[GeoNetwork-devel] LDAP Authentication

Hello,

I'm trying to set up GN's new Spring Security framework with LDAP authentication and haven't had any luck at all. The requirement is to only authenticate the users in our corporate AD. GN will set up and deal with security groups and privileges.

Networks have provided a dedicated service account added to an AD group that allows users' password retrieval. Is such a user enough to connect and authenticate, or is an LDAP user administrator required, i.e. a domain controller?

Regards,
Suresh Ramayah

Technical Analyst

Science Division
Office of Environment and Heritage
Department of Premier and Cabinet

43 Bridge St, Hurstville NSW 2220

Ph: 9585 6992

----------------------------------------------------------------------------------------------------------------------------------------------------------------------
This email is intended for the addressee(s) named and may contain confidential and/or privileged information.
If you are not the intended recipient, please notify the sender and then delete it immediately.
Any views expressed in this email are those of the individual sender except where the sender expressly and with authority states them to be the views of the Office of Environment and Heritage, NSW Department of Premier and Cabinet.

PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL

Hi,

Spring Security provides several ways to authenticate with LDAP. I believe we use the fast bind method. Essentially GeoNetwork attempts to bind to the LDAP with the credentials. If you look in the config-security-ldap.xml file you can see the ldapAuthProvider. It has a BindAuthenticator configured. I think this should work for you, but you can change it so that it will log in as an administrator and do an LDAP search to verify the credentials.

The other part of the story is the user data that is loaded from the ldap. I am not as familiar with that but from what I understand you should be able to configure it to not look up the user in ldap. For that you probably have to comment the ldapUserContextMapper or so. I am not so sure about that…

Jesse

GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Hi Jesse,

We've managed to authenticate with LDAP... That was a small success. However, now we need to be able to search for the user from the base of an OU through to all of its subfolders.

Currently we are searching in one OU only, which is working fine:

ldap.base.search.base=OU=Contractors,OU=Exchange Enabled,OU=DEC Staff
ldap.base.dn.pattern=CN={0},${ldap.base.search.base}

I've tried the below combinations in an attempt to search from the OU=DEC Staff level downwards, but nothing seems to work.
I suspect my syntax is wrong:

ldap.base.search.base=OU=DEC Staff
ldap.base.search.base.filter=CN={0}

OR

ldap.base.search.base=OU=DEC Staff
ldap.base.dn.filter=CN={0}

OR

ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=*)(CN=*))
ldap.base.user.search.attribute=CN

OR

ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=User)(CN={0})
ldap.base.user.search.attribute=CN

Are you able to help find out what the correct syntax is?

Suresh


I don’t know ldap well enough to debug this issue. I usually get the source code and put a break point in LDAPUtils and LdapAuthenticationProvider and see what ldap requests are being made then use ldapsearch or Apache Directory Studio to perform the searches to get a valid search pattern.

Jesse


Jesse,

I can find out what ldap paths are valid - that part is easy as I have the tools to show me.
What I don't know is the first part of each line as it seems unique to this prog...?
I'm just guessing what the paths are in yellow really - are you able to explain the format? I don't know where to put the dot, what to call it, etc.
ldap.base.search.base=OU=DEC Staff
ldap.base.search.base.filter=CN={0}

OR

ldap.base.search.base=OU=DEC Staff
ldap.base.dn.filter=CN={0}

OR

ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=*)(CN=*))
ldap.base.user.search.attribute=CN

OR

ldap.base.search.base=OU=DEC Staff
ldap.base.user.search.base=${ldap.base.search.base}
ldap.base.user.search.filter=(&(objectClass=User)(CN={0})
ldap.base.user.search.attribute=CN

Many thanks,

Suresh


Ok, I think I understand your question better now.

ldap.base.search.base seems to be just for substitutions within the config-security-properties file. It is not required unless used elsewhere in the file.

ldap.base.dn.filter I don’t know where you got that from… It is not in any of the files on master. What version are you trying out?

I do have: ldap.base.dn.pattern which is maybe the equivalent on master.

It is used for performing the bind.

I would recommend looking at:

https://github.com/geonetwork/core-geonetwork/blob/develop/web/src/main/webapp/WEB-INF/config-security-ldap.xml

That is the true LDAP configuration. The properties file is just to make the basic setup easier, but if you want fine control you may want to edit config-security-ldap.xml.

Jesse


OK Thanks. I've resolved this....

As you mentioned, the mechanics are in the config-security-ldap.xml file. The Spring Security documentation talks about using a FilterBasedLdapUserSearch class to do a more robust search. So I added a bean:

<bean id="ldapUserSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <!-- index 0: search base, relative to the contextSource; empty means search from its root -->
    <constructor-arg index="0" value=""/>
    <!-- index 1: search filter; {0} is replaced by the login name -->
    <constructor-arg index="1" value="(CN={0})"/>
    <constructor-arg index="2" ref="contextSource"/>
</bean>

The pattern I used was (CN={0}). The bind authenticator in the file will need to reference the bean along the lines of (in bold):

<!-- enclosing ldapAuthProvider bean shown for context; the userSearch property is the addition -->
<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <!-- tried first: a DN built directly from the pattern -->
            <property name="userDnPatterns">
                <list><value>${ldap.base.dn.pattern}</value></list>
            </property>
            <!-- tried when no pattern binds: the subtree search defined in ldapUserSearch -->
            <property name="userSearch" ref="ldapUserSearch"/>
        </bean>
    </constructor-arg>
    <property name="userDetailsContextMapper" ref="ldapUserContextMapper"/>
</bean>

And that's it! And provided you've referenced your parent OU directory in the properties ....

Thought I'd mention these steps for the next victim caught in the LDAP world.....

Suresh
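As an added illustration (not GeoNetwork or Spring Security code), the Python below simulates the lookup order this thread ends up with: a userDnPatterns entry only finds users sitting directly in the one OU the pattern names, while a FilterBasedLdapUserSearch with (CN={0}) under OU=DEC Staff walks the whole subtree. The in-memory directory and the DC=example,DC=local suffix are constructed; the substituted login name is escaped per RFC 4514 (in the DN) and RFC 4515 (in the filter), which is the check to make on whatever component performs the real substitution.

```python
import re

# Constructed sample directory (DN -> attributes) mirroring the OU tree in the
# thread; DC=example,DC=local stands in for the real domain.
ROOT_DN = "DC=example,DC=local"
DIRECTORY = {
    "CN=alice,OU=Contractors,OU=Exchange Enabled,OU=DEC Staff," + ROOT_DN:
        {"objectClass": ["user"], "CN": ["alice"]},
    "CN=bob,OU=Science,OU=DEC Staff," + ROOT_DN:
        {"objectClass": ["user"], "CN": ["bob"]},
    "CN=carol,OU=Other Agency," + ROOT_DN:
        {"objectClass": ["user"], "CN": ["carol"]},
}


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into an RDN (the {0} of CN={0},...)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (the {0} of (CN={0}))."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _filter_matches(filter_str, attrs):
    """Evaluate a single (attr=value) filter; a bare '*' is a presence test."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are handled here")
    attr, value = m.group(1).lower(), m.group(2)
    present = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if value == "*":
        return bool(present)
    return _unescape_filter_value(value).lower() in present


def _under_base(dn, base):
    """Subtree scope: the entry is the base itself or anything beneath it."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def resolve_user_dn(username, dn_patterns, search_base, search_filter):
    """Resolve a login name the way a BindAuthenticator does: try each DN pattern
    (an exact position in the tree), then fall back to a subtree user search.
    search_filter=None means no userSearch is configured (the thread's starting point)."""
    for pattern in dn_patterns:
        candidate = pattern.replace("{0}", escape_dn_value(username)) + "," + ROOT_DN
        for dn in DIRECTORY:
            if dn.lower() == candidate.lower():
                return dn
    if search_filter is None:
        return None
    base = (search_base + "," + ROOT_DN) if search_base else ROOT_DN
    flt = search_filter.replace("{0}", escape_filter_value(username))
    hits = [dn for dn, attrs in DIRECTORY.items()
            if _under_base(dn, base) and _filter_matches(flt, attrs)]
    if len(hits) > 1:
        # a single-entry search must refuse an ambiguous result rather than pick one
        raise LookupError("more than one entry matched " + flt)
    return hits[0] if hits else None


if __name__ == "__main__":
    patterns = ["CN={0},OU=Contractors,OU=Exchange Enabled,OU=DEC Staff"]
    for user in ("alice", "bob", "carol", "*"):
        print(user, "->", resolve_user_dn(user, patterns, "OU=DEC Staff", "(CN={0})"))
```

A login name of "*" resolves to nobody because the filter sees the escaped \2a, not a wildcard.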


Good news! And thanks for the update.

Jesse
