On 6/3/2014 8:57 AM, Jürgen Weber wrote:
> Hi,
> I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.
> First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
> make LDAP work, which is above <!-- Uncomment & customize below beans if
> using LDAP -->
> There should be a comment here to enable the authentication-provider line!!
? There is, line 66:

63 <!-- Read users from Roller API -->
64 <authentication-manager alias='rollerAuthenticationManager'>
65   <authentication-provider ref="rememberMeAuthenticationProvider"/>
66   <!-- Uncomment one of the three below, based on whether database, LDAP, or
67        OpenID authentication is desired. -->
68   <authentication-provider user-service-ref="rollerUserService"/>
69   <!--authentication-provider ref="ldapAuthProvider"/>
70   <authentication-provider ref="openIDAuthProvider"/-->
71 </authentication-manager>
> I have enabled both <authentication-provider user-service-ref="rollerUserService"/>
> and <authentication-provider ref="ldapAuthProvider"/> because the roller admin
> cannot be in our LDAP.
The "Roller Admin" is just a person -- it can be you -- and *you* can be
in the LDAP. The Roller admin doesn't have to have a username of "Admin"
or anything obvious like that, actually shouldn't.
> Does this work, enabling both?
I hope not, that would be prone to security holes. Choose one
authentication method and go with it. While Roller offers multiple ways to
authenticate, it's the intention that you have only one method once you
choose it.
> Anyway, the admin user can log in. An LDAP user gets
> "The administrator of this site has disabled user registrations at this
> time. Please contact the system administrators if you think this is
> incorrect." Then I recreated the database. Now I can log in via LDAP, but a
> second user can't.
> The log for the second user:
>
> DEBUG 2014-06-03 14:41:35,142 AbstractAuthenticationProcessingFilter:successfulAuthentication -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1c3a2503:
> Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@51c9fbaa:
> Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled: true;
> AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true;
> Granted Authorities: editor; Credentials: [PROTECTED]; Authenticated: true;
> Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: *********; SessionId: **********; Granted Authorities: editor
>
> but in the browser he is shown the user disabled message from above.
> I have users.registration.enabled=true
> What can I do?
Hmm, I tested this. I think you need to register the user *first* within
LDAP, then when the user logs in he'll be taken to the Create a new blog
page. I think the error message you're getting is because you've enabled
more than one auth method. But we should document this in our Install
guide. I'll put in a JIRA ticket.
Further, the Blog Admin has a checkbox on the Server Admin settings page
(not the roller-custom.properties file) to "Allow new blogs" -- make sure
you have that checked.
Glen
> Thanks, Juergen
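The advice in this thread comes down to one rule: leave exactly one login provider active in the `authentication-manager`. The script below is an added example, not Roller's or Spring Security's own code; it parses a `security.xml`-style fragment and warns when more than one provider is live. The sample XML is constructed to mirror the snippet quoted above, and the Spring Security namespace declarations on it are an assumption about how Roller's file is laid out. Note that commented-out providers disappear at parse time, which is precisely why the `<!-- -->` lines in the template are inactive.

```python
"""Added check: flag a Spring Security XML that leaves more than one
login provider active in the authentication-manager (the thread's
case: database and LDAP both enabled)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippet quoted in the thread, with both
# the database and the LDAP provider enabled. The namespace declarations are
# an assumption about Roller's security.xml, not text from the thread.
BOTH_ENABLED = """<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <!-- Read users from Roller API -->
  <authentication-manager alias="rollerAuthenticationManager">
    <authentication-provider ref="rememberMeAuthenticationProvider"/>
    <!-- Uncomment one of the three below, based on whether database, LDAP, or
         OpenID authentication is desired. -->
    <authentication-provider user-service-ref="rollerUserService"/>
    <authentication-provider ref="ldapAuthProvider"/>
    <!--authentication-provider ref="openIDAuthProvider"/-->
  </authentication-manager>
</beans:beans>
"""

# The same file corrected as Glen suggests: only the LDAP provider is active,
# the database provider has been commented out.
LDAP_ONLY = BOTH_ENABLED.replace(
    '<authentication-provider user-service-ref="rollerUserService"/>',
    '<!--authentication-provider user-service-ref="rollerUserService"/-->',
)

# rememberMe only re-validates a cookie issued after another provider has
# authenticated the user; it is not a login method in its own right.
SUPPORTING_PROVIDERS = {"rememberMeAuthenticationProvider"}


def active_login_providers(xml_text):
    """Return the ids of providers that are live (not commented out).

    ElementTree's default parser drops XML comments, so a provider wrapped
    in <!-- --> never appears in the tree.
    """
    root = ET.fromstring(xml_text)
    found = []
    # '{*}' matches the element in any namespace (ElementPath, Python 3.8+).
    for manager in root.iterfind(".//{*}authentication-manager"):
        for provider in manager.findall("{*}authentication-provider"):
            ident = provider.get("ref") or provider.get("user-service-ref")
            if ident is None or ident in SUPPORTING_PROVIDERS:
                continue
            found.append(ident)
    return found


def check_single_provider(xml_text):
    """Return (ok, providers); ok is True only when exactly one login
    provider is active."""
    providers = active_login_providers(xml_text)
    return len(providers) == 1, providers


if __name__ == "__main__":
    for name, doc in (("both enabled", BOTH_ENABLED), ("LDAP only", LDAP_ONLY)):
        ok, providers = check_single_provider(doc)
        status = "OK" if ok else "WARNING: more than one login provider active"
        print(f"{name}: {providers} -> {status}")
```

Run it against a real `security.xml` by reading the file into `check_single_provider`; a result of `(False, [...])` means the install is in the "both enabled" state Glen warns against, and the returned list names which providers to comment out.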