[GeoNetwork-users] geonetwork ldap

i was not registered in the geonetwork list when i sent my question.
therefore the same question again:

hi,

i tried to bind geonetwork to active directory (ldap).
the authentication works, but i do not understand how to configure the group
/ profile mapping. within the config-security-overrides.properties file i
tried to setup the mapping following the geonetwork howto
(http://geonetwork-opensource.org/manuals/trunk/eng/users/admin/authentication/index.html).

what does this line mean:

ldapUserContextMapper.mapping[privilege]=groups,sample

what is "privilege"? is this a group name (cn) from the ldap? because i
think sample is a sample group in geonetwork. if this is a ldap group then
may i set this value with cn or dn?
then follows the next question what does "groups" mean?

maybe i am totally wrong

thanks in advance

gruss juergen

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/geonetwork-ldap-tp5188420p5188433.html
Sent from the GeoNetwork users mailing list archive at Nabble.com.

hi,

has anybody experience with this issue? it is very urgent.

i am very appreciative for any help.

thanks in advance

gruss juergen


Hi Juergen

According to the documentation:

ldapUserContextMapper.mapping[privilege]=groups,sample
# If not set, the default profile is RegisteredUser
# Valid profiles are http://geonetwork-opensource.org/manuals/trunk/eng/developer/apidocs/geonetwork/org/fao/geonet/constants/Geonet.Profile.html
ldapUserContextMapper.mapping[profile]=privileges,RegisteredUser

   - privilege attribute contains the group this user is member of. More
   than one group is allowed.
   - profile attribute contains the profile of the user

It's pretty unclear indeed, but what I understand is that privilege and
profile should be replaced with the values defined in LDAP.

See the example in
http://geonetwork-opensource.org/manuals/trunk/eng/users/admin/authentication/index.html#profile-mapping-configuration,
looks like that.

Anyway, a clarification from the person that wrote that documentation would
be great.

Regards,
Jose García

On Mon, Feb 23, 2015 at 8:41 AM, juergen sorg <j.sorg@anonymised.com> wrote:

hi,

has anybody experience with this issue? it is very urgent.

i am very appreciative for any help.

thanks in advance

gruss juergen



hi joern,

i have the same configuration like you (memberOf) in file
config-security-overrides.properties:

ldapUserContextMapper.mapping[privilege]=memberOf,ICG4
ldapUserContextMapper.mapping[profile]=profile,RegisteredUser

but i have also changed the config in file config-security.properties to
define a synchronization of the ldap groups with geonetwork each night
(then all the groups of ldap will be created in the geonetwork db (in
table groups) )

ldap.sync.cron=0 23 12 * * ?
ldap.sync.startDelay=60000
ldap.sync.user.search.base=${ldap.base.search.base}
ldap.sync.user.search.filter=(objectClass=person)
ldap.sync.user.search.attribute=sAMAccountName
ldap.sync.group.search.base=cn=Users
ldap.sync.group.search.filter=(objectClass=group)
ldap.sync.group.search.attribute=distinguishedName
ldap.sync.group.search.pattern=(.*)

(this depends on your ldap config)

it is also possible to create the group ad hoc when the user is logging
in (ldap.privilege.create.nonexisting.groups=true in same file (the
config to retrieve the groups from ldap is still used from the sync config))

gruss juergen

On 29/04/15 08:47, joernahlers [via OSGeo.org] wrote:

hi,

i have the same Problem. The login works great, but the user group is only
the fallback and the group mapping for the active directory groups didn't
work. For the mapping i want to use the memberOf field.

This is my config-security-overrides.properties:

CN# Map user information to LDAP attributes and default values
ldapUserContextMapper.mapping[name]=givenName,
ldapUserContextMapper.mapping[surname]=sn,
ldapUserContextMapper.mapping[mail]=mail,data@anonymised.com
ldapUserContextMapper.mapping[organisation]=company,myorganization
ldapUserContextMapper.mapping[kind]=title,
ldapUserContextMapper.mapping[address]=streetAddress,
ldapUserContextMapper.mapping[zip]=postalCode,
ldapUserContextMapper.mapping[state]=,
ldapUserContextMapper.mapping[city]=l,
ldapUserContextMapper.mapping[country]=,
ldapUserContextMapper.mapping[privilege]=memberOf,
# If not set, the default profile is RegisteredUser
# Valid profiles are http://geonetwork-opensource.org/manuals/trunk/eng/developer/apidocs/geonetwork/org/fao/geonet/constants/Geonet.Profile.html
ldapUserContextMapper.mapping[profile]=memberOf,Guest

# Map LDAP custom profiles to catalog profiles. Not used if ldap.privilege.pattern is defined.
ldapUserContextMapper.profileMapping[CN=ADMINISTRATOREN,DC=my,DC=org]=Administrator


Hi juergen,

can you post your complete config-security.properties?

Gruss, joern
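
Added example (not from the thread or the GeoNetwork project): a Python check that applies the key/value split rule of java.util.Properties to the mapping lines posted above, assuming the overrides file is loaded with those rules. It flags a mapping key whose bracket never closes because an unescaped `=` inside a DN ended the key early; `split_property`, `lint` and `fix_line` are hypothetical helper names and the sample is constructed from the quoted lines.

```python
# Added example: split one .properties line by the java.util.Properties rule.
# Not handled: line continuations, \uXXXX and \t-style escapes, value unescaping.
SAMPLE = r"""
# constructed from the lines quoted in the thread
ldapUserContextMapper.mapping[privilege]=memberOf,
ldapUserContextMapper.mapping[profile]=memberOf,Guest
ldapUserContextMapper.profileMapping[CN=ADMINISTRATOREN,DC=my,DC=org]=Administrator
"""
WS = " \t\f"

def split_property(line):
    """Return (key, raw_value), or None for a blank or comment line."""
    s = line.lstrip(WS)
    if not s or s[0] in "#!":
        return None
    key, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):   # backslash: next char is literal
            key.append(s[i + 1])
            i += 2
            continue
        if c in "=:" + WS:                 # first unescaped separator ends the key
            break
        key.append(c)
        i += 1
    rest = s[i:].lstrip(WS)
    if rest[:1] in ("=", ":"):             # drop the separator itself
        rest = rest[1:].lstrip(WS)
    return "".join(key), rest

def lint(text):
    """List (line_no, key, value) where the parsed key has an unclosed '['."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        kv = split_property(line)
        if kv and kv[0].count("[") != kv[0].count("]"):
            found.append((n, kv[0], kv[1]))
    return found

def fix_line(line):
    """Heuristic (assumption): the intended key ends at the last ']'."""
    end = line.rindex("]") + 1
    key = "".join("\\" + c if c in "=: \\" else c for c in line[:end])
    return key + line[end:]

if __name__ == "__main__":
    for n, key, value in lint(SAMPLE):
        print(f"line {n}: key parsed as {key!r}, value {value!r}")
        print("escaped form:", fix_line(SAMPLE.splitlines()[n - 1]))
```

Only the `profileMapping` line is reported; the two `mapping[...]` lines parse with their brackets intact because their keys contain no `=`.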
