The "Uncomment & customize below beans if using LDAP" fails to mention that you also have to make a change **above** and enable <authentication-provider ref="ldapAuthProvider"/>
Still, the second user gets "The administrator of this site has disabled user registrations at this time. Please contact the system administrators if you think this is incorrect."

I can remote debug Roller with Eclipse, but I don't know where to set breakpoints. Can you tell me some interesting lines to debug LDAP authentication?

Thanks,
Juergen

On 04.06.2014 12:12, "Glen Mazza" <glen.ma...@gmail.com> wrote:

> On 6/3/2014 8:57 AM, Jürgen Weber wrote:
>
>> Hi,
>> I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.
>>
>> First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
>> make LDAP work, which is above <!-- Uncomment & customize below beans if
>> using LDAP -->
>> There should be a comment here to enable the authentication-provider line
>> !!
>>
>
> ? There is, line 66:
>
> 63 <!-- Read users from Roller API -->
> 64 <authentication-manager alias='rollerAuthenticationManager'>
> 65 <authentication-provider ref="rememberMeAuthenticationProvider"/>
> 66 <!-- Uncomment one of the three below, based on whether database, LDAP, or
> 67 OpenID authentication is desired. -->
> 68 <authentication-provider user-service-ref="rollerUserService"/>
> 69 <!--authentication-provider ref="ldapAuthProvider"/>
> 70 <authentication-provider ref="openIDAuthProvider"/-->
> 71 </authentication-manager>
>
>> I have enabled both <authentication-provider user-service-ref="rollerUserService"/>
>> <authentication-provider ref="ldapAuthProvider"/> because the roller admin
>> cannot be in our LDAP.
>>
>
> The "Roller Admin" is just a person -- it can be you -- and *you* can be
> in the LDAP. The Roller admin doesn't have to have a username of "Admin"
> or anything obvious like that, actually shouldn't.
>
>> Does this work, enabling both?
>>
>
> I hope not, that would be prone to security holes. Choose one
> authentication method and go with it. While Roller offers multiple ways to
> authenticate, it's the intention that you have only one method once you
> choose it.
>
>> Anyway, the admin user can log in. An LDAP user gets
>> "The administrator of this site has disabled user registrations at this
>> time. Please contact the system administrators if you think this is
>> incorrect." Then I recreated the database. Now I can log in via LDAP, but a
>> second user can't.
>> The log for the second user:
>> DEBUG 2014-06-03 14:41:35,142
>> AbstractAuthenticationProcessingFilter:successfulAuthentication -
>> Authentication success. Updating SecurityContextHolder to contain:
>> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1c3a2503:
>> Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@51c9fbaa:
>> Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled:
>> true; AccountNonExpired: true; CredentialsNonExpired: true;
>> AccountNonLocked: true; Granted Authorities: editor; Credentials:
>> [PROTECTED]; Authenticated: true; Details:
>> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
>> RemoteIpAddress: *********; SessionId: **********; Granted Authorities:
>> editor
>>
>> but in the browser he is shown the user disabled message from above.
>> I have users.registration.enabled=true
>> What can I do?
>>
>
> Hmm, I tested this. I think you need to register the user *first* within
> LDAP, then when the user logs in he'll be taken to the Create a new blog
> page. I think the error message you're getting is because you've enabled
> more than one auth method. But we should document this in our Install
> guide. I'll put in a JIRA ticket.
>
> Further, the Blog Admin has a checkbox on the Server Admin settings page
> (not the roller-custom.properties file) to "Allow new blogs" -- make sure
> you have that checked.
>
> Glen
>
>> Thanks, Juergen
>>
>>
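Glen's advice above comes down to one rule for Roller's security.xml: exactly one of the three authentication providers is active at a time, and the LDAP beans that the "Uncomment & customize below beans" comment refers to have to be enabled as well. The following is an added illustration of that configuration, written for this page; it is not Roller's shipped security.xml and not code from Glen or Juergen. It shows the authentication-manager block from the quoted lines 63-71 with LDAP selected, plus a minimal Spring Security 3.x ldapAuthProvider bean built from the standard LDAP classes. The LDAP URL, bind DN, bind password, user DN pattern and group search base are placeholders, and Roller's real bean names and properties may differ from what is assumed here.

```xml
<!-- Read users from Roller API -->
<authentication-manager alias='rollerAuthenticationManager'>
    <authentication-provider ref="rememberMeAuthenticationProvider"/>
    <!-- Uncomment one of the three below, based on whether database, LDAP, or
         OpenID authentication is desired. Exactly one of them must be active:
         the database provider is commented out here, the LDAP one enabled. -->
    <!--authentication-provider user-service-ref="rollerUserService"/-->
    <authentication-provider ref="ldapAuthProvider"/>
    <!--authentication-provider ref="openIDAuthProvider"/-->
</authentication-manager>

<!-- Uncomment & customize below beans if using LDAP -->
<!-- Assumption: the Spring Security namespace is the default namespace and plain
     Spring beans use the "beans:" prefix. All DNs, the URL and the password below
     are placeholders for illustration only. -->
<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://ldap.example.com:389/dc=example,dc=com"/>
    <!-- Read-only service account used only to search for users and groups -->
    <beans:property name="userDn" value="cn=roller-bind,ou=services,dc=example,dc=com"/>
    <beans:property name="password" value="change-me"/>
</beans:bean>

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <!-- Step 1: bind as the user. The directory checks the password; Roller
         never stores or compares a hash for LDAP users. -->
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:property name="userDnPatterns">
                <beans:list>
                    <!-- {0} is replaced with the login name typed into Roller -->
                    <beans:value>uid={0},ou=people</beans:value>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
    <!-- Step 2: turn LDAP group membership into granted authorities. The debug
         log quoted above shows the plain authority "editor" coming out of this
         step, so the ROLE_ prefix and upper-casing are switched off (assumed to
         be what Roller expects). -->
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:constructor-arg value="ou=groups"/>
            <beans:property name="groupRoleAttribute" value="cn"/>
            <beans:property name="rolePrefix" value=""/>
            <beans:property name="convertToUpperCase" value="false"/>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>
```

Why only one provider matters: Spring Security's ProviderManager offers each login attempt to every configured provider in turn and accepts the first one that succeeds. With both rollerUserService and ldapAuthProvider active, a user could log in with either a password stored in Roller's database or an LDAP password, and disabling or removing the account in one backend would not block the other. For Juergen's breakpoint question, the two beans above are also the natural places to stop on the Spring side: BindAuthenticator.authenticate for the bind itself and DefaultLdapAuthoritiesPopulator.getGrantedAuthorities for the role lookup; the "user registrations disabled" message itself is produced by Roller after Spring has already reported success, as the quoted log shows. Treat the bind password in this file as a secret: use a read-only service account and keep security.xml out of anything world-readable.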