Hi Justin,
Another issue.
I have 2 users in my LDAP:
admin with no role
and fizzi with the GP_ADMIN role.
I logged in with fizzi and all works.
If I try to log in with the admin user, the effective user logged in is fizzi.
I logged this...
LOGIN WITH ADMIN
10 apr 17:42:59 INFO [geoserver.security] - org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@anonymised.com6...: Dn: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org; Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com..: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Not granted any authorities
10 apr 17:42:59 INFO [geoserver.security] - org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@anonymised.com9...: Dn: uid=fizzi,ou=people,dc=geoserver,dc=geosdi,dc=org; Username: fizzi; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GP_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com..: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Granted Authorities: ROLE_GP_ADMIN
Opinion?
2012/4/10 Justin Deoliveira <jdeolive@anonymised.com>:
> Yeah, we should definitely expose the ability to set the role prefix on
> the ldap auth provider. Or perhaps to drop it altogether.
>
> Francesco, can you open a jira issue for this? Thanks.
>
> -Justin
>
>
> On Tue, Apr 10, 2012 at 9:51 AM, Christian Mueller <mcrmcr21@anonymised.com>
> wrote:
>>
>>
>> Hi, Francesco and Justin
>>
>> I assume the problem is in the Spring DefaultLdapAuthoritiesPopulator
>> class; the implementation uses a role prefix "ROLE_". I had the same
>> problem with the J2EE proxy authenticator: a J2EE role "admin" was mapped
>> to "ROLE_admin".
>> I disabled this prefix logic behind the scenes for the J2EE proxy
>> authenticator and do not modify the roles.
>>
>> Would be good to have a common strategy for all authentication providers;
>> I would prefer not modifying role names provided by an external party.
>>
>> Christian
>>
>>
>>
>> 2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>
>>>
>>> Hi Justin,
>>>
>>> I'm still testing with LDAP.
>>>
>>> I noticed that if in my LDAP tree there is a group called
>>> "ROLE_GP_ADMIN", the Granted Authorities of Auth User is
>>> ROLE_ROLE_GP_ADMIN.
>>>
>>> I tried to create a role in my LDAP named GP_ADMIN and all works.
>>>
>>> Any opinion?
>>>
>>> 2012/4/6 Justin Deoliveira <jdeolive@anonymised.com>:
>>> > Hi Francesco,
>>> >
>>> > Role assignment with the ldap provider is explained here:
>>> >
>>> > http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment
>>> >
>>> > Basically, those groups in ldap your user is a part of will have to be
>>> > present in the role service. So say you are part of an ldap group named
>>> > "foo". That is mapped to the role "ROLE_FOO" when you are authenticated.
>>> > So "ROLE_FOO" needs to be defined in the role service as an administrator
>>> > role if you want to have full ui admin privileges. Explained here:
>>> >
>>> > http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles
>>> >
>>> > The alternative is to ignore ldap groups and use a user group service.
>>> > But this means having to redefine users in your user group service that
>>> > are in your ldap server. But it gives you full control over the role
>>> > assignment.
>>> >
>>> > On Fri, Apr 6, 2012 at 3:58 AM, Francesco Izzi
>>> > <francesco.izzi@anonymised.com>
>>> > wrote:
>>> >>
>>> >> Hi Justin,
>>> >>
>>> >> I also try to manage LDAP groups.
>>> >>
>>> >> I set this for group binding:
>>> >>
>>> >> Group search base
>>> >> ou=groups
>>> >>
>>> >> Group search filter
>>> >> memberUid={0}
>>> >>
>>> >> The login works but the LDAP user is logged in without any role.
>>> >>
>>> >> I see in the log:
>>> >>
>>> >> 06 apr 11:54:20 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Principal
>>> >> 06 apr 11:54:20 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Credentials
>>> >>
>>> >>
>>> >>
>>> >> 2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:
>>> >> > Yep Justin,
>>> >> >
>>> >> > works!!!
>>> >> >
>>> >> >
>>> >> > Thanks,
>>> >> >
>>> >> > 2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:
>>> >> >> Hi Francesco,
>>> >> >>
>>> >> >> It is a bit weird but the root domain components are actually
>>> >> >> specified as part of the server url... so try the following instead:
>>> >> >>
>>> >> >> url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org
>>> >> >>
>>> >> >> Also, the user lookup is a template for a lookup, and generally not a
>>> >> >> fixed user... but i guess it could be. The idea is to specify this:
>>> >> >>
>>> >> >> user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org
>>> >> >>
>>> >> >> Where {0} is replaced with the username being logged in. The above
>>> >> >> would ignore the username specified and always log in as admin...
>>> >> >> perhaps that is intended.
>>> >> >>
>>> >> >> Also, there is a tutorial here that might be worth going through.
>>> >> >>
>>> >> >> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>>> >> >>
>>> >> >> Hope that helps, let me know how it goes.
>>> >> >>
>>> >> >> -Justin
>>> >> >>
>>> >> >>
>>> >> >> On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi
>>> >> >> <francesco.izzi@anonymised.com>
>>> >> >> wrote:
>>> >> >>>
>>> >> >>> Hi Justin,
>>> >> >>>
>>> >> >>> I see your work, very impressed.
>>> >> >>>
>>> >> >>> I tried to configure an LDAP provider but I always get:
>>> >> >>>
>>> >> >>> javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
>>> >> >>>
>>> >> >>> my configuration parameters:
>>> >> >>>
>>> >> >>> name: ldap-geosdi
>>> >> >>> url: ldap://150.145.133.83/
>>> >> >>> user lookup pattern: dc=geoserver,dc=geosdi,dc=org
>>> >> >>>
>>> >> >>> user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
>>> >> >>> pass: myPass
>>> >> >>>
>>> >> >>> the stack trace:
>>> >> >>>
>>> >> >>> org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException: Unable to serialize class: com.sun.jndi.ldap.LdapCtx
>>> >> >>> Field hierarchy is:
>>> >> >>> 3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage, path=3]
>>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=[Ljava.lang.Object;]
>>> >> >>> protected org.apache.wicket.util.collections.MiniMap org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8] [class=org.apache.wicket.markup.html.panel.FeedbackPanel, path=3:feedback]
>>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$1, path=3:feedback:feedbackul]
>>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView, path=3:feedback:feedbackul:messages]
>>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.list.ListItem, path=3:feedback:feedbackul:messages:0]
>>> >> >>> java.lang.Object org.apache.wicket.Component.data [class=[Ljava.lang.Object;]
>>> >> >>> java.lang.Object org.apache.wicket.Component.data[0][1] [class=org.apache.wicket.AttributeModifier]
>>> >> >>> private final org.apache.wicket.model.IModel org.apache.wicket.AttributeModifier.replaceModel [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
>>> >> >>> final org.apache.wicket.feedback.FeedbackMessage org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message [class=org.apache.wicket.feedback.FeedbackMessage]
>>> >> >>> private final java.io.Serializable org.apache.wicket.feedback.FeedbackMessage.message [class=javax.naming.InvalidNameException]
>>> >> >>> protected java.lang.Object javax.naming.NamingException.resolvedObj [class=com.sun.jndi.ldap.LdapCtx] <----- field that is not serializable
>>> >> >>> at org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)
>>> >> >>>
>>> >> >>> Suggestion?
>>> >> >>>
>>> >> >>> Regards,
>>> >> >>>
>>> >> >>> 2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:
>>> >> >>> > Ok, build should be back to normal now. Thanks for the patience
>>> >> >>> > everyone.
>>> >> >>> >
>>> >> >>> > On Wed, Apr 4, 2012 at 2:51 AM, Justin Deoliveira
>>> >> >>> > <jdeolive@anonymised.com>
>>> >> >>> > wrote:
>>> >> >>> >>
>>> >> >>> >> OK... good news i found the leak. Was a matter of making sure the
>>> >> >>> >> wicket tester instance is destroyed in test tear down. Bad news is
>>> >> >>> >> the build is still failing because of some issues in the jdbc
>>> >> >>> >> security module. Those tests aren't actually supposed to be running,
>>> >> >>> >> i put them in a profile to explicitly be run. Again... will have to
>>> >> >>> >> pick this up tomorrow. And again... apologies for the inconvenience.
>>> >> >>> >>
>>> >> >>> >> On Wed, Apr 4, 2012 at 8:26 AM, Justin Deoliveira
>>> >> >>> >> <jdeolive@anonymised.com>
>>> >> >>> >> wrote:
>>> >> >>> >>>
>>> >> >>> >>> Hi all,
>>> >> >>> >>>
>>> >> >>> >>>
>>> >> >>> >>> The security work has been committed. The settings on the build
>>> >> >>> >>> server (256M of heap for tests) have brought out a memory leak. I
>>> >> >>> >>> run with 512m locally (the default defined in the root pom) so I
>>> >> >>> >>> didn't see this before. I spent a while looking for the leak
>>> >> >>> >>> tonight but haven't come up with anything yet. I will have to pick
>>> >> >>> >>> this back up tomorrow, it will be my top priority.
>>> >> >>> >>>
>>> >> >>> >>> For now i have upped the test heap on the server to 512m as a
>>> >> >>> >>> temporary measure to try and get the build back. Hopefully that
>>> >> >>> >>> fixes it.
>>> >> >>> >>>
>>> >> >>> >>> Again I will pick this back up first thing tomorrow. I apologize
>>> >> >>> >>> for the inconvenience.
>>> >> >>> >>>
>>> >> >>> >>> -Justin
>>> >> >>> >>>
>>> >> >>> >>> --
>>> >> >>> >>> Justin Deoliveira
>>> >> >>> >>> OpenGeo - http://opengeo.org
>>> >> >>> >>> Enterprise support for open source geospatial.
>>> >> >>> >>>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >
>>> >> >>> > ------------------------------------------------------------------------------
>>> >> >>> > Better than sec? Nothing is better than sec when it comes to
>>> >> >>> > monitoring Big Data applications. Try Boundary one-second
>>> >> >>> > resolution app monitoring today. Free.
>>> >> >>> > http://p.sf.net/sfu/Boundary-dev2dev
>>> >> >>> > _______________________________________________
>>> >> >>> > Geoserver-devel mailing list
>>> >> >>> > Geoserver-devel@lists.sourceforge.net
>>> >> >>> > https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>> >> >>> >
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> --
>>> >> >>> Francesco Izzi
>>> >> >>> CNR - IMAA
>>> >> >>> geoSDI
>>> >> >>> Direzione Tecnologie e Sviluppo
>>> >> >>>
>>> >> >>> C.da S. Loja
>>> >> >>> 85050 Tito Scalo - POTENZA (PZ)
>>> >> >>> Italia
>>> >> >>>
>>> >> >>> phone: +39 0971427305
>>> >> >>> fax: +39 0971 427271
>>> >> >>> mob: +39 3203126609
>>> >> >>> mail: francesco.izzi@anonymised.com
>>> >> >>> skype: neofx8080
>>> >> >>>
>>> >> >>> web: http://www.geosdi.org
>>> >> >>
>>> >> >>
>>> >
>>> >
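An added example, not GeoServer or Spring Security code, written in Python rather than the project's Java; it covers three points from the thread above. `fill_template` fills the `{0}` placeholder of the user lookup pattern (`uid={0},ou=people,...`) or of the group search filter (`memberUid={0}`) with the login name, escaping it for a DN (RFC 4514) or for a search filter (RFC 4515), and refuses a template without `{0}`, which would resolve every login to the same fixed entry, as Justin notes. `group_to_role` maps an LDAP group name to a role name and applies the `ROLE_` prefix at most once, so a group named `ROLE_GP_ADMIN` does not come out as `ROLE_ROLE_GP_ADMIN`; an empty prefix leaves the external name untouched, which is what Christian prefers. `shared_sessions` parses records shaped like the `[geoserver.security]` log lines at the top of the page and reports any SessionId that appears with more than one Username, which is what the two records for `qfsj4ceu9ffd` show. The function names, the `ROLE_` default and the two sample records are this example's own constructions; the regular expressions assume the `Field: value;` layout seen in those log lines.

```python
"""Added example (Python, not GeoServer/Spring Security code) for the LDAP
lookup template, the ROLE_ prefix and the security-log records in the thread."""
import re

ROLE_PREFIX = "ROLE_"          # assumed default, matching the prefix seen in the thread
_DN_SPECIAL = set(',+"\\<>;')  # characters that must be escaped inside a DN value


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def fill_template(template: str, username: str, escape=escape_dn_value) -> str:
    """Replace {0} with the escaped login name. A template without {0} is refused:
    it would bind the same fixed entry no matter which username was submitted."""
    if "{0}" not in template:
        raise ValueError("template has no {0} placeholder")
    return template.replace("{0}", escape(username))


def group_to_role(group_cn: str, prefix: str = ROLE_PREFIX) -> str:
    """Map an LDAP group name to a role name. An empty prefix keeps the external
    name as-is; otherwise the prefix is added only when not already present,
    so 'ROLE_GP_ADMIN' stays 'ROLE_GP_ADMIN' instead of 'ROLE_ROLE_GP_ADMIN'."""
    name = group_cn.strip()
    if not prefix or name.upper().startswith(prefix.upper()):
        return name
    return prefix + name.upper()


# Field patterns for the "Field: value;" layout of the authentication-token records.
_FIELD = {
    "user": re.compile(r"Username:\s*([^;]+);"),
    "authorities": re.compile(r"Granted\s+Authorities:\s*([^;]*);"),
    "ip": re.compile(r"RemoteIpAddress:\s*([^;]+);"),
    "sid": re.compile(r"SessionId:\s*([^;]+);"),
}


def parse_auth_record(record: str):
    """Extract Username, Granted Authorities, RemoteIpAddress and SessionId from one
    log record; return None when the record is not an authentication token."""
    found = {key: rx.search(record) for key, rx in _FIELD.items()}
    if not (found["user"] and found["sid"]):
        return None
    auth = found["authorities"].group(1) if found["authorities"] else ""
    return {
        "user": found["user"].group(1).strip(),
        "authorities": [a.strip() for a in auth.split(",") if a.strip()],
        "ip": found["ip"].group(1).strip() if found["ip"] else "",
        "sid": found["sid"].group(1).strip(),
    }


def shared_sessions(records):
    """Return {SessionId: sorted usernames} for every session seen with more than one Username."""
    seen = {}
    for parsed in filter(None, map(parse_auth_record, records)):
        seen.setdefault(parsed["sid"], set()).add(parsed["user"])
    return {sid: sorted(users) for sid, users in seen.items() if len(users) > 1}


# Constructed sample records, shaped like the two [geoserver.security] lines in the thread.
SAMPLE_LOG = [
    "10 apr 17:42:59 INFO [geoserver.security] - UsernamePasswordAuthenticationToken: "
    "Principal: LdapUserDetailsImpl: Dn: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org; "
    "Username: admin; Password: [PROTECTED]; Enabled: true; Granted Authorities: ; "
    "Credentials: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; "
    "SessionId: qfsj4ceu9ffd; Not granted any authorities",
    "10 apr 17:42:59 INFO [geoserver.security] - UsernamePasswordAuthenticationToken: "
    "Principal: LdapUserDetailsImpl: Dn: uid=fizzi,ou=people,dc=geoserver,dc=geosdi,dc=org; "
    "Username: fizzi; Password: [PROTECTED]; Enabled: true; Granted Authorities: ROLE_GP_ADMIN; "
    "Credentials: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; "
    "SessionId: qfsj4ceu9ffd; Granted Authorities: ROLE_GP_ADMIN",
]

if __name__ == "__main__":
    print(fill_template("uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org", "fizzi"))
    print(fill_template("memberUid={0}", "*)(uid=*", escape_filter_value))
    print(group_to_role("GP_ADMIN"), group_to_role("ROLE_GP_ADMIN"), group_to_role("gp_admin", ""))
    print(shared_sessions(SAMPLE_LOG))
```

Run as a script it prints the filled templates, the role mappings and the session report; in a real deployment the parser would be fed the security log instead of the constructed `SAMPLE_LOG`, and a session reported by `shared_sessions` is the one to look at first when the logged-in identity does not match the submitted username.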