[Geoserver-users] Active Directory group roles

I am having trouble using Active Directory while still designating
certain users to have the ADMIN role in geoserver.

I am using Geoserver 2.5.0 and have been following the documentation at:
http://docs.geoserver.org/stable/en/user/security/tutorials/activedirectory/index.html

I am able to successfully authenticate users against Active Directory.
You can type in a username, password for a user and Geoserver logs them
in. However, I am not able to grant certain users the ADMIN role.

How should I be translating our Active Directory structure into the LDAP
setting fields?

We have created a group in ADS:
CN=Geobase Admins,OU=Application Groups,OU=COB Groups,OU=Groups,DC=cob,DC=bloomington,DC=in,DC=gov

Members for this group show up in the group's member parameter as:
CN=username,OU=Showers,OU=ITS,OU=City Hall,OU=Departments,DC=cob,DC=bloomington,DC=in,DC=gov

In the LDAP Authentication Provider screen, I am not certain if I am
getting the settings correct. I believe Geoserver is doing a search for
groups using a username as the filter. In order to get a search like
this to work in my LDAP client, I have to use:

Search Base: CN=GeobaseAdmins,OU=Application Groups,OU=COB Groups,OU=Groups,dc=cob,dc=bloomington,dc=in,dc=gov

Search filter: member=CN=username,OU=Showers,OU=ITS,OU=City Hall,OU=Departments,DC=cob,DC=bloomington,DC=in,DC=gov

I have tried entering this information into the LDAP setting fields in
many ways, yet, when I try the instructions in "Test a LDAP login", the
user I log in as does not have administrative functionality.

--
Cliff Ingham
City of Bloomington, Indiana
http://www.ohloh.net/accounts/inghamn

Hi Cliff,
can you share the configuration of the LDAPAuthenticationProvider you are using?

Mauro

···

2014-04-01 16:50 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Hi Cliff, I don’t know if it’s simply a mistype, but I see that in your initial mail the group is named “Geobase Admins”, with a space in it, but in configuration you are missing the space.

Mauro

···

2014-04-01 17:40 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

Sure. (I’ve changed the domain name of the server, to avoid embarrassment).

Again, the part for the authentication itself seems to be working.

Server URL: ldaps://localhost:636/dc=cob,dc=bloomington,dc=in,dc=gov
TLS: not checked
User lookup pattern:
Filter used to lookup user: userPrincipalName={0}
Format used for user login name: {0}@bloomington.in.gov

Here’s what I’ve got in there right now. I’ve also tried many
variations of these settings, as well.

Authorization

Use LDAP groups for authorization: checked
Bind user before searching for groups: checked
Group search base: CN=GeobaseAdmins,OU=Application Groups,OU=COB Groups,OU=Groups
Group search filter: member=CN={0},OU=Showers,OU=ITS,OU=City Hall,OU=Departments,DC=cob,DC=bloomington,DC=in,DC=gov
Group to use as ADMIN: GEOBASEADMINS
Group to use as GROUP_ADMIN:

On 04/01/2014 11:24 AM, Mauro Bartolomeoli wrote:


==
Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Cliff, I’m moving the discussion to the mailing list; I see that our last emails were private.
The error is quite strange; it seems it cannot locate the geoserver.log file. Are you using an external data dir? Deploying on a web container (like Tomcat) or the standalone binary?

···

Mauro

2014-04-01 20:12 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

I do not have permission to report a bug in Jira, so I guess bugs get reported here.

/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.admin.LogPage




On Tue, Apr 1, 2014 at 1:47 PM, Cliff Ingham <inghamn@anonymised.com> wrote:

I cannot change the log settings. The GeoServer Logs link crashes with
a NullPointerException.

Caused by: java.lang.NullPointerException at
java.io.File.<init>(File.java:277) at
org.geoserver.web.admin.LogPage.<init>(LogPage.java:58) ... 107 more

I guess I’ll file a bug for that in Jira.

In the meantime, I’m only guessing as to what’s going on behind the scenes.

On 04/01/2014 01:12 PM, Mauro Bartolomeoli wrote:

Hi Cliff,

2014-04-01 18:56 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

Alas, I’ve updated my previous settings to change the Group to use as
ADMIN to be ROLE_GEOBASEADMINS, but still no dice.

What is Geoserver selecting for, in this case? Is it attempting to find
the group? Is there a log in geoserver I can enable to see the LDAP
query and response?

Yes, you can try raising the GeoServer logging level to verbose and see if
there is any trace in the log of the queries to LDAP (you can also send me
the log if you wish and I will try to help).
Basically what is done in this case is to extract all groups to which the
user belongs, using your configuration settings, and look for one
corresponding to GEOBASEADMINS.
Another issue can be a wrong filter for membership search; I would try
with the simple member={0}, since {0} should be replaced by the full user
DN. You can also use {1} to mean the username instead.
Some more documentation here:
http://docs.geoserver.org/latest/en/user/webadmin/security/auth.html#ldap-provider

Mauro


Cliff Ingham
City of Bloomington, Indiana
http://www.ohloh.net/accounts/inghamn

Moving this discussion back to the mailing list too.

···

2014-04-01 20:26 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

I’ve tried simply setting member={0}, but that does not work. And I’m
not really certain how that could. How does the system know our full DN
for users?

This is simple: when you authenticate, GeoServer gets the full user info (including his/her DN) from the LDAP repository; then it can use that or the entered username to look for group membership. The fact that it doesn’t assign you the admin role could be due to:

  • inability to search for membership for security reasons (but normally a logged-on user should be able to do those searches)
  • wrong search filter
  • some bugs in the code

We recently had some problems when the folder containing groups has subfolders inside. Could this be your case?

Thanks
Mauro Bartolomeoli
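To make the lookup Mauro describes in his two replies concrete (the {0}/{1} substitution in the group search filter, the search under the group search base, and the final comparison against the group configured as ADMIN), here is an added example that is not part of the thread and not GeoServer code: a toy in-memory model of that procedure run against the DNs quoted above. The directory contents, the `username` login name, the treatment of the search base as relative to the root DN in the ldaps:// URL, and the RFC 4515 escaping step are assumptions made for the example; it does not claim how GeoServer itself escapes values or compares group names.

```python
"""Toy model of the LDAP group lookup described in this thread.

Added example, not GeoServer code. It runs against a small constructed
in-memory directory mirroring the DNs quoted in the thread and walks the
described steps: substitute the authenticated user's full DN for {0} (or
the bare username for {1}) in the group search filter, search under the
group search base (assumed relative to the root DN in the ldaps:// URL),
then check whether a returned group matches the name configured as ADMIN.
"""
import re

ROOT_DN = "dc=cob,dc=bloomington,dc=in,dc=gov"          # from the server URL
USER_DN = ("CN=username,OU=Showers,OU=ITS,OU=City Hall,OU=Departments,"
           "DC=cob,DC=bloomington,DC=in,DC=gov")
GROUP_OU = "OU=Application Groups,OU=COB Groups,OU=Groups," + ROOT_DN

# Constructed directory: the user plus two groups listing that user as member.
DIRECTORY = {
    USER_DN: {"cn": ["username"],
              "userPrincipalName": ["username@bloomington.in.gov"]},
    "CN=Geobase Admins," + GROUP_OU: {"cn": ["Geobase Admins"],
                                       "member": [USER_DN]},
    "CN=GIS Viewers," + GROUP_OU: {"cn": ["GIS Viewers"],
                                    "member": [USER_DN]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for anything substituted into a filter, so a login
    name such as 'a)(cn=*' cannot turn one equality clause into two."""
    out = value.replace("\\", "\\5c")          # backslash first
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, esc)
    return out


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def normalize_dn(dn):
    """DNs compare case-insensitively; this toy ignores escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_filter(template, user_dn, username):
    """Fill the GeoServer-style placeholders: {0} = full DN, {1} = username."""
    return (template.replace("{0}", escape_filter_value(user_dn))
                    .replace("{1}", escape_filter_value(username)))


def search(base, filt):
    """Subtree search for a single 'attr=value' equality filter."""
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]
    attr, _, raw = filt.partition("=")
    if re.search(r"[()*]", raw):               # unescaped metacharacter: reject
        raise ValueError("malformed filter value: " + raw)
    attr, wanted = attr.strip().lower(), unescape_filter_value(raw)
    base_n, hits = normalize_dn(base), []
    for dn, attrs in DIRECTORY.items():
        dn_n = normalize_dn(dn)
        if dn_n != base_n and not dn_n.endswith("," + base_n):
            continue                           # entry is outside the search base
        values = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
        if attr == "member":                   # DN-valued attribute: DN comparison
            match = any(normalize_dn(v) == normalize_dn(wanted) for v in values)
        else:
            match = any(v == wanted for v in values)
        if match:
            hits.append(dn)
    return hits


def groups_for_user(group_search_base, filter_template, user_dn, username):
    """Names (cn) of the groups the configured search returns for the user."""
    base = group_search_base.strip() or ROOT_DN
    if not base.lower().endswith(ROOT_DN):
        base = base + "," + ROOT_DN            # relative base, as in the posted config
    filt = build_filter(filter_template, user_dn, username)
    return [DIRECTORY[dn]["cn"][0] for dn in search(base, filt)]


def grants_admin(group_names, admin_group):
    """ADMIN only if a returned group name equals the configured one
    (case-insensitively here); 'GeobaseAdmins' never equals 'Geobase Admins'."""
    return any(g.lower() == admin_group.lower() for g in group_names)


if __name__ == "__main__":
    posted_base = "CN=GeobaseAdmins,OU=Application Groups,OU=COB Groups,OU=Groups"
    posted_filter = ("member=CN={0},OU=Showers,OU=ITS,OU=City Hall,OU=Departments,"
                     "DC=cob,DC=bloomington,DC=in,DC=gov")
    print(groups_for_user(posted_base, posted_filter, USER_DN, "username"))
    print(groups_for_user(GROUP_OU, "member={0}", USER_DN, "username"))
    print(grants_admin(["Geobase Admins", "GIS Viewers"], "GEOBASEADMINS"))
    print(grants_admin(["Geobase Admins", "GIS Viewers"], "Geobase Admins"))
```

Run as a script, it shows the posted settings returning no groups (the base spells the group without the space and the filter wraps the full DN in a second `CN=`), `member={0}` under the groups OU returning both groups, and `GEOBASEADMINS` still failing the final name comparison against `Geobase Admins`.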



I am using the war version, running on Tomcat. I have configured my
data dir to be outside of the web app, using the environment variable
set in CATALINA_OPTS.

Is the path to the log file configured somewhere that I can change?

The webapp is
/srv/webapps/geoserver

and the data dir is
/srv/geoserver

Tomcat has full access to both directories.

On 04/02/2014 03:02 AM, Mauro Bartolomeoli wrote:

Hi Cliff, I'm moving the discussion to the mailing list, I see that our
last emails were private.
The error is quite strange, it seems it cannot locate the geoserver.log
file. Are you using an external data dir? Deploying on a web container
(like Tomcat) or the standalone binary?

Mauro

2014-04-01 20:12 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

I do not have permission to report a bug in Jira, so I guess bugs get
reported here.

/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.admin.LogPage

org.apache.wicket.WicketRuntimeException: Can't instantiate page using
constructor public
org.geoserver.web.admin.LogPage(org.apache.wicket.PageParameters) and
argument at
org.apache.wicket.session.DefaultPageFactory.createPage(DefaultPageFactory.java:212)
at
org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:65)
at
org.apache.wicket.request.target.component.BookmarkablePageRequestTarget.newPage(BookmarkablePageRequestTarget.java:298)
at
org.apache.wicket.request.target.component.BookmarkablePageRequestTarget.getPage(BookmarkablePageRequestTarget.java:320)
at
org.apache.wicket.request.target.component.BookmarkablePageRequestTarget.processEvents(BookmarkablePageRequestTarget.java:234)
at
org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92)
at
org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1250)
at org.apache.wicket.RequestCycle.step(RequestCycle.java:1329) at
org.apache.wicket.RequestCycle.steps(RequestCycle.java:1436) at
org.apache.wicket.RequestCycle.request(RequestCycle.java:545) at
org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:484)
at
org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:138)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at
org.springframework.web.servlet.mvc.ServletWrappingController.handleRequestInternal(ServletWrappingController.java:159)
at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:27)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:74)
at
org.geoserver.wms.animate.AnimatorFilter.doFilter(AnimatorFilter.java:70)
at
org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:70)
at
org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:45)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:49)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter.doFilter(GeoServerAnonymousAuthenticationFilter.java:53)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at
org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:115)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:146)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at
org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at
org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:134)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:75)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:47)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:43)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.vfny.geoserver.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1852)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:408)
at org.apache.wicket.session.DefaultPageFactory.createPage(DefaultPageFactory.java:188)
... 102 more
Caused by: java.lang.NullPointerException
at java.io.File.<init>(File.java:277)
at org.geoserver.web.admin.LogPage.<init>(LogPage.java:58)
... 107 more

On Tue, Apr 1, 2014 at 1:47 PM, Cliff Ingham <inghamn@anonymised.com> wrote:

I cannot change the log settings. The GeoServer Logs link crashes with
a NullPointerException.

Caused by: java.lang.NullPointerException
at java.io.File.<init>(File.java:277)
at org.geoserver.web.admin.LogPage.<init>(LogPage.java:58)
... 107 more

I guess I'll file a bug for that in Jira.

In the meantime, I'm only guessing as to what's going on behind the
scenes.

On 04/01/2014 01:12 PM, Mauro Bartolomeoli wrote:

Hi Cliff,

2014-04-01 18:56 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

Alas, I've updated my previous settings to change the Group to use as
ADMIN to be ROLE_GEOBASEADMINS, but still no dice.

What is Geoserver selecting for, in this case? Is it attempting to find
the group? Is there a log in geoserver I can enable to see the LDAP
query and response?

Yes, you can try to raise the Geoserver logging level to verbose and see if
there is any trace in the log of the queries to LDAP (you can also send
me the log if you wish and I will try to help).
Basically what is done in this case is to extract all groups to which
the user belongs, using your configuration settings, and look for one
corresponding to GEOBASEADMINS.
Another issue can be a wrong filter for the membership search. I would try
with the simple member={0}, since {0} should be replaced by the full user
DN; you can also use {1} to mean the username instead.
Some more documentation here:

http://docs.geoserver.org/latest/en/user/webadmin/security/auth.html#ldap-provider

Mauro

--
--
Cliff Ingham
City of Bloomington, Indiana
http://www.ohloh.net/accounts/inghamn

On 04/02/2014 03:07 AM, Mauro Bartolomeoli wrote:

Moving this discussion too back to the mailing list.

2014-04-01 20:26 GMT+02:00 Cliff Ingham <inghamn@anonymised.com>:

I've tried simply setting member={0}, but that does not work. And I'm
not really certain how that could. How does the system know our full DN
for users?

This is simple: when you authenticate, geoserver gets the full user info
(including his/her DN) from the LDAP repository, then it can use that or the
entered username to look for group membership. The fact that it doesn't
assign you the admin role could be due to:
- inability to search for membership for security reasons (but normally a
logged-on user should be able to do those searches)
- a wrong search filter
- some bug in the code

We're using Active Directory and non-default directory structure. I
still cannot figure out how geoserver would actually know the DN for a
user. It would not get it from the bind operation. We bind with just a
plain email address and password. This bind process does not return any
data about the user entry.

You would need to do a search for the user to get the full DN. And
geoserver does not seem to have a configuration asking for the search
base and filter for users.

We had recently some problems when the folder containing groups has
subfolders inside. Could this be your case?

We do, in fact, have lots of nested folders in our "Application Groups"
folder.

Thanks
Mauro Bartolomeoli

Hi Cliff,


We’re using Active Directory and non-default directory structure. I
still cannot figure out how geoserver would actually know the DN for a
user. It would not get it from the bind operation. We bind with just a
plain email address and password. This bind process does not return any
data about the user entry.

Ok, just to explain the whole process: after binding the user with username@bloomington.in.gov and the given password, a search is done with the filter userPrincipalName={0} and then if one and only one user is found the DN of that user is extracted.

Mauro

==
Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it
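The lookup sequence Mauro describes above (bind with the UPN, search with userPrincipalName={0} and require exactly one hit, then search for groups with a filter in which {0} is the user's full DN and {1} the username, and finally compare the resulting role names against the one configured as ADMIN) is easier to reason about when it is run against a small directory. The following is an added example written for this page; it is not GeoServer's code or a dump of the City of Bloomington AD. The in-memory DIRECTORY, the nested "Geobase Editors" group under a sub-OU, the user base DN and the search-scope flag are constructed assumptions. The role mapping (ROLE_ prefix plus the upper-cased group cn) follows the ROLE_GEOBASEADMINS naming used in the thread and is likewise an assumption; the point it makes is that the configured admin role must match exactly what the directory's cn becomes after that mapping, spaces included.

```python
"""
Added example (not GeoServer's code): simulate the bind -> user DN lookup ->
group membership search sequence described in the thread against an
in-memory directory, so the effect of {0}/{1} substitution, search scope
and role-name mapping can be observed.  All directory contents below are
constructed for illustration, modelled on the DNs quoted in the thread.
"""
import re

USER_DN = ("CN=username,OU=Showers,OU=ITS,OU=City Hall,OU=Departments,"
           "DC=cob,DC=bloomington,DC=in,DC=gov")
GROUP_BASE = ("OU=Application Groups,OU=COB Groups,OU=Groups,"
              "DC=cob,DC=bloomington,DC=in,DC=gov")
USER_BASE = "DC=cob,DC=bloomington,DC=in,DC=gov"   # assumed user search base

# Constructed directory: DN -> attributes.  AD's 'member' attribute holds the
# member's full DN, which is why a username-valued filter cannot match it.
DIRECTORY = {
    USER_DN: {
        "objectClass": ["user"],
        "userPrincipalName": ["username@bloomington.in.gov"],
        "sAMAccountName": ["username"],
    },
    "CN=Geobase Admins," + GROUP_BASE: {
        "objectClass": ["group"],
        "cn": ["Geobase Admins"],
        "member": [USER_DN],
    },
    # Assumed: a group sitting in a sub-OU one level below the group search base.
    "CN=Geobase Editors,OU=Nested," + GROUP_BASE: {
        "objectClass": ["group"],
        "cn": ["Geobase Editors"],
        "member": [USER_DN],
    },
}

def norm(value):
    """Case-insensitive, comma-whitespace-insensitive form for DN comparison."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()

def in_scope(dn, base, subtree):
    """True if dn lies under base: at any depth (subtree) or exactly one level."""
    n_dn, n_base = norm(dn), norm(base)
    if n_dn == n_base or not n_dn.endswith("," + n_base):
        return False
    rel = n_dn[: -len(n_base) - 1]
    return subtree or "," not in rel   # one-level: a single RDN left of the base

def search(base, ldap_filter, subtree=True):
    """Evaluate a single 'attr=value' equality filter (parentheses optional)."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, subtree)
            and any(norm(v) == norm(value) for v in attrs.get(attr, []))]

def resolve_user_dn(upn, user_base=USER_BASE):
    """Step after the bind: userPrincipalName={0}; exactly one hit is required."""
    hits = search(user_base, "userPrincipalName={0}".format(upn))
    if len(hits) != 1:
        raise LookupError("expected exactly one user for %s, got %d" % (upn, len(hits)))
    return hits[0]

def group_roles(user_dn, username, group_filter="member={0}", subtree=True):
    """Substitute {0}=user DN and {1}=username into the group filter, run it
    under GROUP_BASE and map each group cn to a role name.  The ROLE_ prefix
    plus upper-casing is an assumption modelled on ROLE_GEOBASEADMINS."""
    ldap_filter = group_filter.replace("{0}", user_dn).replace("{1}", username)
    return sorted("ROLE_" + DIRECTORY[dn]["cn"][0].upper()
                  for dn in search(GROUP_BASE, ldap_filter, subtree))

def is_admin(upn, username, admin_role, group_filter="member={0}", subtree=True):
    """End-to-end check: user DN lookup, group search, then exact role comparison."""
    return admin_role in group_roles(resolve_user_dn(upn), username,
                                     group_filter, subtree)

if __name__ == "__main__":
    dn = resolve_user_dn("username@bloomington.in.gov")
    print("user DN:", dn)
    print("member={0}, subtree  :", group_roles(dn, "username"))
    print("member={0}, one-level:", group_roles(dn, "username", subtree=False))
    print("member={1}           :", group_roles(dn, "username", "member={1}"))
    print("ROLE_GEOBASEADMINS  :", is_admin("username@bloomington.in.gov",
                                            "username", "ROLE_GEOBASEADMINS"))
```

Three things to check in a real configuration fall straight out of running this: a filter built on {1} finds nothing because member values are DNs, not usernames; a group in a sub-OU is only found when the group search is subtree-scoped; and the admin role string must equal the mapped group name character for character, so a cn containing a space will not match a role name written without one.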