Hi Mauro,
Sorry for the late reply on this. The approach sounds good to me. A couple
of thoughts and suggestions.
Perhaps it makes sense to have a separate "ActiveDirectory" provider,
rather than overload the default ldap one with more options. Just a
suggestion, not sure how much of the existing provider is used in this
scheme.
Regardless of one or more providers, it would be good if we could update
the docs along with this patch. The relevant page being:
http://docs.geoserver.org/stable/en/user/security/auth/providers.html#ldap-authentication
-Justin
On Wed, Apr 24, 2013 at 10:32 AM, Mauro Bartolomeoli <
[email protected]> wrote:
> Hi all,
> these days I prepared a patch to add support for Windows ActiveDirectory
> as an LDAP option for the GeoServer LDAP Authentication provider.
> Before preparing a pull request I would like to collect opinions on the
> way I implemented it.
>
> Basically I was trying to solve http://jira.codehaus.org/browse/GEOS-5054,
> which affects ActiveDirectory usage, and in the meantime adding some
> features helping AD integration.
>
> You can find my patch here:
> https://github.com/mbarto/geoserver/tree/ldap_activedirectory
>
> Tests are still missing but I'm going to add them before making a pull
> request.
>
> My approach was:
> - redefine the Spring DefaultLdapAuthoritiesPopulator
> (BindingLdapAuthoritiesPopulator) if a new flag (bindBeforeGroupSearch) is
> checked to do searches on the LDAP server in a bound context (the default
> one doesn't); unfortunately I was not able to extend the original class
> since the method to be redefined is declared final
>
> - extend the Spring BindingAuthenticator to allow an alternative
> authentication and user data extraction method; the default one binds
> using the dn of the user and extracts data from a simple lookup to that dn,
> the alternative one binds using the username directly and extracts user
> data using a filter (the filter is specified by the user instead of
> userDnPattern and triggers the alternative auth method)
>
> - the filter allows extracting data by filtering on the userPrincipalName
> attribute, which is the login username in the Microsoft world; this attribute
> is not part of the dn of the user
>
> - an optional userFormat can be used to transform the username given by
> the user to the effective username to be used for login (for example to add
> the ActiveDirectory domain extension automatically)
>
> - an optional adminGroup can be specified to map a specific
> ActiveDirectory group to GeoServer ADMIN role (the default ADMINISTRATOR
> role is usually the admin user name in the Windows world, so it's not
> available as a group name)
>
> I think some of these new options can be useful for other kinds of LDAP
> servers too.
>
> I did tests with a Windows 2012 Server. I hope the same can work well on
> previous versions too. If someone is willing to do a quick test with 2008
> or 2003 it would be very much appreciated.
>
> This is an example of configuration for the modified provider:
>
> <ldap>
> <id>-7a456489:13e36ec9187:-8000</id>
> <name>w2012</name>
>
> <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
> <serverURL>ldap://192.168.119.138/dc=w2012,dc=local</serverURL>
> <groupSearchBase>cn=Users</groupSearchBase>
> <groupSearchFilter>member={0}</groupSearchFilter>
> <useTLS>false</useTLS>
> <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
> <userFilter>(userPrincipalName={0})</userFilter>
> <userFormat>{0}@W2012.local</userFormat> <!-- user @ domain -->
> <adminGroup>ADMIN</adminGroup>
> </ldap>
>
> Thanks
> Mauro Bartolomeoli
>
> --
> ==
> GeoServer training in Milan, 6th & 7th June 2013! Visit
> http://geoserver.geo-solutions.it for more information.
> ==
>
> Dott. Mauro Bartolomeoli
> @mauro_bart
> Senior Software Engineer
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054 Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
>
> _______________________________________________
> Geoserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
>
--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
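As an added illustration of the option handling Mauro describes (userFormat applied before the bind, the userFilter built from the login name, the groupSearchFilter built from the user's DN, and adminGroup mapped to the GeoServer admin role), the following stand-alone Python example is not GeoServer or Spring Security code; it mirrors the keys from the XML configuration above. The RFC 4515 filter escaping, the role prefix "ROLE_", upper-casing of group names, and the admin role name "ROLE_ADMINISTRATOR" are assumptions of this example (they follow Spring's DefaultLdapAuthoritiesPopulator defaults and GeoServer's default admin role, but are not stated in the thread). The escaping step is the caveat worth keeping in mind with a user-supplied filter such as (userPrincipalName={0}): the substituted value must be encoded so a login name containing filter metacharacters cannot change the structure of the search.

```python
"""Added example (not GeoServer's or Spring's code): username formatting,
LDAP filter construction with RFC 4515 escaping, and AD group -> role mapping
for the ActiveDirectory options discussed in the thread."""
import re

# Constructed configuration, mirroring the XML example from the thread.
CONFIG = {
    "userFilter": "(userPrincipalName={0})",
    "userFormat": "{0}@W2012.local",
    "groupSearchFilter": "member={0}",
    "adminGroup": "ADMIN",
}

# Assumed names: GeoServer's default admin role and Spring's default role prefix.
ADMIN_ROLE = "ROLE_ADMINISTRATOR"
ROLE_PREFIX = "ROLE_"

# RFC 4515 escapes for the characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into an LDAP search filter, so a
    login name such as 'x)(cn=*' is matched literally instead of rewriting
    the filter (equivalent in purpose to Spring's LdapEncoder.filterEncode)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def effective_username(username: str, config=CONFIG) -> str:
    """Apply userFormat (for example, append the AD domain) to the name the
    user typed; this is the name used for the bind."""
    fmt = config.get("userFormat")
    return fmt.replace("{0}", username) if fmt else username


def user_search_filter(username: str, config=CONFIG) -> str:
    """Build userFilter with the formatted (and escaped) login name."""
    login = escape_filter_value(effective_username(username, config))
    return config["userFilter"].replace("{0}", login)


def group_search_filter(user_dn: str, config=CONFIG) -> str:
    """Build groupSearchFilter with the authenticated user's DN as the
    member value (the search itself would run in the bound context when
    bindBeforeGroupSearch is enabled)."""
    return config["groupSearchFilter"].replace("{0}", escape_filter_value(user_dn))


def group_cn(group_dn: str) -> str:
    """Return the leftmost cn= RDN of a group DN, e.g. 'ADMIN' for
    'CN=ADMIN,CN=Users,DC=w2012,DC=local'."""
    m = re.match(r"\s*cn=([^,]+)", group_dn, re.IGNORECASE)
    return m.group(1).strip() if m else group_dn


def roles_for_groups(group_dns, config=CONFIG):
    """Map the user's AD groups to roles; the group named in adminGroup
    becomes the admin role, every other group becomes ROLE_<NAME>."""
    roles = set()
    admin_group = config.get("adminGroup")
    for dn in group_dns:
        cn = group_cn(dn)
        if admin_group and cn.lower() == admin_group.lower():
            roles.add(ADMIN_ROLE)
        else:
            roles.add(ROLE_PREFIX + cn.upper())
    return sorted(roles)


if __name__ == "__main__":
    # Constructed sample input: a login and the groups a directory lookup returned.
    print(effective_username("mauro"))
    print(user_search_filter("mauro"))
    print(user_search_filter("x)(cn=*"))
    print(group_search_filter("CN=Mauro,CN=Users,DC=w2012,DC=local"))
    print(roles_for_groups(["CN=ADMIN,CN=Users,DC=w2012,DC=local",
                            "cn=GIS Editors,cn=Users,dc=w2012,dc=local"]))
```

The example keeps the three substitutions separate on purpose: the bind name (userFormat) is what the directory authenticates, the user filter is what locates the entry afterwards, and the group filter takes the DN returned by that lookup rather than anything the user typed.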