Hi Justin,

Yes, the LDAP provider was included in the provider chain (below the default provider).
I managed to get a more detailed log for the test connection [1] and the actual login attempt [2]. Maybe this helps?

Regards,
Torsten

[1] TEST CONNECTION

2012-04-12 11:56:40,306 DEBUG [util.AntPathRequestMatcher] - Checking match of request : '/web/'; against '/web/**'
2012-04-12 11:56:40,306 DEBUG [web.FilterChainProxy] - /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904 at position 1 of 5 in additional filter chain; firing Filter: 'GeoServerSecurityContextPersistenceFilter'
2012-04-12 11:56:40,306 DEBUG [context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6f128e6a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6f128e6a: Principal: Username: myadmin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; [ ROLE_ADMINISTRATOR ] ; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 9C7DBFB5B20A9D08D4017C6A7CBBE4E3; Granted Authorities: ROLE_ADMINISTRATOR, ROLE_AUTHENTICATED'
2012-04-12 11:56:40,306 DEBUG [web.FilterChainProxy] - /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904 at position 2 of 5 in additional filter chain; firing Filter: 'GeoServerRememberMeAuthenticationFilter'
2012-04-12 11:56:40,306 DEBUG [rememberme.RememberMeAuthenticationFilter] - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6f128e6a: Principal: Username: myadmin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; [ ROLE_ADMINISTRATOR ] ; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 9C7DBFB5B20A9D08D4017C6A7CBBE4E3; Granted Authorities: ROLE_ADMINISTRATOR, ROLE_AUTHENTICATED'
2012-04-12 11:56:40,306 DEBUG [web.FilterChainProxy] - /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904 at position 3 of 5 in additional filter chain; firing Filter: 'GeoServerAnonymousAuthenticationFilter'
2012-04-12 11:56:40,307 DEBUG [web.FilterChainProxy] - /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904 at position 4 of 5 in additional filter chain; firing Filter: 'GeoServerExceptionTranslationFilter'
2012-04-12 11:56:40,307 DEBUG [web.FilterChainProxy] - /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904 at position 5 of 5 in additional filter chain; firing Filter: 'GeoServerSecurityInterceptorFilter'
2012-04-12 11:56:40,307 DEBUG [util.AntPathRequestMatcher] - Checking match of request : '/web/'; against '/config/**'
2012-04-12 11:56:40,307 DEBUG [util.AntPathRequestMatcher] - Request '/web/' matched by universal pattern '/**'
2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6f128e6a: Principal: Username: myadmin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; [ ROLE_ADMINISTRATOR ] ; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 9C7DBFB5B20A9D08D4017C6A7CBBE4E3; Granted Authorities: ROLE_ADMINISTRATOR, ROLE_AUTHENTICATED
2012-04-12 11:56:40,307 DEBUG [vote.AffirmativeBased] - Voter: org.springframework.security.access.vote.RoleVoter@1337193d, returned: 0
2012-04-12 11:56:40,307 DEBUG [vote.AffirmativeBased] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@7e1ba08b, returned: 1
