Dear all,
I am struggling to map the LDAP groups to GeoServer roles. I am using
GeoServer 2.3.2 and I followed the tutorial here:
http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
The result is that I can log in to GeoServer as an LDAP user, but no role
is assigned (except ROLE_AUTHENTICATED).
I tried it twice:
First, I followed the tutorial step-by-step. I have configured the LDAP
connection, logged in as "bob", that was fine. Then I configured LDAP
groups mapping, added a new role ROLE_ADMIN and configured it to be the
Administrator role as described in the tutorial. The result was that I
was able to log in as "bill", but no administration rights were
available. As a side-effect, the "admin" user lost the administration
rights as well. (Note that there are differences between the 2.3.2
version and the tutorial screenshots: In the "XML Role Service default",
"Settings" tab, the choice for "Group administrator role" is missing in
the screenshot. And, while the documentation speaks about
"ROLE_ADMINISTRATOR" and "ROLE_GROUP_ADMIN" roles, in 2.3.2 there are
"ADMIN" and "GROUP_ADMIN" roles instead.)
Second, I followed the tutorial regarding the configuration, but rather
created a "ROLE_USER" role in GeoServer for testing. I configured some
layers to be readable for this role only and checked the configuration
with a new GeoServer user with this role assigned. Then I logged in as
LDAP user "bob" (who is in the "user" LDAP group and hence should have
the "ROLE_USER" GeoServer role assigned). "bob" can log in, but cannot see
the restricted layers. (Yes, I did configure the "Group search base" and
"Group search filter" as described in the tutorial.) The GeoServer log is
attached. Looking there, I see
Granted Authorities: ;
and
Granted Authorities: ROLE_AUTHENTICATED
so no LDAP groups were mapped.
Would you have any idea or hint?
Thank you very much in advance,
Michal
2013-06-13 18:02:49,497 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Request is to process authentication
2013-06-13 18:02:49,498 DEBUG [geoserver.security] - Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:137)
    at org.geoserver.security.auth.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:81)
    at org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:57)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
    at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
    at org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:115)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:46)
    at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
    at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:103)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:75)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:679)
2013-06-13 18:02:49,524 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@96c3616: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@3eba9764: Dn: uid=bob,ou=people,dc=acme,dc=org; Username: bob; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 89C5753EF2EB593F49CEAC7C12D08D62; Granted Authorities: ROLE_AUTHENTICATED
2013-06-13 18:02:49,525 DEBUG [rememberme.GeoServerTokenBasedRememberMeServices] - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
2013-06-13 18:02:49,525 DEBUG [rememberme.GeoServerTokenBasedRememberMeServices] - Remember-me login not requested.
2013-06-13 18:02:49,525 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
2013-06-13 18:02:49,530 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web]
2013-06-13 18:02:49,530 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web]
2013-06-13 18:02:49,530 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web]
2013-06-13 18:02:49,531 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
2013-06-13 18:02:49,535 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:49,535 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:49,535 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:49,536 DEBUG [org.geoserver] - Thread 33 locking in mode READ
2013-06-13 18:02:49,536 DEBUG [org.geoserver] - Thread 33 got the lock in mode READ
2013-06-13 18:02:49,542 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/screen.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:49,544 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/print.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:49,545 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/geoserver.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:49,547 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/ie.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:49,549 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/js/jquery-1.2.6.min.js to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:49,551 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/js/jquery.inline-info.js to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:49,562 DEBUG [org.geoserver] - Thread 33 releasing the lock in mode READ
2013-06-13 18:02:49,563 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
2013-06-13 18:02:49,563 DEBUG [geoserver.filters] - Compressing output for mimetype: text/html;charset=UTF-8
2013-06-13 18:02:55,694 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:55,695 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:55,695 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:55,696 DEBUG [org.geoserver] - Thread 50 locking in mode WRITE
2013-06-13 18:02:55,697 DEBUG [org.geoserver] - Thread 50 got the lock in mode WRITE
2013-06-13 18:02:55,700 DEBUG [org.geoserver] - Thread 50 releasing the lock in mode WRITE
2013-06-13 18:02:55,701 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
2013-06-13 18:02:55,753 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:55,753 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:55,753 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
2013-06-13 18:02:55,754 DEBUG [org.geoserver] - Thread 50 locking in mode WRITE
2013-06-13 18:02:55,754 DEBUG [org.geoserver] - Thread 50 got the lock in mode WRITE
2013-06-13 18:02:55,760 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/screen.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:55,761 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/print.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:55,761 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/geoserver.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:55,762 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/ie.css to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:55,763 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/js/jquery-1.2.6.min.js to file (URI is not hierarchical), falling back to the inputstream for polling
2013-06-13 18:02:55,764 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/js/jquery.inline-info.js to file (URI is not hierarchical), falling back to the inputstream for polling
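
One way to pull the role information out of a DEBUG log like the one attached above (an added example, not part of the original message and not GeoServer code): it re-joins mail-wrapped records and compares the roles on the LDAP principal with the roles on the session for each successful login. The sample log is constructed from the record above plus a constructed login for "bill"; the function names are hypothetical.

```python
import re

# Constructed sample: abridged copy of the wrapped login record above and a
# constructed login for "bill" whose LDAP group was mapped to ROLE_USER.
SAMPLE_LOG = """\
2013-06-13 18:02:49,524 DEBUG
[filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication
success. Updating SecurityContextHolder to contain: Principal:
org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@3eba9764: Dn:
uid=bob,ou=people,dc=acme,dc=org; Username: bob; Password: [PROTECTED];
AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED];
Granted Authorities: ROLE_AUTHENTICATED
2013-06-13 18:05:00,000 DEBUG
[filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication
success. Principal: Dn: uid=bill,ou=people,dc=acme,dc=org; Username: bill;
Granted Authorities: ROLE_USER; Credentials: [PROTECTED];
Granted Authorities: ROLE_USER, ROLE_AUTHENTICATED
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
AUTHORITIES = re.compile(r"Granted Authorities:\s*([^;]*)")
USERNAME = re.compile(r"Username: ([^;]+);")

def records(text):
    """Re-join mail-wrapped lines: a record starts at a timestamp."""
    out = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def _roles(field):
    return [r.strip() for r in field.split(",") if r.strip()]

def login_roles(text):
    """Per successful login: roles on the LDAP principal vs. on the session.
    Assumption: first 'Granted Authorities' is the principal's, last the token's."""
    found = []
    for rec in records(text):
        user, auths = USERNAME.search(rec), AUTHORITIES.findall(rec)
        if "Authentication success" in rec and user and len(auths) >= 2:
            found.append({"user": user.group(1), "ldap_roles": _roles(auths[0]),
                          "session_roles": _roles(auths[-1])})
    return found

def unmapped_users(text):
    """Users who authenticated but carry no role on the LDAP principal."""
    return [r["user"] for r in login_roles(text) if not r["ldap_roles"]]
```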