Torsten Heinen created GEOS-5054:
------------------------------------
Summary: Role lookup fails on secured LDAP servers
Key: GEOS-5054
URL: https://jira.codehaus.org/browse/GEOS-5054
Project: GeoServer
Issue Type: Bug
Components: Security
Affects Versions: 2.2-beta1
Environment: Geoserver 2.2-beta-1, Active Directory based secured LDAP, Tomcat 7.0.26, Java 1.7
Reporter: Torsten Heinen
Assignee: Andrea Aime
Attachments: geoserver-ldap-roles.log
As described in http://thread.gmane.org/gmane.comp.gis.geoserver.user/32105, the LDAP role lookup seems to fail on LDAP servers that do not allow anonymous bind. However, the user lookup works fine. The LDAP error indicates that the anonymous lookup in the LDAP is not allowed. A probably similar problem has been discussed and solved in: http://stackoverflow.com/questions/5255158/spring-ldap-bind-for-successfull-connection
Configuration:
ServerURL: ldap://ldapserver:ldapport/dc=subdomain,dc=company,dc=com
User lookup pattern: cn={0}, ou=users, ou=path-to-users
Group search base: ou=groups,ou=path-to-groups
Group search filter: member={1}
Tomcat log:
{quote}
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'OU=groups,OU=path-to-groups'
{quote}
Geoserver log:
{quote}
2012-04-18 13:56:47,874 DEBUG [userdetails.DefaultLdapAuthoritiesPopulator] - Getting authorities for user cn=testuser,ou=user,ou=path-to-users,dc=subdomain,dc=company,dc=com
2012-04-18 13:56:47,874 DEBUG [userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles for user 'testuser', DN = 'cn=testuser,ou=user,ou=path-to-users,dc=subdomain,dc=company,dc=com', with filter member={1} in search base 'OU=groups,OU=path-to-groups'
2012-04-18 13:56:47,874 DEBUG [ldap.SpringSecurityLdapTemplate] - Using filter: member=testuser
2012-04-18 13:56:47,875 INFO [core.LdapTemplate] - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-04-18 13:56:47,877 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Principal
2012-04-18 13:56:47,877 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Credentials
{quote}
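A log triage sketch for the failure reported above, added here as an example and not part of the original report or of GeoServer's code: it pairs each role search with the Spring Security warnings about an empty principal and credentials, and with the directory's "successful bind must be completed" error. The function name, the merging of both log excerpts into one stream, and the second lookup in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample: lines modelled on the two log excerpts in the report,
# merged into one stream, plus a second (constructed) lookup with no warnings.
SAMPLE_LOG = """\
2012-04-18 13:56:47,874 DEBUG [userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles for user 'testuser', DN = 'cn=testuser,ou=user,ou=path-to-users,dc=subdomain,dc=company,dc=com', with filter member={1} in search base 'OU=groups,OU=path-to-groups'
2012-04-18 13:56:47,877 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Principal
2012-04-18 13:56:47,877 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Credentials
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'OU=groups,OU=path-to-groups'
2012-04-18 14:02:10,101 DEBUG [userdetails.DefaultLdapAuthoritiesPopulator] - Searching for roles for user 'other', DN = 'cn=other,ou=user,dc=example', with filter member={1} in search base 'OU=groups,OU=path-to-groups'
"""

SEARCH = re.compile(r"Searching for roles for user '(?P<user>[^']*)', DN = '(?P<dn>[^']*)'"
                    r".* in search base '(?P<base>[^']*)'")
EMPTY = re.compile(r"SpringSecurityAuthenticationSource\] - No Authentication object set "
                   r"in SecurityContext - returning empty String as (Principal|Credentials)")
REFUSED = re.compile(r"LDAP: error code 1 .*successful bind must be completed")


def find_anonymous_role_lookups(log_text):
    """Return one finding per role search that ran without bind credentials."""
    lookups, current = [], None
    for line in log_text.splitlines():
        m = SEARCH.search(line)
        if m:
            current = dict(m.groupdict(), empty=set(), refused=False)
            lookups.append(current)
            continue
        if current is None:
            continue  # nothing to attribute this line to yet
        m = EMPTY.search(line)
        if m:
            current["empty"].add(m.group(1))
        elif REFUSED.search(line):
            current["refused"] = True
    findings = []
    for lk in lookups:
        # Empty principal AND empty credentials means the search binds anonymously.
        if lk["empty"] == {"Principal", "Credentials"}:
            findings.append({"user": lk["user"], "dn": lk["dn"], "search_base": lk["base"],
                             "server_refused": lk["refused"]})
    return findings


if __name__ == "__main__":
    for f in find_anonymous_role_lookups(SAMPLE_LOG):
        print(f)
```

A finding with `server_refused` set to false still marks a role search that went out with no credentials; it only means the directory's refusal was not seen in the same stream.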