[Geoserver-devel] LDAP authentication and ActiveDirectory support

Hi all,
these days I prepared a patch to add support for Windows ActiveDirectory as an LDAP option for the GeoServer LDAP Authentication provider.
Before preparing a pull request I would like to collect opinions on the way I implemented it.

Basically I was trying to solve http://jira.codehaus.org/browse/GEOS-5054, which affects ActiveDirectory usage, and in the meantime add some features that help AD integration.

You can find my patch here:
https://github.com/mbarto/geoserver/tree/ldap_activedirectory

Tests are still missing but I’m going to add them before making a pull request.

My approach was:

  • redefine the Spring DefaultLdapAuthoritiesPopulator (BindingLdapAuthoritiesPopulator) if a new flag (bindBeforeGroupSearch) is checked to do searches on the LDAP server in a bound context (the default one doesn’t); unfortunately I was not able to extend the original class since the method to be redefined is declared final

  • extend the Spring BindingAuthenticator to allow an alternative authentication and user data extraction method; the default one binds using the dn of the user and extracts data from a simple lookup to that dn, the alternative one binds using the username directly and extracts user data using a filter (the filter is specified by the user instead of userDnPattern and triggers the alternative auth method)

  • the filter allows extracting data by filtering on the userPrincipalName attribute, which is the login username in the Microsoft world; this attribute is not part of the dn of the user

  • an optional userFormat can be used to transform the username given by the user into the effective username to be used for login (for example to add the ActiveDirectory domain extension automatically)

  • an optional adminGroup can be specified to map a specific ActiveDirectory group to GeoServer ADMIN role (the default ADMINISTRATOR role is usually the admin user name in the Windows world, so it’s not available as a group name)

I think some of these new options can be useful for other kinds of LDAP servers too.

I did tests with a Windows 2012 Server. I hope the same can work well on previous versions too. If someone is willing to do a quick test with 2008 or 2003, it would be very much appreciated.

This is an example of configuration for the modified provider:

-7a456489:13e36ec9187:-8000 w2012 org.geoserver.security.ldap.LDAPAuthenticationProvider ldap://192.168.119.138/dc=w2012,dc=local cn=Users member={0} false true (userPrincipalName={0}) {0}@W2012.local ADMIN

Thanks
Mauro Bartolomeoli

==
GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it
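To make the flow Mauro describes concrete, here is an added example (mine, not code from the patch, GeoServer or Spring Security) that simulates it in Python against a constructed in-memory directory: the userFormat turns the typed name into a principal name, the bind uses that name, the user entry is then looked up with the userPrincipalName filter, group membership is resolved with the member={0} filter either on the bound connection or on an unbound one, and the group named in adminGroup is mapped to ROLE_ADMINISTRATOR. The directory contents, the GeoServerAdmins/GisEditors groups, the ROLE_<GROUP> naming for ordinary groups and the mock's refusal of anonymous searches (the usual AD default) are all my assumptions; the filter escaping is likewise my addition rather than something the thread discusses.

```python
"""Simulation of the ActiveDirectory-style LDAP login flow discussed above.
Added example with a constructed in-memory directory; it is not GeoServer's or
Spring Security's code, and every entry, group and password below is made up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ROOT = "dc=w2012,dc=local"

# Constructed directory: DN -> attributes. Passwords are kept in clear only
# because this is a toy; a real domain controller never exposes them.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"cn=Alice,cn=Users,{ROOT}": {"userPrincipalName": ["alice@W2012.local"], "password": ["alice-pw"]},
    f"cn=Bob,cn=Users,{ROOT}": {"userPrincipalName": ["bob@W2012.local"], "password": ["bob-pw"]},
    f"cn=GeoServerAdmins,cn=Users,{ROOT}": {"member": [f"cn=Alice,cn=Users,{ROOT}"]},
    f"cn=GisEditors,cn=Users,{ROOT}": {"member": [f"cn=Alice,cn=Users,{ROOT}", f"cn=Bob,cn=Users,{ROOT}"]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a search filter (RFC 4515),
    so user-supplied text cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


_FILTER = re.compile(r"^\(?([A-Za-z]+)=(.*?)\)?$")


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


class MockAD:
    """Stand-in for a domain controller: binds by userPrincipalName and, like a
    default AD install (assumption), refuses searches on an unbound connection."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = entries
        self.bound_as: Optional[str] = None

    def bind(self, principal: str, password: str) -> bool:
        for dn, attrs in self.entries.items():
            if principal in attrs.get("userPrincipalName", []) and password in attrs.get("password", []):
                self.bound_as = dn
                return True
        self.bound_as = None
        return False

    def search(self, ldap_filter: str, base: str = "") -> List[Tuple[str, dict]]:
        if self.bound_as is None:
            raise PermissionError("anonymous search not permitted")
        m = _FILTER.match(ldap_filter)
        if not m:
            raise ValueError("only simple (attr=value) filters are supported")
        attr, value = m.group(1), _unescape(m.group(2))
        suffix = f"{base},{ROOT}" if base else ROOT  # base is relative to the root, as in the example config
        return [(dn, a) for dn, a in self.entries.items() if dn.endswith(suffix) and value in a.get(attr, [])]


@dataclass
class LdapConfig:
    """The options from the example configuration in the message above."""
    user_filter: str = "(userPrincipalName={0})"   # replaces userDnPattern and selects the alternative auth path
    user_format: str = "{0}@W2012.local"           # turns 'alice' into the principal name AD expects
    group_search_base: str = "cn=Users"
    group_search_filter: str = "member={0}"
    bind_before_group_search: bool = True
    admin_group: Optional[str] = None              # AD group mapped to ROLE_ADMINISTRATOR
    group_admin_group: Optional[str] = None        # AD group mapped to ROLE_GROUP_ADMIN


def load_roles(server: MockAD, cfg: LdapConfig, user_dn: str) -> Set[str]:
    """Resolve group membership into GeoServer-style roles."""
    if not cfg.bind_before_group_search:
        server.bound_as = None  # default populator behaviour: search on an unbound connection
    try:
        groups = server.search(cfg.group_search_filter.replace("{0}", escape_filter_value(user_dn)),
                               base=cfg.group_search_base)
    except PermissionError:
        return set()            # the login itself succeeded, but the user ends up with no roles
    roles: Set[str] = set()
    for dn, _ in groups:
        cn = dn.split(",")[0].split("=", 1)[1]
        if cfg.admin_group and cn == cfg.admin_group:
            roles.add("ROLE_ADMINISTRATOR")
        elif cfg.group_admin_group and cn == cfg.group_admin_group:
            roles.add("ROLE_GROUP_ADMIN")
        else:
            roles.add("ROLE_" + cn.upper())  # assumed naming for ordinary groups
    return roles


def authenticate(server: MockAD, cfg: LdapConfig, username: str, password: str) -> Optional[Tuple[str, Set[str]]]:
    """Alternative auth path: bind with the formatted username, then look the entry up by filter."""
    principal = cfg.user_format.replace("{0}", username) if cfg.user_format else username
    if not server.bind(principal, password):
        return None
    hits = server.search(cfg.user_filter.replace("{0}", escape_filter_value(principal)))
    if len(hits) != 1:
        return None  # zero or several matching entries: refuse rather than guess
    user_dn = hits[0][0]
    return user_dn, load_roles(server, cfg, user_dn)


if __name__ == "__main__":
    ad = MockAD(DIRECTORY)
    print(authenticate(ad, LdapConfig(admin_group="GeoServerAdmins"), "alice", "alice-pw"))
```

Running it with `bind_before_group_search=False` shows the difference the flag makes: the bind succeeds, but the group search on the unbound connection is refused and the user gets an empty role set, which is the situation the bound-context populator is meant to avoid.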


Hi Mauro,

Sorry for the late reply on this. The approach sounds good to me. A couple of thoughts and suggestions.

Perhaps it makes sense to have a separate “ActiveDirectory” provider, rather than overload the default ldap one with more options. Just a suggestion, not sure how much of the existing provider is used in this scheme.

Regardless of one or more providers, it would be good if we could update the docs along with this patch. The relevant page being:

http://docs.geoserver.org/stable/en/user/security/auth/providers.html#ldap-authentication

-Justin

···

On Wed, Apr 24, 2013 at 10:32 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/4/30 Justin Deoliveira <jdeolive@anonymised.com>

Hi Mauro,

Sorry for the late reply on this. The approach sounds good to me. A couple
of thoughts and suggestions.

Perhaps it makes sense to have a separate "ActiveDirectory" provider,
rather than overload the default ldap one with more options. Just a
suggestion, not sure how much of the existing provider is used in this
scheme.

I thought about that, but I think the new options (particularly the ones
dealing with role extraction in a bound context) could be useful for
other kinds of LDAP servers too, not only for ActiveDirectory ones.

Regardless of one or more providers, it would be good if we could update
the docs along with this patch. The relevant page being:

http://docs.geoserver.org/stable/en/user/security/auth/providers.html#ldap-authentication

Sure, I will do that before making the pull request.

Thanks for the suggestions.

Mauro


-------------------------------------------------------

Hi Justin and all,
I prepared a pull request for this:
https://github.com/geoserver/geoserver/pull/232
If someone would like to have a look at it before merging, it would be
awesome.

I added some tests: tests were missing completely in the security ldap
module, so I needed to add a dependency to spring-ldap-test (with scope
test) to have a mock ldap server.
For the moment I added tests only for the new features added with this
request.
I also updated the docs a little bit to explain the new options and
illustrate how to connect to an ActiveDirectory server.

Thanks
Mauro Bartolomeoli


-------------------------------------------------------

On Thu, May 9, 2013 at 11:01 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:
Hi Justin and all,
I prepared a pull request for this:
https://github.com/geoserver/geoserver/pull/232
If someone would like to have a look at it before merging, it would be
awesome.

Nice work! I just looked over the pull request and it looks good to me.

Nice improvements.

I added some tests: tests were missing completely in the security ldap
module, so I needed to add a dependency to spring-ldap-test (with scope
test) to have a mock ldap server.
For the moment I added tests only for the new features added with this
request.
I also updated the docs a little bit to explain the new options and
illustrate how to connect to an ActiveDirectory server.

Awesome. Indeed I never got around to figuring out how to set up Spring for
testing with ADs. Thanks for doing that.

Thanks
Mauro Bartolomeoli

-------------------------------------------------------


Hi Mauro, I'm testing this new feature in Geoserver 2.4-beta with a Windows
Server 2003 Domain Controller.
I followed documentation at this page:
http://docs.geoserver.org/latest/en/user/security/tutorials/activedirectory/index.html

I didn't read in the documentation what to insert in the "User lookup pattern",
so I left it blank, but if I test the connection I get "No user dn pattern
specified".

Other question: what are the options "Group to use as ADMIN" and "Group to
use as GROUP_ADMIN"?
Thanks for the great job, bye.

Francesco Mazzi


2013/8/7 fmazzi <fmazzi@anonymised.com>

Hi Mauro, I'm testing this new feature in Geoserver 2.4-beta with a Windows
Server 2003 Domain Controller.
I followed documentation at this page:

http://docs.geoserver.org/latest/en/user/security/tutorials/activedirectory/index.html

I didn't read in documentation what to insert in the "User lookup pattern",
so I left it blank, but if I test connection I get "No user dn pattern
specified".

Yes, it's a known bug of the current implementation: the "Test connection"
feature doesn't seem to work with ActiveDirectory. I will open a Jira
ticket about that. This should not prevent the real authentication from working.
Let me know if you can successfully authenticate users or if you have any
issue.

Other question: what are the options "Group to use as ADMIN" and "Group to
use as GROUP_ADMIN"?

They are the ActiveDirectory groups you want to bind to GeoServer system
roles ROLE_ADMINISTRATOR and ROLE_GROUP_ADMIN, so that users belonging to
those groups are automatically assigned administrative privileges.

Mauro


-------------------------------------------------------

Mauro Bartolomeoli-3 wrote:

2013/8/7 fmazzi <fmazzi@anonymised.com>

Yes, it's a known bug of the current implementation: the "Test connection"
feature doesn't seem to work with ActiveDirectory. I will open a Jira
ticket about that. This should not prevent the real authentication to
work.
Let me know if you can successfully authenticate users or if you have any
issue.

Mauro, you are right, the real authentication works.
Thank you very much for quick help.

Francesco Mazzi
