[Geoserver-devel] [jira] (GEOS-5054) Role lookup fails on secured LDAP servers

Torsten Heinen created GEOS-5054:
------------------------------------

             Summary: Role lookup fails on secured LDAP servers
                 Key: GEOS-5054
                 URL: https://jira.codehaus.org/browse/GEOS-5054
             Project: GeoServer
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.2-beta1
         Environment: Geoserver 2.2-beta-1, Active Directory based secured LDAP, Tomcat 7.0.26, Java 1.7
            Reporter: Torsten Heinen
            Assignee: Andrea Aime
         Attachments: geoserver-ldap-roles.log

As described in http://thread.gmane.org/gmane.comp.gis.geoserver.user/32105, the LDAP role lookup seems to fail on LDAP servers that do not allow anonymous bind. However, the user lookup works fine. The LDAP error indicates that the anonymous lookup in the LDAP is not allowed. A probably similar problem has been discussed and solved in: http://stackoverflow.com/questions/5255158/spring-ldap-bind-for-successfull-connection

Configuration:

ServerURL: ldap://ldapserver:ldapport/dc=subdomain,dc=company,dc=com
User lookup pattern: cn={0}, ou=users, ou=path-to-users
Group search base: ou=groups,ou=path-to-groups
Group search filter: member={1}

Tomcat log:
{quote}
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'OU=groups,OU=path-to-groups'
{quote}

Geoserver log:
{quote}
2012-04-18 13:56:47,874 DEBUG [userdetails.DefaultLdapAuthoritiesPopulator] - Getting authorities for user cn=testuser,ou=user,ou=path-to-users,dc=subdomain,dc=company,dc=com
2012-04-18 13:56:47,874 DEBUG [userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles for user 'testuser', DN = 'cn=testuser,ou=user,ou=path-to-users,dc=subdomain,dc=company,dc=com', with filter member={1} in search base 'OU=groups,OU=path-to-groups'
2012-04-18 13:56:47,874 DEBUG [ldap.SpringSecurityLdapTemplate] - Using filter: member=testuser
2012-04-18 13:56:47,875 INFO [core.LdapTemplate] - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-04-18 13:56:47,877 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Principal
2012-04-18 13:56:47,877 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Credentials
{quote}
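Added example (not from the GeoServer project or this report): it expands the group search filter from the configuration above using the Spring Security DefaultLdapAuthoritiesPopulator convention ({0} is replaced by the user's DN, {1} by the username), with RFC 4515 escaping so a DN or username cannot change the filter structure, and it recognises the Active Directory "bind must be completed" message from the Tomcat log. The DN, username and error text are the ones quoted in the report; the function names are assumptions.

```python
import re

# Values taken from the GeoServer log and Tomcat log quoted in the report.
USER_DN = "cn=testuser,ou=user,ou=path-to-users,dc=subdomain,dc=company,dc=com"
USERNAME = "testuser"
TOMCAT_ERROR = (
    "javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: "
    "DSID-0C090627, comment: In order to perform this operation a successful bind "
    "must be completed on the connection., data 0, vece]; "
    "remaining name 'OU=groups,OU=path-to-groups'"
)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL are replaced by '\\XX' hex escapes so the
    substituted DN or username is matched literally instead of being parsed
    as filter syntax.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def expand_group_filter(pattern: str, user_dn: str, username: str) -> str:
    """Expand a Spring Security style group search filter.

    {0} -> the authenticated user's full DN, {1} -> the bare username.
    With the report's pattern 'member={1}' this yields 'member=testuser',
    which matches the 'Using filter: member=testuser' line in the GeoServer log.
    """
    return (
        pattern.replace("{0}", escape_filter_value(user_dn))
        .replace("{1}", escape_filter_value(username))
    )


# Active Directory reports LDAP result code 1 (operationsError) with this comment
# when a search is attempted on a connection that has not completed a bind.
_BIND_REQUIRED = re.compile(r"error code 1 .*successful bind must be completed")


def search_requires_bind(exception_text: str) -> bool:
    """True when the server refused the (anonymous) search until a bind is done."""
    return _BIND_REQUIRED.search(exception_text) is not None
```

Running `search_requires_bind(TOMCAT_ERROR)` on the quoted exception returns True, which distinguishes this failure from a filter that simply matches no group entries.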
