Hexagon Geospatial
ERDAS APOLLO & ECW/JP2

Super Contributor
Posts: 388
Registered: 10-12-2015

LDAP - portal partial login - user member of group which is member of esp_consumer

Have set up LDAP connecting to the customer's AD.

Testing a user logging in to apollo-portal, it fails with 403 Forbidden.

[screenshot: portal-login-error.png]

I believe the 'Initialized map service userDedicatedPSSsharmanc' entry indicates that the user was correctly authenticated against LDAP, but the entry 'The remote server returned an error: (403) Forbidden' indicates that apollo couldn't find the user in the esp_consumer group and refused access to the catalog (I think).

The user belongs to a users group which in turn belongs to esp_consumer.

I was able to replicate the same scenario on my local test VM and test AD.


  • esp_consumer group already exists:
    "CN=esp_consumer,CN=Users,DC=domain,DC=tld" (I know, it should have been in CN=Groups, not CN=users - my first foray into AD)
  • Created new group MyUsers:
    "CN=MyUsers,CN=Users,DC=Domain,DC=tld"
  • Added MyUsers group as member of esp_consumer group
  • Created new user TestUser:
    "CN=TestUser,CN=Users,DC=domain,DC=tld"
  • Added TestUser as member of MyUsers group

Launched apollo-portal, authentication tab, tried to log in. I got the same outcome as shown for the client.

[screenshot: portal-login-error-reproduce.png]


I then added TestUser directly as a member of esp_consumer and it worked.

[screenshot: portal-login-success-directly-in-esp_consumer.png]


Current entries in my test spring-jaas-auth.conf file:

apollo {
  // Authentication: bind as the service account, locate the user entry by sAMAccountName,
  // then authenticate that user's DN with the password they typed (a simple bind by default).
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://10.0.2.5:389"   // ldap:// with useStartTLS="false": bind passwords travel in cleartext
    baseDn="CN=Users,DC=domain,DC=tld"
    useStartTLS="false"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    userFilter="(sAMAccountName={user})";
  // Authorization: roles come from the sAMAccountName of every group matched by roleFilter.
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,dc=domain,dc=tld"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    roleFilter="(member={dn})"   // matches only groups that list the user's DN directly
    roleAttribute="sAMAccountName";
};

I suspect it needs another entry in the role lookup section ... yet to come up with the right setup.

 

thanks

Shaun

I also tried adding

roleNested=true
roleSubtree=true

with no success.

e.g. 

apollo {
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,DC=domain,DC=tld"
    useStartTLS="false"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    userFilter="(sAMAccountName={user})";
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,dc=domain,dc=tld"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    roleNested=true    // the two options tried for nested lookup; no effect on the result
    roleSubtree=true
    roleFilter="(member={dn})"
    roleAttribute="sAMAccountName";
};


Suspect a subtle variation on that is needed.

Super Contributor
Posts: 388
Registered: 10-12-2015

Re: LDAP - portal partial login - user member of group which is member of esp_consumer

Found it!


Turns out that to search AD nested groups you have to add :1.2.840.113556.1.4.1941: to the role filter.

roleFilter="(member:1.2.840.113556.1.4.1941:={dn})"


Not sure if it is documented at Ldaptive.org (my access is currently blocked), but found it at https://stackoverflow.com/questions/6195812/ldap-nested-group-membership -> https://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx

My current spring-jaas-auth.conf entry:

apollo {
  // Authentication: bind as the service account, locate the user by sAMAccountName anywhere
  // below baseDn (subtreeSearch), then authenticate that user's DN with the password they typed.
  org.ldaptive.jaas.LdapLoginModule required
    storePass="true"
    ldapUrl="ldap://10.0.2.5:389"   // ldap:// with useStartTLS="false": bind passwords travel in cleartext
    baseDn="CN=Users,DC=domain,DC=tld"
    useStartTLS="false"
    subtreeSearch="true"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    userFilter="(sAMAccountName={user})";
  // Authorization: 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN, so the server
  // returns every group the user's DN belongs to transitively, not only the groups that list
  // the DN directly.
  org.ldaptive.jaas.LdapRoleAuthorizationModule required
    useFirstPass="true"
    ldapUrl="ldap://10.0.2.5:389"
    baseDn="CN=Users,dc=domain,dc=tld"
    bindDn="CN=TestAdmin,CN=Users,DC=domain,DC=tld"
    bindCredential="xxxxxxx"
    defaultRole="esp_anonymous"
    roleFilter="(member:1.2.840.113556.1.4.1941:={dn})"
    roleAttribute="sAMAccountName";
};

 

I also added defaultRole so if the client's administrator fails to put a user in a required group they will at least get some limited anon access - though that does not seem to flow through to ApolloCatalogWMS.
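As an added example (not code from the post, from ERDAS APOLLO or from ldaptive), the Python below models offline what the two role lookups in this thread return: the flat roleFilter="(member={dn})" from the first post against the in-chain roleFilter="(member:1.2.840.113556.1.4.1941:={dn})" from the solution. The directory entries are constructed to mirror the poster's test AD (TestUser in MyUsers, MyUsers in esp_consumer); the "Staff" group, which closes a membership cycle, is invented to show that a transitive walk must terminate on cycles, which AD permits. The RFC 4515 escaping of the DN substituted into the filter is included as the check a practitioner would want; whether ldaptive escapes {dn} itself is not verified here and is treated as an assumption.

```python
"""Offline model of flat vs. in-chain (nested) group lookup for an AD-style
directory. Added example; not code from the forum post, ERDAS APOLLO or ldaptive.
"""
from collections import deque

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the solved roleFilter.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

TESTUSER_DN = "CN=TestUser,CN=Users,DC=domain,DC=tld"

# Constructed group entries: DN -> the attributes the role module reads.
# Note the mixed DC=/dc= casing, mirroring the thread's config; DN comparison is
# case-insensitive, so it must not matter.
DIRECTORY = {
    "CN=esp_consumer,CN=Users,DC=domain,DC=tld": {
        "sAMAccountName": "esp_consumer",
        "member": ["CN=MyUsers,CN=Users,dc=domain,dc=tld"],
    },
    "CN=MyUsers,CN=Users,DC=Domain,DC=tld": {
        "sAMAccountName": "MyUsers",
        # Invented: Staff is a member of MyUsers, closing the cycle
        # MyUsers -> esp_consumer -> Staff -> MyUsers.
        "member": [TESTUSER_DN, "CN=Staff,CN=Users,DC=domain,DC=tld"],
    },
    "CN=Staff,CN=Users,DC=domain,DC=tld": {
        "sAMAccountName": "Staff",
        "member": ["CN=esp_consumer,CN=Users,DC=domain,DC=tld"],
    },
}


def _norm(dn):
    # DNs compare case-insensitively. Insignificant-whitespace handling is
    # omitted for brevity, so keep sample DNs free of stray spaces.
    return dn.lower()


def direct_groups(dn, directory=DIRECTORY):
    """Groups whose member attribute lists `dn` itself: what the flat filter
    "(member={dn})" matches."""
    target = _norm(dn)
    return {g for g, attrs in directory.items()
            if target in (_norm(m) for m in attrs["member"])}


def nested_groups(dn, directory=DIRECTORY):
    """Groups reachable by following member links transitively: what
    "(member:1.2.840.113556.1.4.1941:={dn})" matches. The `found` set makes
    the walk terminate on membership cycles."""
    found = set()
    queue = deque([dn])
    while queue:
        current = queue.popleft()
        for group in direct_groups(current, directory):
            if group not in found:
                found.add(group)
                queue.append(group)
    return found


def roles(dn, nested, directory=DIRECTORY):
    """Role names as roleAttribute="sAMAccountName" would return them."""
    groups = nested_groups(dn, directory) if nested else direct_groups(dn, directory)
    return {directory[g]["sAMAccountName"] for g in groups}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a DN
    containing '(' ')' '*' '\\' or NUL cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def role_filter(dn, nested):
    """The roleFilter string with {dn} expanded, flat or in-chain."""
    attr = f"member:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "member"
    return f"({attr}={escape_filter_value(dn)})"


def portal_allows(dn, nested):
    """The check the portal is effectively making: is esp_consumer among the roles?"""
    return "esp_consumer" in roles(dn, nested)


if __name__ == "__main__":
    for nested in (False, True):
        print(role_filter(TESTUSER_DN, nested))
        verdict = "allowed" if portal_allows(TESTUSER_DN, nested) else "403 Forbidden"
        print("  roles:", sorted(roles(TESTUSER_DN, nested)), "->", verdict)
```

With the flat filter TestUser's only role is MyUsers, which is exactly the 403 the first post reproduces; with the in-chain rule esp_consumer (and, through the invented cycle, Staff) is included and the check passes. The OID is Microsoft-specific: against AD the server does this transitive expansion itself, while a non-AD directory will reject the rule or match nothing, so the roleFilter in the solution is an AD-only fix.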
