09-12-2017 09:59 PM - edited 09-12-2017 10:20 PM
Have set up LDAP connecting to the customer's AD.
Testing a user logging in to apollo-portal, it fails with 403 Forbidden.
I believe the 'Initialized map service userDedicatedPSSsharmanc' entry indicates that the user was correctly authenticated against LDAP, but the entry 'The remote server returned an error: (403) Forbidden' indicates that apollo couldn't find the user in the esp_consumer group and refused access to the catalog (I think).
The user belongs to a users group which in turn belongs to esp_consumer.
I was able to replicate the same scenario on my local test VM and test AD.
esp_consumer group already exists:
"CN=esp_consumer,CN=Users,DC=domain,DC=tld" (I know, it should have been in CN=Groups, not CN=Users - my first foray into AD)
Created new group MyUsers:
"CN=MyUsers,CN=Users,DC=Domain,DC=tld"
Launched apollo-portal, authentication tab, tried to log in. I got the same outcome as shown for the client.
I then added TestUser directly as a member of esp_consumer and it worked.
Current entries in my test spring-jaas-auth.conf file:
apollo {
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,DC=domain,DC=tld"
    useStartTLS="false"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    userFilter="(sAMAccountName={user})";
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,dc=domain,dc=tld"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    roleFilter="(member={dn})"
    roleAttribute="sAMAccountName";
};
I suspect it needs another entry in the role lookup section ... yet to come up with the right setup.
thanks
Shaun
I also tried adding
roleNested=true
roleSubtree=true
with no success.
e.g.
apollo {
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,DC=domain,DC=tld"
    useStartTLS="false"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    userFilter="(sAMAccountName={user})";
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,dc=domain,dc=tld"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    roleNested=true
    roleSubtree=true
    roleFilter="(member={dn})"
    roleAttribute="sAMAccountName";
};
Suspect a subtle variation on that is needed.
09-13-2017 06:59 PM - edited 09-13-2017 07:56 PM
Found it.
Turns out that to search AD nested groups you have to add :1.2.840.113556.1.4.1941: to the role filter.
roleFilter="(member:1.2.840.113556.1.4.1941:={dn})"
Not sure if it is documented at Ldaptive.org (my access is currently blocked), but found it at https://stackoverflow.com/questions/6195812/ldap-nested-group-membership -> https://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx
My current spring-jaas-auth.conf entry:
apollo {
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,DC=domain,DC=tld"
    useStartTLS="false"
    subtreeSearch="true"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    userFilter="(sAMAccountName={user})";
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,dc=domain,dc=tld"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    defaultRole="esp_anonymous"
    roleFilter="(member:1.2.840.113556.1.4.1941:={dn})"
    roleAttribute="sAMAccountName";
};
I also added defaultRole so if the client's administrator fails to put a user in a required group they will at least get some limited anon access - though that does not seem to flow through to ApolloCatalogWMS.
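To make the difference between the two role filters in this thread concrete, here is an added example (not code from the thread, ldaptive or Apollo): a small constructed in-memory directory, with a direct-membership lookup that models roleFilter="(member={dn})" beside a transitive lookup that models what the AD matching rule in roleFilter="(member:1.2.840.113556.1.4.1941:={dn})" computes server-side, plus the defaultRole fallback. The DNs, the group names and the "LoopGroup" cycle are all constructed; the RDN value stands in for the sAMAccountName that roleAttribute reads off each group.

```python
# Added example, not from the forum thread: models direct vs nested (transitive)
# group resolution the way LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
# does it on the AD side, so you can reason about which users effectively
# receive esp_consumer before pointing the real JAAS module at a directory.

from collections import deque

# Constructed test directory: group DN -> list of member DNs.
# TestUser is only in MyUsers; MyUsers is in esp_consumer.  LoopGroup creates
# a membership cycle (MyUsers <-> LoopGroup) to show the walk terminates.
DIRECTORY = {
    "CN=esp_consumer,CN=Users,DC=domain,DC=tld": [
        "CN=MyUsers,CN=Users,DC=domain,DC=tld",
        "CN=DirectUser,CN=Users,DC=domain,DC=tld",
    ],
    "CN=MyUsers,CN=Users,DC=domain,DC=tld": [
        "CN=TestUser,CN=Users,DC=domain,DC=tld",
        "CN=LoopGroup,CN=Users,DC=domain,DC=tld",
    ],
    "CN=LoopGroup,CN=Users,DC=domain,DC=tld": [
        "CN=MyUsers,CN=Users,DC=domain,DC=tld",  # cycle back to MyUsers
    ],
    "CN=esp_anonymous,CN=Users,DC=domain,DC=tld": [],
}


def normalize_dn(dn):
    """Normalise a DN for comparison only: attribute types are case-insensitive
    and AD treats CN/DC values case-insensitively, so the thread's
    'dc=domain,dc=tld' and 'DC=domain,DC=tld' name the same entry."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_value(dn):
    """Value of the first RDN, e.g. 'esp_consumer'; stands in for the
    sAMAccountName the module returns as the role name."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_groups(user_dn):
    """What roleFilter="(member={dn})" finds: groups listing the user directly."""
    target = normalize_dn(user_dn)
    return sorted(rdn_value(g) for g, members in DIRECTORY.items()
                  if any(normalize_dn(m) == target for m in members))


def transitive_groups(user_dn):
    """What roleFilter="(member:1.2.840.113556.1.4.1941:={dn})" finds: every
    group reachable by following member links upward, cycle-safe via 'seen'."""
    by_norm = {normalize_dn(g): g for g in DIRECTORY}
    parents = {}  # normalized member DN -> normalized DNs of groups containing it
    for g, members in DIRECTORY.items():
        for m in members:
            parents.setdefault(normalize_dn(m), []).append(normalize_dn(g))
    seen = set()
    queue = deque([normalize_dn(user_dn)])
    while queue:
        cur = queue.popleft()
        for p in parents.get(cur, []):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return sorted(rdn_value(by_norm[g]) for g in seen)


def effective_roles(user_dn, nested=True, default_role="esp_anonymous"):
    """Role set handed to the application; defaultRole applies only when the
    role search returns nothing, mirroring the defaultRole="esp_anonymous" line."""
    roles = transitive_groups(user_dn) if nested else direct_groups(user_dn)
    return roles if roles else [default_role]


def has_required_role(user_dn, required="esp_consumer", nested=True):
    """True when the user would pass the esp_consumer check under that filter."""
    return required in effective_roles(user_dn, nested=nested)


if __name__ == "__main__":
    u = "cn=TestUser,cn=Users,dc=domain,dc=tld"
    print("direct filter  :", direct_groups(u))
    print("nested filter  :", transitive_groups(u))
    print("esp_consumer   :", has_required_role(u, nested=False), "->", has_required_role(u))
    print("orphan user    :", effective_roles("CN=Orphan,CN=Users,DC=domain,DC=tld"))
```

Run as-is, the direct filter yields only MyUsers for TestUser (the 403 scenario from the first post), while the transitive walk also yields esp_consumer; a user in no group at all falls back to esp_anonymous. The same transitive walk is a handy audit: run it over every user object to list who effectively holds esp_consumer through nesting, which is the population a directory administrator should review after enabling the matching-rule filter.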