LDAP - portal partial login - user member of group which is member of esp_consumer
Have setup LDAP connecting to customers AD.
Testing user logging in apollo-portal it fails with 403 Forbidden.
I believe the 'Initialized map service userDedicatedPSSsharmanc' entry indicates that the user was correctly authenticated against LDAP but the entry 'The remote server returned an error: (403) Forbidden'' indicates that apollo couldn't find the user in esp_consumer group and refused access to catalog (I think).
The user belongs to an users group which in turn belongs to esp_consumer.
I was able to replicate the same scenario on my local test VM and test AD.
esp_consumer group already exists
"CN=esp_consumer,CN=Users,DC=domain,DC=tld" (I know, it should have been in CN=Groups, not CN=users - my first foray into AD)
Created new group MyUsers
"CN=MyUsers,CN=Users,DC=Domain,DC=tld"
- Added MyUsers group as member of esp_consumer group
- Created new user TestUser
"CN=TestUser,CN=Users,DC=domain,DC=tld" - Added TestUser as member of MyUsers group
Launched apollo-portal, authentication tab, tried to login. I got the same outcome as shown for client.
I then added TestUser directly as a member of esp_consumer and it worked.
Current entries in my test spring-jaas-auth.conf file
apollo {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
ldapUrl="ldap://10.0.2.5:389"
baseDn="CN=Users,DC=domain,DC=tld"
useStartTLS="false"
bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
bindCredential="xxxxxxx"
userFilter="(sAMAccountName={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://10.0.2.5:389"
baseDn="CN=Users,dc=domain,dc=tld"
bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
bindCredential="xxxxxxx"
roleFilter="(member={dn})"
roleAttribute="sAMAccountName";
};
I suspect needs another entry in the role lookup section ... yet to come up with the right setup.
thanks
Shaun
I also tried adding
roleNested=true
roleSubtree=true
with no success.
e.g.
apollo {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
ldapUrl="ldap://10.0.2.5:389"
baseDn="CN=Users,DC=domain,DC=tld"
useStartTLS="false"
bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
bindCredential="xxxxxxx"
userFilter="(sAMAccountName={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://10.0.2.5:389"
baseDn="CN=Users,dc=domain,dc=tld"
bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
bindCredential="xxxxxxx"
roleNested=true
roleSubtree=true
roleFilter="(member={dn})"
roleAttribute="sAMAccountName";
};
Suspect a subtle variation on that is needed.
Re: LDAP - portal partial login - user member of group which is member of esp_consumer
Found it 
Turns out to search AD nested groups have to add :1.2.840.113556.1.4.1941: to the role filter.
roleFilter="(member:1.2.840.113556.1.4.1941:={dn})"
Not sure if it is documented at Ldaptive.org (my access is currently blocked), but found it at https://stackoverflow.com/questions/6195812/ldap-nested-group-membership -> https://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx
My current spring-jaas-auth.conf entry:
apollo {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
ldapUrl="ldap://10.0.2.5:389"
baseDn="CN=Users,DC=domain,DC=tld"
useStartTLS="false"
subtreeSearch="true"
bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
bindCredential="xxxxxxx"
userFilter="(sAMAccountName={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://10.0.2.5:389"
baseDn="CN=Users,dc=domain,dc=tld"
bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
bindCredential="xxxxxxx"
defaultRole="esp_anonymous"
roleFilter="(member:1.2.840.113556.1.4.1941:={dn})"
roleAttribute="sAMAccountName";
};
I also added defaultRole so if clients administrator fails to put an user in a required group they will at least get some limited anon access - though that does not seem to flow through to ApolloCatalogWMS.