2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] - Authorization successful
2012-04-12 11:56:40,307 DEBUG [intercept.FilterSecurityInterceptor] - RunAsManager did not change Authentication object
2012-04-12 11:56:40,307 DEBUG [web.FilterChainProxy] - /web/?wicket:interface=:4:panel:panel:form:panel:testCx:test::IActivePageBehaviorListener:0:&wicket:ignoreIfNotActive=true&random=0.5301492270644904 reached end of additional filter chain; proceeding with original chain
2012-04-12 11:56:40,307 DEBUG [servlet.DispatcherServlet] - DispatcherServlet with name 'dispatcher' processing POST request for [/repository/web/]
2012-04-12 11:56:40,308 DEBUG [handler.SimpleUrlHandlerMapping] - Matching patterns for request [/web/] are [/web/**]
2012-04-12 11:56:40,308 DEBUG [handler.SimpleUrlHandlerMapping] - URI Template variables for request [/web/] are {}
2012-04-12 11:56:40,308 DEBUG [handler.SimpleUrlHandlerMapping] - Mapping [/web/] to HandlerExecutionChain with handler [org.springframework.web.servlet.mvc.ServletWrappingController@37ef2806] and 1 interceptor
2012-04-12 11:56:40,308 DEBUG [wicket.Session] - Getting page [path = 4:panel:panel:form:panel:testCx:test, versionNumber = 0]
2012-04-12 11:56:40,308 DEBUG [org.geoserver] - Thread 105 locking in mode WRITE
2012-04-12 11:56:40,308 DEBUG [org.geoserver] - Thread 105 got the lock in mode WRITE
2012-04-12 11:56:40,309 DEBUG [wicket.RequestCycle] - replacing request target org.apache.wicket.request.target.component.listener.BehaviorRequestTarget@633597303[Page class = org.geoserver.security.web.SecurityNamedServiceEditPage, id = 4, version = 0]->test->interface org.apache.wicket.behavior.IBehaviorListener.IActivePageBehaviorListener (request paramaters: [RequestParameters componentPath=4:panel:panel:form:panel:testCx:test pageMapName=null versionNumber=0 interfaceName=IActivePageBehaviorListener componentId=null behaviorId=0 urlDepth=-1 parameters={panel:testCx:username=testuser,panel:testCx:test=1,random=0.5301492270644904,panel:userDnPattern=CN={0},OU=user,OU=e,OU=d,panel:testCx:password=!CLEARTEXTPASSWORD!,panel:serverURL=ldap://server:389/dc=c,dc=b,dc=a,panel:authorizationPanelContainer:authorizationPanel:userGroupServiceName=default,id44_hf_0=} onlyProcessIfPathActive=true]) with [AjaxRequestTarget@1368398530 markupIdToComponent [{}], prependJavascript [[]], appendJavascript [[]]
2012-04-12 11:56:40,324 DEBUG [wicket.Localizer] - Property found in cache: 'LDAPAuthProviderPanel.connectionSuccessful'; Component: 'null'; value: 'Connection Successful'
2012-04-12 11:56:40,324 DEBUG [model.LoadableDetachableModel] - loaded transient object Connection Successful for StringResourceModel[key:LDAPAuthProviderPanel.connectionSuccessful,default:null,params:], requestCycle [RequestCycle@43eb7ea1 thread=catalina-exec-8]
2012-04-12 11:56:40,324 DEBUG [feedback.FeedbackMessages] - Adding feedback message [FeedbackMessage message = "Connection Successful", reporter = test, level = INFO]

