=b,dc=a
> 2012-04-12 11:28:54,713 DEBUG [support.AbstractContextSource] - Using
> LDAP pooling.
> 2012-04-12 11:28:54,713 DEBUG [support.AbstractContextSource] - Trying
> provider Urls: ldap://server:389/dc=c,dc=b,dc=a
> 2012-04-12 11:28:54,713 DEBUG
> [ldap.DefaultSpringSecurityContextSource] - Removing pooling flag for
> user cn=testuser,ou=user,dc=c,dc=b,dc=a
> 2012-04-12 11:28:54,771 DEBUG [support.AbstractContextSource] - Got
> Ldap context on server 'ldap://server:389/dc=c,dc=b,dc=a'
> 2012-04-12 11:28:54,771 DEBUG [authentication.BindAuthenticator] -
> Retrieving attributes...
> 2012-04-12 11:28:54,830 DEBUG
> [authentication.UsernamePasswordAuthenticationFilter] - Authentication
> request failed:
> org.springframework.security.core.userdetails.UsernameNotFoundException:
> User testuser not found in usergroupservice: default
> 2012-04-12 11:28:54,830 DEBUG
> [authentication.UsernamePasswordAuthenticationFilter] - Updated
> SecurityContextHolder to contain null Authentication
> 2012-04-12 11:28:54,830 DEBUG
> [authentication.UsernamePasswordAuthenticationFilter] - Delegating to
> authentication failure
>
> handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@430cd4b8
> 2012-04-12 11:28:54,830 DEBUG
> [rememberme.GeoServerTokenBasedRememberMeServices] - Interactive login
> attempt was unsuccessful.
> 2012-04-12 11:28:54,830 DEBUG
> [rememberme.GeoServerTokenBasedRememberMeServices] - Cancelling cookie
> 2012-04-12 11:28:54,830 DEBUG
> [authentication.SimpleUrlAuthenticationFailureHandler] - Redirecting
> to
> /web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true
> 2012-04-12 11:28:54,831 DEBUG [web.DefaultRedirectStrategy] -
> Redirecting to
> '/repository/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true'
> 2012-04-12 11:28:54,831 DEBUG
> [context.HttpSessionSecurityContextRepository] - SecurityContext is
> empty or contents are anonymous - context will not be stored in
> HttpSession.
>
>
>
>
> On Thu, Apr 12, 2012 at 5:21 AM, Justin Deoliveira <[email protected]>
> wrote:
> > Hi Torsten,
> >
> > On the Authentication page did you set the ldap authentication provider as
> > active? ie moved to the selected list?
> >
> > -Justin
> >
> > On Wed, Apr 11, 2012 at 11:35 AM, thegis <[email protected]> wrote:
> >>
> >> Hi List!
> >>
> >> I’ve tried to use the new LDAP authentication feature to connect
> >> Geoserver to our active directory based LDAP server as described in
> >> [1]. After some trial and error, I successfully tested the connection
> >> with the “Test Connection” button and following settings:
> >>
> >> ServerURL: ldap://server:port/dc=z,dc=y,dc=x
> >> User lookup pattern: cn={0}, ou=users, ou=b,ou=a (Note that we had to
> >> use “cn={0}” instead of “uid={0}”)
> >> Group search base: ou=groups,ou=e,ou=d
> >> Group search filter: member={0}
> >>
> >> However, when testing the login on the home page as described in [2]
> >> with the same username/password, Geoserver redirects to
> >> “geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true”.
> >> There is no error in the log or UI but the login obviously didn’t
> >> work. It would surely help to show the log messages from Spring, but I
> >> couldn’t enable them (editing e.g. VERBOSE_LOGGING.properties didn’t
> >> work).
> >>
> >> I also noticed, that the Users/Groups tab in [3] does not show any
> >> users or groups. Shouldn’t they get populated with the LDAP
> >> users/groups?
> >>
> >> Any ideas what’s wrong?
> >>
> >> Regards,
> >> Torsten
> >>
> >> [1] http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#configure-the-ldap-authentication-provider
> >> [2] http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#test-a-ldap-login
> >> [3] http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.security.web.UserGroupRoleServicesPage
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Better than sec? Nothing is better than sec when it comes to
> >> monitoring Big Data applications. Try Boundary one-second
> >> resolution app monitoring today. Free.
> >> http://p.sf.net/sfu/Boundary-dev2dev
> >> _______________________________________________
> >> Geoserver-users mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/geoserver-users
> >
> >
> >
> >
> > --
> > Justin Deoliveira
> > OpenGeo - http://opengeo.org
> > Enterprise support for open source geospatial.
> >
>
>
>
--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
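
Added example, not part of the original thread or of GeoServer's code: a Python sketch that traces the authentication provider chain in the login log quoted in this thread and separates "LDAP bind rejected" from "bind accepted, user missing from the user group service". The sample lines are adapted from that log with mail wrapping removed; treating "Got Ldap context" after a bind attempt as a successful bind is an assumption of this script.

```python
import re

# Constructed sample: lines adapted from the login log quoted in this thread,
# with the mail client's line wrapping and quote markers removed.
SAMPLE_LOG = """\
2012-04-12 11:28:54,708 DEBUG [authentication.ProviderManager] - Authentication attempt using org.geoserver.security.auth.GeoServerRootAuthenticationProvider
2012-04-12 11:28:54,708 DEBUG [authentication.ProviderManager] - Authentication attempt using org.geoserver.security.auth.UsernamePasswordAuthenticationProvider
2012-04-12 11:28:54,709 DEBUG [dao.DaoAuthenticationProvider] - User 'testuser' not found
2012-04-12 11:28:54,709 DEBUG [authentication.ProviderManager] - Authentication attempt using org.geoserver.security.ldap.LDAPAuthenticationProvider
2012-04-12 11:28:54,712 DEBUG [authentication.BindAuthenticator] - Attempting to bind as cn=testuser,ou=user,dc=c,dc=b,dc=a
2012-04-12 11:28:54,771 DEBUG [support.AbstractContextSource] - Got Ldap context on server 'ldap://server:389/dc=c,dc=b,dc=a'
2012-04-12 11:28:54,830 DEBUG [authentication.UsernamePasswordAuthenticationFilter] - Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User testuser not found in usergroupservice: default
"""

ATTEMPT = re.compile(r"Authentication attempt using (\S+)")
BIND = re.compile(r"Attempting to bind as (.+)$")
CONTEXT = re.compile(r"Got Ldap context on server")
FAILED = re.compile(r"Authentication request failed: (\S+): (.+)$")
UGS = re.compile(r"User (\S+) not found in usergroupservice: (\S+)")

def trace_login(log_text):
    """Summarise one login attempt: providers tried, bind result, failure cause."""
    result = {"providers": [], "bind_dn": None, "bind_ok": False,
              "exception": None, "diagnosis": "no failure recorded"}
    for line in log_text.splitlines():
        if m := ATTEMPT.search(line):
            # Keep only the simple class name of each provider, in chain order.
            result["providers"].append(m.group(1).rsplit(".", 1)[-1])
        elif m := BIND.search(line):
            result["bind_dn"] = m.group(1)
        elif CONTEXT.search(line):
            # Assumption: a context obtained after a bind attempt means the bind worked.
            result["bind_ok"] = result["bind_dn"] is not None
        elif m := FAILED.search(line):
            result["exception"] = m.group(1).rsplit(".", 1)[-1]
            detail = m.group(2)
            ugs = UGS.search(detail)
            if ugs and result["bind_ok"]:
                result["diagnosis"] = (f"LDAP bind accepted, but '{ugs.group(1)}' is "
                                       f"missing from user group service '{ugs.group(2)}'")
            else:
                result["diagnosis"] = detail
    return result

if __name__ == "__main__":
    print(trace_login(SAMPLE_LOG))
```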