On Thu, Apr 12, 2012 at 12:19 PM, thegis <[email protected]> wrote:

> On Thu, Apr 12, 2012 at 5:06 PM, Justin Deoliveira <[email protected]>
> wrote:
> > Cool, thank you that does help.
> >
> > So I assume you have the "Use ldap groups for authentication" unchecked?
> > If so what you have to do is actually redefine a user with the same name
> > in the default user group service. So add a new user named "testuser" in
> > the default user group service. You can specify a dummy password or on the
> > user group service settings set password encoding to "empty" and then you
> > can specify no password for the new user.
> >
> > We hope to improve on this soon and just have a specific ldap user group
> > service directly.
> >
> > An alternative is to check the "Use ldap groups for authentication"
> > checkbox on the ldap server config and then you won't have to redefine the
> > user, but you won't be able to assign any custom roles to that user. This
> > is somewhat documented here:
> >
> > http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment
> >
>
> Thanks for your explanation!
>
> It works when not using LDAP groups/roles and defining a local user
> with the same name as the one in LDAP. This is somewhat hard to
> maintain but will work for now, especially if there will be a ldap
> user group service later on.
>

Cool, glad it worked. And yeah, what is currently there is not really
ideal, the user group should make this a lot more seamless.

>
> It does not work when using LDAP groups/roles to authenticate. I'll
> try to figure out why next week, below is just a dump of the exception
> and log. I've used these group settings:
>

What happens upon login exactly? Does authentication fail? Or are you
logged in with no privileges?


> group search base: OU=groups,OU=path-to-group
> group search filter: member={0}
>
> Cheers,
> Torsten
>
> Servlet Exception:
> javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
> DSID-0C090627, comment: In order to perform this operation a
> successful bind must be completed on the connection., data 0, vece];
> remaining name 'OU=groups,OU=path-to-group'
>
> Geoserver log of login with ldap groups:
> 2012-04-12 17:23:34,398 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/j_spring_security_check'; against '/web/**'
> 2012-04-12 17:23:34,398 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/j_spring_security_check'; against
> '/gwc/rest/web/**'
> 2012-04-12 17:23:34,398 DEBUG [util.AntPathRequestMatcher] - Checking
> match of request : '/j_spring_security_check'; against
> '/j_spring_security_check'
> 2012-04-12 17:23:34,398 DEBUG [web.FilterChainProxy] -
> /j_spring_security_check at position 1 of 2 in additional filter
> chain; firing Filter: 'GeoServerSecurityContextPersistenceFilter'
> 2012-04-12 17:23:34,398 DEBUG
> [context.HttpSessionSecurityContextRepository] - HttpSession returned
> null object for SPRING_SECURITY_CONTEXT
> 2012-04-12 17:23:34,398 DEBUG
> [context.HttpSessionSecurityContextRepository] - No SecurityContext
> was available from the HttpSession:
> org.apache.catalina.session.StandardSessionFacade@3d339c48. A new one
> will be created.
> 2012-04-12 17:23:34,399 DEBUG [web.FilterChainProxy] -
> /j_spring_security_check at position 2 of 2 in additional filter
> chain; firing Filter: 'GeoServerUserNamePasswordAuthenticationFilter'
> 2012-04-12 17:23:34,399 DEBUG
> [authentication.UsernamePasswordAuthenticationFilter] - Request is to
> process authentication
> 2012-04-12 17:23:34,399 DEBUG [authentication.ProviderManager] -
> Authentication attempt using
> org.geoserver.security.auth.GeoServerRootAuthenticationProvider
> 2012-04-12 17:23:34,399 DEBUG [authentication.ProviderManager] -
> Authentication attempt using
> org.geoserver.security.ldap.LDAPAuthenticationProvider
> 2012-04-12 17:23:34,400 DEBUG
> [authentication.LdapAuthenticationProvider] - Processing
> authentication request for user: testuser
> 2012-04-12 17:23:34,402 DEBUG [authentication.BindAuthenticator] -
> Attempting to bind as
> cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
> 2012-04-12 17:23:34,403 DEBUG [support.AbstractContextSource] - Using
> LDAP pooling.
> 2012-04-12 17:23:34,403 DEBUG [support.AbstractContextSource] - Trying
> provider Urls: ldap://server:389/dc=pany,dc=com
> 2012-04-12 17:23:34,403 DEBUG
> [ldap.DefaultSpringSecurityContextSource] - Removing pooling flag for
> user cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
> 2012-04-12 17:23:34,423 DEBUG [support.AbstractContextSource] - Got
> Ldap context on server 'ldap://server:389/dc=pany,dc=com'
> 2012-04-12 17:23:34,424 DEBUG [authentication.BindAuthenticator] -
> Retrieving attributes...
> 2012-04-12 17:23:34,454 DEBUG
> [userdetails.DefaultLdapAuthoritiesPopulator] - Getting authorities
> for user cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
> 2012-04-12 17:23:34,455 DEBUG
> [userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles
> for user 'testuser', DN =
> 'cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com', with filter
> member={0} in search base 'OU=groups,OU=path-to-groups'
> 2012-04-12 17:23:34,455 DEBUG [ldap.SpringSecurityLdapTemplate] -
> Using filter: member=cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
> 2012-04-12 17:23:34,459 INFO [core.LdapTemplate] - The returnObjFlag
> of supplied SearchControls is not set but a ContextMapper is used -
> setting flag to true
> 2012-04-12 17:23:34,464 WARN
> [authentication.SpringSecurityAuthenticationSource] - No
> Authentication object set in SecurityContext - returning empty String
> as Principal
> 2012-04-12 17:23:34,464 WARN
> [authentication.SpringSecurityAuthenticationSource] - No
> Authentication object set in SecurityContext - returning empty String
> as Credentials
> 2012-04-12 17:23:34,464 DEBUG [support.AbstractContextSource] - Using
> LDAP pooling.
> 2012-04-12 17:23:34,464 DEBUG [support.AbstractContextSource] - Trying
> provider Urls: ldap://server:389/dc=pany,dc=com
> 2012-04-12 17:23:34,479 DEBUG [support.AbstractContextSource] - Got
> Ldap context on server 'ldap://server:389/dc=pany,dc=com'
> 2012-04-12 17:23:34,494 DEBUG
> [context.HttpSessionSecurityContextRepository] - SecurityContext is
> empty or contents are anonymous - context will not be stored in
> HttpSession.
> 2012-04-12 17:23:34,495 DEBUG
> [context.SecurityContextPersistenceFilter] - SecurityContextHolder now
> cleared, as request processing completed
>
>
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>



-- 
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
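
An added example, not part of the original thread or of GeoServer: a small Python triage script that strips the ">" quoting from a pasted log like the one above, rejoins the hard-wrapped records, and reports the DN the user bound as, the group search base, and whether the role search was followed by the "empty String as Principal" warning. The sample is abridged from the quoted log; the function names and result keys are made up for this example.

```python
import re

# Abridged from the quoted, hard-wrapped log in the thread above.
SAMPLE = """\
> 2012-04-12 17:23:34,402 DEBUG [authentication.BindAuthenticator] -
> Attempting to bind as
> cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
> 2012-04-12 17:23:34,455 DEBUG
> [userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles
> for user 'testuser', DN =
> 'cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com', with filter
> member={0} in search base 'OU=groups,OU=path-to-groups'
> 2012-04-12 17:23:34,464 WARN
> [authentication.SpringSecurityAuthenticationSource] - No
> Authentication object set in SecurityContext - returning empty String
> as Principal
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} ")
RECORD = re.compile(r"^\S+ \S+ (\w+)\s+\[([^\]]+)\] - (.*)$")
BIND = "Attempting to bind as "

def records(text):
    """Strip '>' quoting and rejoin wrapped lines into (level, logger, message)."""
    joined = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if STAMP.match(line):          # a timestamp starts a new record
            joined.append(line)
        elif line and joined:          # anything else continues the last one
            joined[-1] += " " + line
    return [m.groups() for m in map(RECORD.match, joined) if m]

def diagnose(text):
    """Report the bind DN, the group search base, and whether the role search
    was followed by a warning that the context source had no principal."""
    result = {"bind_dn": None, "search_base": None, "empty_principal_search": False}
    for level, _logger, msg in records(text):
        if msg.startswith(BIND):
            result["bind_dn"] = msg[len(BIND):]
        elif "Searching for roles" in msg:
            m = re.search(r"in search base '([^']*)'", msg)
            result["search_base"] = m.group(1) if m else None
        elif level == "WARN" and result["search_base"] and "empty String as Principal" in msg:
            result["empty_principal_search"] = True
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A true `empty_principal_search` means the group lookup was not issued with the credentials of the user who had just bound, which is consistent with the directory's "a successful bind must be completed" error on the group search base.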