Jesse,
I can find out what ldap paths are valid - that part is easy as I have the tools to show me.
What I don't know is the first part of each line as it seems unique to this prog...?
I'm just guessing what the paths are in yellow really - are you able to explain the format? I don't know where to put the dot, what to call it, etc.
ldap.base.search.base=OU=DEC Staff
ldap.base.search.base.filter=CN={0}
OR
ldap.base.search.base=OU=DEC Staff
ldap.base.dn.filter=CN={0}
OR
ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=*)(CN=*))
ldap.base.user.search.attribute=CN
OR
ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=User)(CN={0})
ldap.base.user.search.attribute=CN
Many thanks,
Suresh
________________________________
From: Jesse Eichar [mailto:jesse.eichar@anonymised.com]
Sent: Tuesday, 11 June 2013 3:55 PM
To: Ramayah Suresh
Cc: Devel geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] LDAP Authentication
I don't know ldap well enough to debug this issue. I usually get the source code and put a break point in LDAPUtils and LdapAuthenticationProvider and see what ldap requests are being made then use ldapsearch or Apache Directory Studio to perform the searches to get a valid search pattern.
Jesse
On Tue, Jun 11, 2013 at 7:44 AM, Suresh Ramayah <Suresh.Ramayah@anonymised.com> wrote:
Hi Jesse,
We've managed to authenticate with LDAP... That was a small success. However, now we need to be able to search for the user from the base of an OU through to all of its subfolders.
Currently we are searching in one OU only, which is working fine:
ldap.base.search.base=OU=Contractors,OU=Exchange Enabled,OU=DEC Staff
ldap.base.dn.pattern=CN={0},${ldap.base.search.base}
I've tried the below combinations in an attempt to search from the OU=DEC Staff level downwards, but nothing seems to work.
I suspect my syntax is wrong:
ldap.base.search.base=OU=DEC Staff
ldap.base.search.base.filter=CN={0}
OR
ldap.base.search.base=OU=DEC Staff
ldap.base.dn.filter=CN={0}
OR
ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=*)(CN=*))
ldap.base.user.search.attribute=CN
OR
ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=User)(CN={0})
ldap.base.user.search.attribute=CN
Are you able to help find out what the correct syntax is?
Suresh
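An added example, not code from this thread or from GeoNetwork: a small Python model over a constructed in-memory directory (assumed DC suffix and attribute names) of why the DN-pattern lookup only resolves users sitting directly under one OU, while a filter-based search from OU=DEC Staff with subtree scope also finds users in nested OUs, and of how the `{0}` value has to be escaped so that a login name cannot change the DN or the filter. The filter as posted above is short one closing parenthesis; the version built here is balanced.

```python
from typing import Dict, List, Optional

# Constructed sample directory (DN -> attributes), standing in for the AD tree
# under OU=DEC Staff. "bob" sits two OUs deeper than the search base.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,OU=DEC Staff,DC=example,DC=org": {"objectClass": "User", "CN": "alice"},
    "CN=bob,OU=Contractors,OU=Exchange Enabled,OU=DEC Staff,DC=example,DC=org":
        {"objectClass": "User", "CN": "bob"},
    "CN=Staff Printers,OU=DEC Staff,DC=example,DC=org":
        {"objectClass": "Group", "CN": "Staff Printers"},
}
BASE = "OU=DEC Staff,DC=example,DC=org"   # assumed full search base

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value used inside an RDN such as CN={0}."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def build_user_filter(username: str) -> str:
    """The filter from the thread with {0} filled in safely (and balanced)."""
    return f"(&(objectClass=User)(CN={escape_filter_value(username)}))"

def resolve_by_dn_pattern(username: str, search_base: str = BASE) -> Optional[str]:
    """ldap.base.dn.pattern=CN={0},${ldap.base.search.base}: one exact DN, no search."""
    dn = f"CN={escape_dn_value(username)},{search_base}"
    return dn if dn in DIRECTORY else None

def search_users(username: str, search_base: str = BASE, subtree: bool = True) -> List[str]:
    """Evaluate build_user_filter() over the base with SUBTREE or ONELEVEL scope.
    A real server decodes the RFC 4515 escapes, so the raw username is compared."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + search_base):
            continue                              # entry is outside the base
        relative = dn[: -len(search_base) - 1]    # RDNs below the base
        if not subtree and "," in relative:
            continue                              # deeper than one level
        if attrs.get("objectClass") == "User" and attrs.get("CN") == username:
            hits.append(dn)
    return hits
```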
________________________________
From: Jesse Eichar [mailto:jesse.eichar@anonymised.com]
Sent: Friday, 31 May 2013 8:30 PM
To: Ramayah Suresh
Cc: Devel geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] LDAP Authentication
Hi,
Spring Security provides several ways to authenticate with LDAP. I believe we use the Fast bind method. Essentially GeoNetwork attempts to bind to the LDAP with the credentials. If you look in the config-security-ldap.xml file you can see the ldapAuthProvider. It has a BindAuthenticator configured. I think this should work for you, but you can change it so that it will log in as an administrator and do an LDAP search to verify the credentials.
The other part of the story is the user data that is loaded from the ldap. I am not as familiar with that but from what I understand you should be able to configure it to not look up the user in ldap. For that you probably have to comment the ldapUserContextMapper or so. I am not so sure about that...
Jesse
On Fri, May 31, 2013 at 7:07 AM, Suresh Ramayah <Suresh.Ramayah@anonymised.com> wrote:
Hello,
I'm trying to set up GN's new Spring Security framework with LDAP authentication and haven't had any luck at all. The requirement is to only authenticate the users in our corporate AD. GN will set up and deal with security groups and privileges.
Networks have provided a dedicated service account added to an AD group that allows users' password retrieval. Is such a user enough to connect and authenticate, or is an LDAP user administrator required, i.e. a domain controller?
Regards,
Suresh Ramayah
Technical Analyst
Science Division
Office of Environment and Heritage
Department of Premier and Cabinet
43 Bridge St, Hurstville NSW 2220
Ph: 9585 6992
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
This email is intended for the addressee(s) named and may contain confidential and/or privileged information.
If you are not the intended recipient, please notify the sender and then delete it immediately.
Any views expressed in this email are those of the individual sender except where the sender expressly and with authority states them to be the views of the Office of Environment and Heritage, NSW Department of Premier and Cabinet.
PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL
_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork