Using a generic account to authenticate a user.

BUG:
We are trying to authenticate an existing user through an LDAP directory.
Whether through the test button in the settings or with the normal connection on the home page, LDAP returns an error. According to the logs, this is due to a rights issue. Indeed, the user to be authenticated does not have search rights in the directory.

CURRENT BEHAVIOUR:
The sequence of requests is as follows:

STEP 1:
conn=XXX fd=30 ACCEPT from IP=XXX
conn=XXX op=0 BIND dn="uid=YYY,ou=people,dc=majordc" method=128
conn=XXX op=0 BIND dn="uid=YYY,ou=People,dc=majordc" mech=SIMPLE bind_ssf=0 ssf=256
conn=XXX op=0 RESULT tag=97 err=0 qtime=0.000020 etime=0.000177 text=
- user BIND => OK

STEP 2:
conn=XXX op=1 SRCH base="uid=YYY,ou=people,dc=majordc" scope=0 deref=3 filter="(objectClass=*)"
conn=XXX op=1 SEARCH RESULT tag=101 err=32 qtime=0.000014 etime=0.000289 nentries=0 text=
- SEARCH but with the user BIND => rights issue

STEP 3:
conn=XXX fd=30 closed
conn=XXX op=2 UNBIND
- AUTHENTICATION denied

The SEARCH should be executed by the technical account; in fact, a user cannot perform a global search. But this is not the case according to the logs.

BEHAVIOUR EXPECTED BY LDAP:
- BIND from a technical account (the same one used to search for groups)
- SEARCH and BIND the user with the technical account

Do you have any advice to give us?
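An added example (not part of the original post and not GeoServer code): a small Python parser for slapd log lines like the ones quoted above. It reports every search that ended in err=32 (the LDAP result code noSuchObject) together with the DN bound on that connection, which shows whether the search ran as the user or as the technical account. The sample log, conn id, IP and uid are constructed.

```python
import re

# Constructed sample modelled on the slapd log lines quoted in the post
# (conn id, IP and uid are placeholders, not values from a real server).
SAMPLE_LOG = '''\
conn=1001 fd=30 ACCEPT from IP=192.0.2.10:51000 (IP=0.0.0.0:636)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=majordc" method=128
conn=1001 op=0 BIND dn="uid=alice,ou=People,dc=majordc" mech=SIMPLE bind_ssf=0 ssf=256
conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000020 etime=0.000177 text=
conn=1001 op=1 SRCH base="uid=alice,ou=people,dc=majordc" scope=0 deref=3 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=32 qtime=0.000014 etime=0.000289 nentries=0 text=
conn=1001 op=2 UNBIND
conn=1001 fd=30 closed
'''

LINE = re.compile(r'conn=(\S+) op=(\d+) (BIND|SRCH|RESULT|SEARCH RESULT)\b(.*)')

def field(rest, key):
    """Extract key=value or key="value" from the tail of a log line."""
    m = re.search(r'\b' + key + r'=(?:"([^"]*)"|(\S*))', rest)
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else None

def find_denied_searches(log_text):
    """Return searches that ended in err=32, with the DN bound at that time."""
    bound = {}      # conn -> DN of the last successful BIND
    pending = {}    # (conn, op) -> (kind, dn or base, scope) awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND" and "method=" in rest:      # the request line
            pending[(conn, op)] = ("BIND", field(rest, "dn"), None)
        elif kind == "SRCH":
            pending[(conn, op)] = ("SRCH", field(rest, "base"), field(rest, "scope"))
        elif kind in ("RESULT", "SEARCH RESULT") and (conn, op) in pending:
            what, dn, scope = pending.pop((conn, op))
            err = field(rest, "err")
            if what == "BIND" and err == "0":
                bound[conn] = dn or ""
            elif what == "SRCH" and err == "32":
                who = bound.get(conn, "")             # empty string = anonymous
                findings.append({"conn": conn, "bound_as": who, "base": dn, "scope": scope,
                                 "self_read": who.lower() == (dn or "").lower()})
    return findings

if __name__ == "__main__":
    for f in find_denied_searches(SAMPLE_LOG):
        print(f)
```

A finding with `self_read` set to true means the connection bound as the user and then tried to read that same entry, which is the sequence shown in STEP 1 and STEP 2.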