On Thu, Apr 12, 2012 at 5:06 PM, Justin Deoliveira <jdeol...@opengeo.org> wrote:
> Cool, thank you that does help.
>
> So I assume you have the "Use ldap groups for authentication" unchecked? If
> so what you have to do is actually redefine a user with the same name in the
> default user group service. So add a new user named "testuser" in the
> default user group service. You can specify a dummy password or on the user
> group service settings set password encoding to "empty" and then you can
> specify no password for the new user.
>
> We hope to improve on this soon and just have a specific ldap user group
> service directly.
>
> An alternative is to check the "Use ldap groups for authentication"
> checkbox on the ldap server config and then you won't have to redefine the
> user, but you won't be able to assign any custom roles to that user. This is
> somewhat documented here:
>
> http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment
>

Thanks for your explanation!

It works when not using LDAP groups/roles and defining a local user
with the same name as the one in LDAP. This is somewhat hard to
maintain but will work for now, especially if there will be an LDAP
user group service later on.

It does not work when using LDAP groups/roles to authenticate. I'll
try to figure out why next week, below is just a dump of the exception
and log. I've used these group settings:

group search base: OU=groups,OU=path-to-group
group search filter: member={0}

Cheers,
Torsten

Servlet Exception:
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
DSID-0C090627, comment: In order to perform this operation a
successful bind must be completed on the connection., data 0, vece];
remaining name 'OU=groups,OU=path-to-group'

Geoserver log of login with ldap groups:
2012-04-12 17:23:34,398 DEBUG [util.AntPathRequestMatcher] - Checking
match of request : '/j_spring_security_check'; against '/web/**'
2012-04-12 17:23:34,398 DEBUG [util.AntPathRequestMatcher] - Checking
match of request : '/j_spring_security_check'; against
'/gwc/rest/web/**'
2012-04-12 17:23:34,398 DEBUG [util.AntPathRequestMatcher] - Checking
match of request : '/j_spring_security_check'; against
'/j_spring_security_check'
2012-04-12 17:23:34,398 DEBUG [web.FilterChainProxy] -
/j_spring_security_check at position 1 of 2 in additional filter
chain; firing Filter: 'GeoServerSecurityContextPersistenceFilter'
2012-04-12 17:23:34,398 DEBUG
[context.HttpSessionSecurityContextRepository] - HttpSession returned
null object for SPRING_SECURITY_CONTEXT
2012-04-12 17:23:34,398 DEBUG
[context.HttpSessionSecurityContextRepository] - No SecurityContext
was available from the HttpSession:
org.apache.catalina.session.StandardSessionFacade@3d339c48. A new one
will be created.
2012-04-12 17:23:34,399 DEBUG [web.FilterChainProxy] -
/j_spring_security_check at position 2 of 2 in additional filter
chain; firing Filter: 'GeoServerUserNamePasswordAuthenticationFilter'
2012-04-12 17:23:34,399 DEBUG
[authentication.UsernamePasswordAuthenticationFilter] - Request is to
process authentication
2012-04-12 17:23:34,399 DEBUG [authentication.ProviderManager] -
Authentication attempt using
org.geoserver.security.auth.GeoServerRootAuthenticationProvider
2012-04-12 17:23:34,399 DEBUG [authentication.ProviderManager] -
Authentication attempt using
org.geoserver.security.ldap.LDAPAuthenticationProvider
2012-04-12 17:23:34,400 DEBUG
[authentication.LdapAuthenticationProvider] - Processing
authentication request for user: testuser
2012-04-12 17:23:34,402 DEBUG [authentication.BindAuthenticator] -
Attempting to bind as
cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
2012-04-12 17:23:34,403 DEBUG [support.AbstractContextSource] - Using
LDAP pooling.
2012-04-12 17:23:34,403 DEBUG [support.AbstractContextSource] - Trying
provider Urls: ldap://server:389/dc=pany,dc=com
2012-04-12 17:23:34,403 DEBUG
[ldap.DefaultSpringSecurityContextSource] - Removing pooling flag for
user cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
2012-04-12 17:23:34,423 DEBUG [support.AbstractContextSource] - Got
Ldap context on server 'ldap://server:389/dc=pany,dc=com'
2012-04-12 17:23:34,424 DEBUG [authentication.BindAuthenticator] -
Retrieving attributes...
2012-04-12 17:23:34,454 DEBUG
[userdetails.DefaultLdapAuthoritiesPopulator] - Getting authorities
for user cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
2012-04-12 17:23:34,455 DEBUG
[userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles
for user 'testuser', DN =
'cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com', with filter
member={0} in search base 'OU=groups,OU=path-to-groups'
2012-04-12 17:23:34,455 DEBUG [ldap.SpringSecurityLdapTemplate] -
Using filter: member=cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
2012-04-12 17:23:34,459 INFO [core.LdapTemplate] - The returnObjFlag
of supplied SearchControls is not set but a ContextMapper is used -
setting flag to true
2012-04-12 17:23:34,464 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Principal
2012-04-12 17:23:34,464 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Credentials
2012-04-12 17:23:34,464 DEBUG [support.AbstractContextSource] - Using
LDAP pooling.
2012-04-12 17:23:34,464 DEBUG [support.AbstractContextSource] - Trying
provider Urls: ldap://server:389/dc=pany,dc=com
2012-04-12 17:23:34,479 DEBUG [support.AbstractContextSource] - Got
Ldap context on server 'ldap://server:389/dc=pany,dc=com'
2012-04-12 17:23:34,494 DEBUG
[context.HttpSessionSecurityContextRepository] - SecurityContext is
empty or contents are anonymous - context will not be stored in
HttpSession.
2012-04-12 17:23:34,495 DEBUG
[context.SecurityContextPersistenceFilter] - SecurityContextHolder now
cleared, as request processing completed
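
Added example, not part of the original message and not GeoServer or Spring Security code: a small triage script that re-joins the mail-wrapped log records above and flags a login in which the role search by `DefaultLdapAuthoritiesPopulator` is followed by the "returning empty String as Principal" warning, the sequence seen in the log for the login that ended in the "successful bind must be completed" error. The sample lines are constructed by abridging the log above; the function names are hypothetical.

```python
import re

# Constructed sample: three wrapped records abridged from the log above.
SAMPLE_LOG = """\
2012-04-12 17:23:34,402 DEBUG [authentication.BindAuthenticator] -
Attempting to bind as
cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com
2012-04-12 17:23:34,455 DEBUG
[userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles
for user 'testuser', DN =
'cn=testuser,ou=users,ou=path-to-users,dc=pany,dc=com', with filter
member={0} in search base 'OU=groups,OU=path-to-groups'
2012-04-12 17:23:34,464 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Principal
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
RECORD = re.compile(r"^(\S+ \S+) (\w+) \[([^\]]+)\] - (.*)$")

def join_records(text):
    """Re-join mail-wrapped lines into one string per log record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def find_unbound_role_searches(text):
    """Flag role searches followed by the empty-principal warning."""
    findings, pending = [], None
    for rec in join_records(text):
        m = RECORD.match(rec)
        if not m:
            continue
        ts, level, logger, msg = m.groups()
        if logger.endswith("DefaultLdapAuthoritiesPopulator") and "Searching for roles" in msg:
            user = re.search(r"for user '([^']*)'", msg)
            base = re.search(r"search base '([^']*)'", msg)
            pending = (user and user.group(1), base and base.group(1))
        elif pending and level == "WARN" and "empty String as Principal" in msg:
            findings.append({"time": ts, "user": pending[0], "search_base": pending[1]})
            pending = None
    return findings

if __name__ == "__main__":
    print(find_unbound_role_searches(SAMPLE_LOG))
```
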
