Hello LDAP and Active Directory users.
While trying to authenticate against an ancient Active Directory (AD) I observe that my GeoServer 2.19.0 does not behave as expected. My users are scattered through different organisational units (OU) and thus I cannot use a fixed DN user lookup pattern. Instead, I use a generic user lookup filter as described in the tutorial. I read that in the most common AD configurations a user’s sAMAccountName is also part of his userPrincipalName. Unfortunately, our AD is configured in a way that the user’s sAMAccountName IS NOT part of his userPrincipalName. Example user:
givenName = Max
sn = Mustermann
userPrincipalName = Max.Mustermann@anonymised.com
sAMAccountName = must_ma
According to the tutorial I use “Filter used to lookup user: (|(userPrincipalName={0})(sAMAccountName={1}))” in conjunction with the “Format used for user login name: {0}@domain.de”. My user authentication works well if I log in with the username “Max.Mustermann”. But it does not work in any way when logging in with “must_ma”. Just using “Filter used to lookup user: (sAMAccountName={1})” and omitting the “Format used for user login name” also does not work. In contrast, with GeoNetwork it works like a charm.
All our internal services use sAMAccountName for authentication and thus I would like to keep it similar for GeoServer. I tried for days and was also digging into the code, and my conclusion is: GeoServer’s LDAP Authentication Filter implies that sAMAccountName is always part of the userPrincipalName. Otherwise, filtering by sAMAccountName does not work. Can anybody confirm that? I found an old issue GEOS-6025 which does not yield any insights. What are your experiences with such fancy AD configurations? After collecting your information I would like to improve the tutorial and the documentation because not mentioning this fact leads to a lot of frustration on the user side.
Thanks!
Michi
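As an added illustration (not GeoServer's or GeoNetwork's code), the script below expands the two placeholders of a lookup-filter template the way the post describes ({0} is the login after the "Format used for user login name", {1} the raw login), escapes the substituted values per RFC 4515, and evaluates the result against a constructed entry modelled on the example user. It only shows which branch of the filter such an entry satisfies and why escaping matters for untrusted login names; it does not model GeoServer's authentication flow, and it assumes that {0} equals the raw login when no format is configured and that AD compares these attribute values case-insensitively. The format uses the sample user's domain (@anonymised.com) so the userPrincipalName branch can match.

```python
import re

# Constructed sample entry modelled on the post (not a real account).
SAMPLE_USER = {
    "givenName": "Max",
    "sn": "Mustermann",
    "userPrincipalName": "Max.Mustermann@anonymised.com",
    "sAMAccountName": "must_ma",
}

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand_filter(template, login, login_format="{0}"):
    """{0} = login after 'Format used for user login name', {1} = raw login.
    Assumption: with no format configured, {0} is the raw login."""
    formatted = escape_filter_value(login_format.replace("{0}", login))
    return template.replace("{0}", formatted).replace("{1}", escape_filter_value(login))

def _parse(s, i):
    # Parses '(attr=value)', '(|...)' or '(&...)' starting at s[i] == '('.
    i += 1
    if s[i] in "|&":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = s.index(")", i)                   # values are escaped, so this ')' is the real close
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, unescape_filter_value(val)), j + 1

def matches(filter_str, entry):
    """True if the entry satisfies the filter (values compared case-insensitively, as AD does)."""
    def ev(node):
        if node[0] == "|":
            return any(ev(k) for k in node[1])
        if node[0] == "&":
            return all(ev(k) for k in node[1])
        return entry.get(node[1], "").lower() == node[2].lower()
    return ev(_parse(filter_str, 0)[0])

if __name__ == "__main__":
    template = "(|(userPrincipalName={0})(sAMAccountName={1}))"
    for login in ("Max.Mustermann", "must_ma", "*)(objectClass=*"):
        f = expand_filter(template, login, "{0}@anonymised.com")
        print(f, "->", matches(f, SAMPLE_USER))
```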