[Geoserver-users] LDAP Authentication

Hello,

we're trying to get Geoserver to authenticate via an AD, but the problem is that we cannot contact the AD directly (firewall). Our company has installed a so-called LDAP proxy, which uses a second functional account to look up login credentials at a provided LDAP_AUTH_URL, which is a DN to the user entries in the AD.
Now my question: Is there any way to use Geoserver with a second user instead of letting Geoserver directly bind to the LDAP with the user credentials?

Thanks for your help,
Thomas

Hi Thomas,
I don’t think this is currently possible, but let me try to understand what you need: are you asking to use a fixed set of credentials to bind Geoserver to the LDAP proxy and then do some “search / lookup” on the ldap proxy with the real credentials to authenticate?
If this is not the case, can you try to explain exactly the authentication flow you need?

Mauro

2013/7/2 <Thomas.Wanderer@anonymised.com>

Thanks for the fast reply! It is exactly what we were trying to do. I’m aware of the 2 options with LDAP… a direct binding to the LDAP with the provided login credentials, or using a second functional account which logs in and compares the login credentials with the one in the LDAP. Unfortunately our company only allows the second case, even though I would also prefer a direct binding…

Thomas


Well, then a change to the code is needed to realize your desired behaviour. I think you would need to specify:
- the fixed account credentials used to bind
- the filter to use for authentication (I think we could reuse the "filter used to lookup user" that is present on 2.4); do you have an example of a filter that you use for authentication on the ldap proxy?

It's not trivial, but not that hard to implement.
If you wish to have it implemented I think you have some options:
- try to create a patch yourself and issue a pull request
- sponsor someone to implement it for you

Mauro

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Yes, we have the following setup:

The functional account which makes the bind:

AuthLDAPBindDN “CN=ldapagent,OU=Benutzer,OU=_,DC=,DC=,DC=

AuthLDAPBindPassword ********

And we have the server URL with filter:

AuthLDAPURL “ldap://ldap-proxy..de:389/DC=,DC=,DC=?sAMAccountName?sub?(objectClass=user)”

Actually one would only need 2 additional fields for the functional account/password in the LDAP Auth setup, but we do not have the resources right now for patching Geoserver. I would find it nice if both LDAP Auth mechanisms were supported in the future.

Thomas

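The search-then-bind flow the thread describes, with the user filter assembled the way mod_authnz_ldap derives it from the AuthLDAPURL Thomas quotes (base DN, attribute, scope, filter). This is an added example, not GeoServer's or Apache's code: the LDAP proxy is replaced by a constructed in-memory stand-in, and every hostname, DN and password is made up.

```python
import re
from urllib.parse import urlsplit

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 2255 form ldap://host:port/basedn?attr?scope?filter)."""
    u = urlsplit(url)
    attr, scope, filt = u.query.split("?")
    return {"host": u.hostname, "port": u.port or 389, "base": u.path.lstrip("/"),
            "attr": attr, "scope": scope, "filter": filt}

def escape_filter_value(value):
    """RFC 4515 escaping: the typed username must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search_filter(cfg, username):
    """Same shape mod_authnz_ldap uses: (&(<URL filter>)(<attr>=<escaped user>))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], escape_filter_value(username))

def authenticate(directory, cfg, bind_dn, bind_pw, username, password):
    """Search-then-bind: the functional account locates the user's DN, then the user's
    own password is verified by a second bind (not by comparing a stored value)."""
    if not password:  # an empty password is an unauthenticated bind, which AD accepts
        return None
    if not directory.bind(bind_dn, bind_pw):
        return None
    hits = directory.search(cfg["base"], build_search_filter(cfg, username))
    if len(hits) != 1:  # unknown user, or an ambiguous match: refuse
        return None
    return hits[0] if directory.bind(hits[0], password) else None

class FakeDirectory:
    """Constructed stand-in for the LDAP proxy; evaluates only (&(a=v)(b=w)) filters."""
    def __init__(self, entries):
        self.entries = entries  # dn -> {"attrs": {...}, "password": "..."}
    def bind(self, dn, password):
        e = self.entries.get(dn)
        return e is not None and password == e["password"]
    def search(self, base, filt):
        unhex = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
        wanted = [(a, unhex(v)) for a, v in re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filt)]
        return [dn for dn, e in self.entries.items() if dn.endswith(base)
                and all(e["attrs"].get(a) == v for a, v in wanted)]

# Constructed sample in the shape of the thread's Apache directives (hostname and DNs made up)
BIND_DN = "CN=ldapagent,OU=Benutzer,DC=example,DC=de"
CFG = parse_auth_ldap_url("ldap://ldap-proxy.example.de:389/DC=example,DC=de?sAMAccountName?sub?(objectClass=user)")
DIRECTORY = FakeDirectory({
    BIND_DN: {"attrs": {"objectClass": "user", "sAMAccountName": "ldapagent"}, "password": "agent-secret"},
    "CN=thomas,OU=Benutzer,DC=example,DC=de": {"attrs": {"objectClass": "user", "sAMAccountName": "thomas"}, "password": "hunter2"},
})
```

Against a real directory, FakeDirectory would be replaced by an ldap3 (Python) or JNDI (Java) connection; the two bind() calls, the escaped filter and the single-result check are the parts that matter.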