LDAP security role issue

07-29-2010 11:15 AM
AamirSuleman
New Contributor II
I am using GPT 9.3.1 SP1 with Tomcat 5.5.17 and Java 5 R6. Followed the default installation taking the LDAP security mode with Apache Server Directory and Apache Server Studio. I am following the installation document's mentioned usernames and groups.

Although I can log in as the administrator (gptadmin), I can't see the Administration and Repositories buttons, which means I am being authenticated but not authorized. I am probably doing something wrong in the groups and metadataManagementGroup tags. I guess the metadataManagementGroup is not required, so I commented it out. Here is the snippet from gpt.xml:

<groups
    displayNameAttribute="cn"
    dynamicMemberOfGroupsAttribute=""
    dynamicMembersAttribute=""
    memberAttribute="uniquemember"
    memberSearchPattern="(&amp;(objectclass=groupOfUniqueNames)(uniquemember={0}))"
    searchDIT="ou=groups,ou=system">

    <!--
    <metadataManagementGroup
        name="gpt_publishers"
        groupDN="cn=gpt_publishers,ou=groups,ou=system"/>
    <metadataManagementGroup
        name="gpt_administrators"
        groupDN="cn=gpt_administrators,ou=groups,ou=system"/>
    -->
</groups>
9 Replies
CliveReece
Esri Contributor
You've probably already done this, but check (and recheck) all your <ldapAdapter> values in the gpt.xml file.  Pay close attention to the roles definition and make sure the groupDN is right:

<role
    key="gptAdministrator"
    inherits="gptPublisher"
    groupDN="cn=gpt_admin,ou=Groups,ou=geoportal"/>

good luck
EQUIPEIS
New Contributor
Hi,

I have the same problem. Authentication is OK, but there is no Administration or Repository button on the web page.
In <roles authenticatedUserRequiresRole="true"> : groupDN="cn=gpt_admin,ou=Groups,ou=geoportal"/> is right for all groups.

For example: groupDN="cn=***,ou=Group,dc=***,dc=***,dc=**"/>

The user ID is "uid" and the group is "cn". The LDAP server is installed on a Linux system.
The role or group is not recognized by GPT 10.

Thanks for your help
CliveReece
Esri Contributor
My sympathies since I know how frustrating it can be when you can't find the error in the config file.  But since you are authenticating but not getting the right authorization (role) picked up, this *most likely* points to a config problem, and not likely an ldap service issue.

Below are the gpt.xml config file places to double-check.  Use Jxplorer or your favorite Ldap management tool to go to the right place in the ldap tree and make use of the "Copy DN" function to copy/paste the right ldap distinguished name into each needed location of the gpt.xml file.

Use your own ldap values for the bold values below (don't use them verbatim).

1. <roles authenticatedUserRequiresRole="true"><role key="gptRegisteredUser" groupDN="cn=gpt_users,ou=groups,ou=system"/>
2. <role key="gptPublisher" ... groupDN="cn=gpt_publishers,ou=groups,ou=system"/>
3. <role key="gptAdministrator" ... groupDN="cn=gpt_administrators,ou=groups,ou=system"/>
4. <users ... searchDIT="ou=users,ou=system"> 
5. <groups ... searchDIT="ou=groups,ou=system">

good luck !
EQUIPEIS
New Contributor
Hi, thanks

In my gpt.xml, the Base DN is right for all. I use Jxplorer and "Copy DN", and paste it into gpt.xml.
My system admin says that my enterprise uses a Linux server for LDAP with a POSIX configuration, and the user ID is "uid" (it's like: name1 name2 name3).
GPT 10 probably wants to read: "uid=name1,ou=people, cn=***,cn=***"

The value is not configurable in GPT 10.

Thanks
CliveReece
Esri Contributor
hmmm ...
Are the uid and cn the same value or not?
CliveReece
Esri Contributor
EQUIPE-IS,
I spoke with another colleague about this. 
Since it sounds like your authentication is working but the configuration can't determine which groups a user belongs to, and because you're working on a POSIX setup we haven't encountered before, there may be several issues to resolve.

We determine group membership like this:

    memberSearchPattern="(&amp;(objectclass=groupOfUniqueNames)(uniquemember={0}))"
    searchDIT="ou=groups,ou=system"

This results in an LDAP query:

    searchDIT="ou=groups,ou=system" ... (this starts the query from this LDAP node)
    objectclass=groupOfUniqueNames ... (this restricts the search to group objects only.  The name of the objectclass varies with the LDAP implementation)
    uniquemember={0} ... (further restricts the search to those groups that have a "uniquemember" attribute equal to a value that we will substitute at {0}. The name of the attribute that holds the member values varies with the LDAP implementation.)

When determining the groups to which the user belongs, we substitute {0} with the active user's distinguished name (dn). This is very likely the issue with POSIX.

For POSIX the memberSearchPattern would probably look something like this:

    memberSearchPattern="(&amp;(objectclass=posixGroup)(memberUid={0}))"

But we may need to substitute the user's "uid" attribute at {0} rather than their distinguished name.  There may also be issues with recursion (groups that are members of groups).  We also list the members of a group (for instance, when an admin transfers ownership); this would also need some work.

It's also likely that we won't solve all these issues through configuration only.  We would likely need to make a few changes on the back-end.
EQUIPEIS
New Contributor
Ok thanks,

I'll try with this example and if it doesn't work, I'll find another solution or wait for the updated version.
EQUIPEIS
New Contributor
Hello,
I worked on this problem of connecting geoportal to my LDAP group this week, and I didn't find any solution.

Your comment is very good: "
For POSIX the memberSearchPattern would probably look something like this:
memberSearchPattern="(&amp;(objectclass=posixGroup)(memberUid={0}))"
But we may need to substitute the user's "uid" attribute at {0} rather than their distinguished name. There may also be issues with recursion (groups that are members of groups). We also list the members of a group (for instance, when an admin transfers ownership); this would also need some work"

Because the objectclass is posixGroup and the attribute is memberUid in my LDAP.
I tried to find the DN of the group in this log, but with no result.

<groups
    displayNameAttribute="cn"
    dynamicMemberOfGroupsAttribute=""
    dynamicMembersAttribute=""
    memberAttribute="memberUid"
    memberSearchPattern="(&amp;(objectclass=posixGroup)(memberUid={0}))"
    searchDIT="ou=Group,dc=***,dc=***,dc=***">
</groups>

Also, I tried to configure SSO with Tomcat and it's the same issue.
Please, do you have any suggestions? And can I send you the LDAP access log to see if you find a solution? Thanks a lot
EQUIPEIS
New Contributor
Hi, I'm posting my LDAP log. Do you have any comment? Thanks a lot.


conn=1105064 fd=68 slot=68 connection from 10.*.*.* to 10.*.*.*
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=0 BIND dn="uid=***,ou=people,dc=***,dc=***,dc=***" method=128 version=3
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=***,ou=people,dc=***,dc=***,dc=***"
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=1 SRCH base="uid=***,,dc=***,dc=***" scope=2 filter="(&(objectClass=person)(uid=***))" attrs=ALL
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Apr/2014:09:17:22 +0200] conn=1105065 fd=69 slot=69 connection from 10.*.*.* to 10.*.*.*
[11/Apr/2014:09:17:22 +0200] conn=1105065 op=0 BIND dn="uid=***,ou=people,dc=***,dc=***,dc=***" method=128 version=3
[11/Apr/2014:09:17:22 +0200] conn=1105065 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=***,ou=people,dc=***,dc=***,dc=***"
[11/Apr/2014:09:17:22 +0200] conn=1105065 op=1 UNBIND
[11/Apr/2014:09:17:22 +0200] conn=1105065 op=1 fd=69 closed - U1
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=2 SRCH base="uid=***,ou=people,dc=***,dc=***,dc=***" scope=0 filter="(objectClass=*)" attrs=ALL
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=3 SRCH base=",ou=group,dc=***,dc=***,dc=***" scope=2 filter="(&(objectClass=posixgroup)(memberUid=uid=***,ou=people,dc=***,dc=***,dc=***))" attrs="cn"
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=4 UNBIND
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=4 fd=68 closed - U1
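The access log above shows exactly the substitution problem described earlier in the thread: the group search (op=3) runs against a base that starts with a comma and compares memberUid with the user's full DN, so it matches nothing and no role is assigned. The following Python is an added example (not Geoportal code) that expands a memberSearchPattern either way and scans such access-log lines for those symptoms; the sample lines are constructed from the posted log with its *** placeholders kept.

```python
import re

# Constructed sample lines, modelled on the access log posted above
# (the *** placeholders are kept from the post; nothing here is a real host or DN).
SAMPLE_LOG = """\
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=1 SRCH base="uid=***,,dc=***,dc=***" scope=2 filter="(&(objectClass=person)(uid=***))" attrs=ALL
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=3 SRCH base=",ou=group,dc=***,dc=***,dc=***" scope=2 filter="(&(objectClass=posixgroup)(memberUid=uid=***,ou=people,dc=***,dc=***,dc=***))" attrs="cn"
[11/Apr/2014:09:17:22 +0200] conn=1105064 op=3 RESULT err=0 tag=101 nentries=0 etime=0
"""
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) \S+ nentries=(\d+)')
MEMBERUID_RE = re.compile(r'\(memberUid=([^)]*)\)', re.IGNORECASE)

def looks_like_dn(value):
    """A bare uid has no '='; a DN is a comma-separated list of attr=value RDNs."""
    return all('=' in rdn for rdn in value.split(','))

def build_member_filter(pattern, user_dn, substitute='dn'):
    """Expand {0} in memberSearchPattern with the user's DN (right for
    groupOfUniqueNames/uniquemember) or with the bare uid (what posixGroup/memberUid stores)."""
    token = user_dn
    if substitute == 'uid':
        attr, _, value = user_dn.split(',')[0].partition('=')
        if attr.strip().lower() != 'uid':
            raise ValueError('first RDN is not uid: ' + user_dn)
        token = value.strip()
    return pattern.replace('{0}', token)

def analyse_access_log(text):
    """Return (conn, op, problem) findings for the SRCH operations in an access log."""
    searches, findings = {}, []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            searches[(conn, op)] = base
            if base.startswith(',') or ',,' in base:
                findings.append((conn, op, 'base DN contains an empty RDN (searchDIT unset or mistyped)'))
            mu = MEMBERUID_RE.search(flt)
            if mu and looks_like_dn(mu.group(1)):
                findings.append((conn, op, 'memberUid compared with a full DN; posixGroup stores bare uids'))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in searches:
            conn, op, err, nentries = m.groups()
            if err == '0' and nentries == '0' and 'group' in searches[(conn, op)].lower():
                findings.append((conn, op, 'group search matched nothing: no Geoportal role can be assigned'))
    return findings
```

Running `analyse_access_log(SAMPLE_LOG)` reports the empty RDN in both bases plus the DN-in-memberUid and zero-result findings for op=3; `build_member_filter(..., substitute='uid')` shows the filter the posixGroup schema would actually need.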