[2] LOGIN

2012-04-12 11:28:54,705 DEBUG [util.AntPathRequestMatcher] - Checking match of request : '/j_spring_security_check'; against '/web/**'
2012-04-12 11:28:54,706 DEBUG [util.AntPathRequestMatcher] - Checking match of request : '/j_spring_security_check'; against '/gwc/rest/web/**'
2012-04-12 11:28:54,706 DEBUG [util.AntPathRequestMatcher] - Checking match of request : '/j_spring_security_check'; against '/j_spring_security_check'
2012-04-12 11:28:54,707 DEBUG [web.FilterChainProxy] - /j_spring_security_check at position 1 of 2 in additional filter chain; firing Filter: 'GeoServerSecurityContextPersistenceFilter'
2012-04-12 11:28:54,707 DEBUG [context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2012-04-12 11:28:54,707 DEBUG [context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@eae7ead. A new one will be created.
2012-04-12 11:28:54,707 DEBUG [web.FilterChainProxy] - /j_spring_security_check at position 2 of 2 in additional filter chain; firing Filter: 'GeoServerUserNamePasswordAuthenticationFilter'
2012-04-12 11:28:54,707 DEBUG [authentication.UsernamePasswordAuthenticationFilter] - Request is to process authentication
2012-04-12 11:28:54,708 DEBUG [authentication.ProviderManager] - Authentication attempt using org.geoserver.security.auth.GeoServerRootAuthenticationProvider
2012-04-12 11:28:54,708 DEBUG [authentication.ProviderManager] - Authentication attempt using org.geoserver.security.auth.UsernamePasswordAuthenticationProvider
2012-04-12 11:28:54,709 DEBUG [dao.DaoAuthenticationProvider] - User 'testuser' not found
2012-04-12 11:28:54,709 DEBUG [authentication.ProviderManager] - Authentication attempt using org.geoserver.security.ldap.LDAPAuthenticationProvider
2012-04-12 11:28:54,709 DEBUG [authentication.LdapAuthenticationProvider] - Processing authentication request for user: testuser
2012-04-12 11:28:54,712 DEBUG [authentication.BindAuthenticator] - Attempting to bind as cn=testuser,ou=user,dc=c,dc=b,dc=a
2012-04-12 11:28:54,713 DEBUG [support.AbstractContextSource] - Using LDAP pooling.
2012-04-12 11:28:54,713 DEBUG [support.AbstractContextSource] - Trying provider Urls: ldap://server:389/dc=c,dc=b,dc=a
2012-04-12 11:28:54,713 DEBUG [ldap.DefaultSpringSecurityContextSource] - Removing pooling flag for user cn=testuser,ou=user,dc=c,dc=b,dc=a
2012-04-12 11:28:54,771 DEBUG [support.AbstractContextSource] - Got Ldap context on server 'ldap://server:389/dc=c,dc=b,dc=a'
2012-04-12 11:28:54,771 DEBUG [authentication.BindAuthenticator] - Retrieving attributes...
2012-04-12 11:28:54,830 DEBUG [authentication.UsernamePasswordAuthenticationFilter] - Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User testuser not found in usergroupservice: default
2012-04-12 11:28:54,830 DEBUG [authentication.UsernamePasswordAuthenticationFilter] - Updated SecurityContextHolder to contain null Authentication
2012-04-12 11:28:54,830 DEBUG [authentication.UsernamePasswordAuthenticationFilter] - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@430cd4b8
2012-04-12 11:28:54,830 DEBUG [rememberme.GeoServerTokenBasedRememberMeServices] - Interactive login attempt was unsuccessful.
2012-04-12 11:28:54,830 DEBUG [rememberme.GeoServerTokenBasedRememberMeServices] - Cancelling cookie
2012-04-12 11:28:54,830 DEBUG [authentication.SimpleUrlAuthenticationFailureHandler] - Redirecting to /web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true
2012-04-12 11:28:54,831 DEBUG [web.DefaultRedirectStrategy] - Redirecting to '/repository/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true'
2012-04-12 11:28:54,831 DEBUG [context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

On Thu, Apr 12, 2012 at 5:21 AM, Justin Deoliveira <jdeol...@opengeo.org> wrote:
> Hi Torsten,
>
> On the Authentication page did you set the ldap authentication provider as
> active? ie moved to the selected list?
>
> -Justin
>
> On Wed, Apr 11, 2012 at 11:35 AM, thegis <the...@googlemail.com> wrote:
>>
>> Hi List!
>>
>> I’ve tried to use the new LDAP authentication feature to connect
>> Geoserver to our active directory based LDAP server as described in
>> [1]. After some trial and error, I successfully tested the connection
>> with the “Test Connection” button and following settings:
>>
>> ServerURL: ldap://server:port/dc=z,dc=y,dc=x
>> User lookup pattern: cn={0}, ou=users, ou=b,ou=a (Note that we had to
>> use “cn={0}” instead of “uid={0}”)
>> Group search base: ou=groups,ou=e,ou=d
>> Group search filter: member={0}
>>
>> However, when testing the login on the home page as described in [2]
>> with the same username/password, Geoserver redirects to
>>
>> “geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true”.
>> There is no error in the log or UI but the login obviously didn’t
>> work. It would surely help to show the log messages from Spring, but I
>> couldn’t enable them (editing e.g. VERBOSE_LOGGING.properties didn’t
>> work).
>>
>> I also noticed, that the Users/Groups tab in [3] does not show any
>> users or groups. Shouldn’t they get populated with the LDAP
>> users/groups?
>>
>> Any ideas what’s wrong?
>>
>> Regards,
>> Torsten
>>
>> [1]
>> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#configure-the-ldap-authentication-provider
>> [2]
>> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#test-a-ldap-login
>> [3]
>> http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.security.web.UserGroupRoleServicesPage
>>
>> _______________________________________________
>> Geoserver-users mailing list
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.