Hi all,
in the last few days I prepared a patch to add support for Windows Active Directory as
an LDAP option for the GeoServer LDAP Authentication provider.
Before preparing a pull request I would like to collect opinions on the way
I implemented it.
Basically I was trying to solve http://jira.codehaus.org/browse/GEOS-5054,
which affects Active Directory usage, and in the meantime add some
features that help AD integration.
You can find my patch here:
https://github.com/mbarto/geoserver/tree/ldap_activedirectory
Tests are still missing but I'm going to add them before making a pull
request.
My approach was:
- redefine the Spring DefaultLdapAuthoritiesPopulator
(as BindingLdapAuthoritiesPopulator), used if a new flag (bindBeforeGroupSearch) is
checked, to do searches on the LDAP server in a bound context (the default
one doesn't); unfortunately I was not able to extend the original class,
since the method to be redefined is declared final
- extend the Spring BindingAuthenticator to allow an alternative
authentication and user data extraction method; the default one binds
using the dn of the user and extracts data from a simple lookup of that dn,
while the alternative one binds using the username directly and extracts user
data using a filter (the filter is specified by the user instead of
userDnPattern and triggers the alternative auth method)
- the filter allows extracting data by filtering on the userPrincipalName
attribute, which is the login username in the Microsoft world; this attribute is
not part of the dn of the user
- an optional userFormat can be used to transform the username given by
the user into the effective username to be used for login (for example to add
the Active Directory domain extension automatically)
- an optional adminGroup can be specified to map a specific
Active Directory group to the GeoServer ADMIN role (the default ADMINISTRATOR
role is usually the admin user name in the Windows world, so it's not
available as a group name)
I think some of these new options can be useful for other kinds of LDAP
servers too.
I did tests with a Windows 2012 Server. I hope the same can work well on
previous versions too. If someone is willing to do a quick test with 2008
or 2003 it would be very much appreciated.
This is an example configuration for the modified provider:
<ldap>
<id>-7a456489:13e36ec9187:-8000</id>
<name>w2012</name>
<className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
<serverURL>ldap://192.168.119.138/dc=w2012,dc=local</serverURL>
<groupSearchBase>cn=Users</groupSearchBase>
<groupSearchFilter>member={0}</groupSearchFilter>
<useTLS>false</useTLS>
<bindBeforeGroupSearch>true</bindBeforeGroupSearch>
<userFilter>(userPrincipalName={0})</userFilter>
<userFormat>{0}@W2012.local</userFormat> <!-- user @ domain -->
<adminGroup>ADMIN</adminGroup>
</ldap>
Thanks
Mauro Bartolomeoli
--
==
GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.
==
Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel