Hello LDAP and Active Directory users,

While trying to authenticate against an ancient Active Directory (AD) I observe that my GeoServer 2.19.0 does not behave as expected. My users are scattered through different organisational units (OU), so I cannot use a fixed DN user lookup pattern. Instead, I use a generic user lookup filter as described in the tutorial <https://docs.geoserver.org/stable/en/user/security/tutorials/activedirectory/index.html>.

I read that in the most common AD configurations a user's sAMAccountName is also part of his userPrincipalName. Unfortunately, our AD is configured in a way that the user's sAMAccountName IS NOT part of his userPrincipalName. Example user:

  givenName = Max
  sn = Mustermann
  userPrincipalName = max.musterm...@domain.de
  sAMAccountName = must_ma

According to the tutorial I use "Filter used to lookup user: (|(userPrincipalName={0})(sAMAccountName={1}))" in conjunction with "Format used for user login name: {0}@domain.de". My user authentication works well if I log in with the username "Max.Mustermann". But it does not work in any way when logging in with "must_ma". Just using "Filter used to lookup user: (sAMAccountName={1})" and omitting the "Format used for user login name" also does not work. In contrast, with GeoNetwork it works like a charm.

All our internal services use sAMAccountName for authentication, so I would like to keep it similar for GeoServer. I tried around for days and was also digging into the code, and my conclusion is: GeoServer's LDAP Authentication Filter implies that sAMAccountName is always part of the userPrincipalName. Otherwise, filtering by sAMAccountName does not work. Can anybody confirm that? I found an old issue GEOS-6025 <https://osgeo-org.atlassian.net/browse/GEOS-6025> which does not yield any insights.

What are your experiences with such fancy AD configurations? After collecting your information I would like to improve the tutorial and the documentation, because not mentioning this fact leads to a lot of frustration on the user side.

Thanks!
Michi
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
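To make the lookup-filter mechanics from the post concrete, here is an added example (not GeoServer's or Spring LDAP's code) that instantiates the two filter templates quoted above and evaluates them against a constructed directory entry. It assumes that {0} receives the login name after the "Format used for user login name" is applied and {1} receives the name exactly as typed; the attribute names are the AD attributes from the post, and the domain and entry values are constructed.

```python
# Added example: expand a GeoServer-style LDAP lookup filter template and test
# it against a directory entry. Placeholder semantics are an ASSUMPTION:
#   {0} = login name after applying the "Format used for user login name"
#   {1} = login name exactly as typed by the user

# Constructed entry modelled on the post (no real account data).
USER = {"givenName": "Max", "sn": "Mustermann",
        "userPrincipalName": "max.mustermann@example.test",
        "sAMAccountName": "must_ma"}


def expand_filter(template, login, login_format=None):
    """Fill {0} (formatted login) and {1} (raw login) into the template."""
    formatted = login_format.replace("{0}", login) if login_format else login
    return template.replace("{0}", formatted).replace("{1}", login)


def _parse(s, i):
    """Parse one RFC 4515-style filter at s[i] ('(' ... ')') into a tree.
    Supports equality matches and the | / & combinators only."""
    i += 1  # skip '('
    if s[i] in "|&":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def matches(filt, entry):
    """Evaluate a filter against an entry; AD attributes and most values
    compare case-insensitively, so the comparison is case-folded."""
    lowered = {k.lower(): v for k, v in entry.items()}
    node, _ = _parse(filt, 0)

    def ev(n):
        if n[0] == "|":
            return any(ev(k) for k in n[1])
        if n[0] == "&":
            return all(ev(k) for k in n[1])
        actual = lowered.get(n[1].lower())
        return actual is not None and actual.lower() == n[2].lower()
    return ev(node)


def lookup(template, login, login_format=None):
    """Return (expanded filter, whether it selects USER)."""
    f = expand_filter(template, login, login_format)
    return f, matches(f, USER)
```

Under these assumptions the combined filter selects the entry for both "Max.Mustermann" (via userPrincipalName) and "must_ma" (via sAMAccountName), so the example shows what the filter text is expected to do, not why the reported login fails.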