Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1-beta-3
    • Component/s: Web interface
    • Labels:
      None
    • Complexity:
      Intermediate
    • Number of attachments: 0

      Description

      Please add LDAP support for the user authentication in Continuum user management function.

          Activity

          Frank Zhao added a comment -

          Motivation: Save the work of creating/managing Continuum users by using the existing LDAP server for user authentication.

          Proposed LDAP function:

          We would like to start from the simple case, which only uses the LDAP server to verify login/password.

          1) Modify the application.xml to enable the LDAP feature, and provide the LDAP server connection string.
          2) When starting Continuum for the first time, create an Admin login just like the current Continuum 1.0 does.

          3) The Admin user will create a Default group; any user who does not belong to any group will be assigned to the Default group. In our case, all of the LDAP users will be in the Default group.
          The Default group can also be a predefined group that comes with the Continuum installation, just like the Admin and Guest groups.

          4) When a user logs in, if the login/password is not the admin login/password in the Continuum database, it will go to LDAP for the authentication. The user will be assigned to the Default group if it passes the LDAP authentication.

          5) When working in LDAP mode, the "User Management" function of Continuum will be disabled. There will be only one "Admin" user in the Continuum database. All of the other users are on the LDAP server.

          I think this LDAP solution has minor impact on the current structure and it does not conflict with the authentication function currently used in Continuum.

          Frank Zhao

          Emmanuel Venisse added a comment -

          Seems to be good.

          Just a little remark: why do you want to disable User Management? I think some installations will require LDAP users and local users. We can add another parameter in application.xml for the LDAP config: allow local users.

          Dan Tran added a comment -

          Frank, when will we have this feature?

          Darren Hague added a comment -

          I'd be happy if Continuum supported JAAS Modules, or even forwarded authentication from Apache's mod_auth_ldap and similar modules. This may present an easier path to supporting other authentication methods.

          Jesse McConnell added a comment -

          plexus-security is being used to handle all this kind of behavior now and it should support LDAP authentication now, currently leveraging the acegi integration for all your authentication needs.

          Jesse McConnell added a comment -

          Reopening this one since it's not supported anymore until we get that acegi provider integrated again in redback.

          Jesse McConnell added a comment -

          Providing we get Continuum updated to use redback-alpha-3, read-only LDAP support should exist in 1.1-beta-3.

          Jesse McConnell added a comment -

          details details...

          Emmanuel Venisse added a comment -

          Continuum 1.1-beta-3 now uses redback alpha-3 and supports LDAP authentication.

          We need to write a sample conf in application.xml (in comments).

          Jesse McConnell added a comment -

          The sample conf is in the application.xml now.

          Preston Parkinson added a comment -

          I've posted this to the user mailing list and haven't heard a reply. Was hoping someone here could point me in the right direction.

          I've gone through the process of enabling the LDAP integration. It authenticates the admin that I've defined in the security.properties file successfully. It queries LDAP successfully for all users and logs them in as a guest with basically no access to see anything at this point, which is as I would expect. However, I could not find in the redback or Continuum documentation where I can set the role base to query for in the config. Is that even possible? Guess the question is: how do I assign the default Continuum roles to my LDAP users?

          Jesse McConnell added a comment -

          There is no facility in place for pulling roles from LDAP yet... it should be pretty simple to put into place but it isn't implemented yet. The biggest hangup is that it needs to be writable, which wasn't in the scope of this first LDAP bit.

          Ideally, when that bit gets implemented we'll have a mapping in place that lets you map roles from LDAP to roles in the application.

          This pass with LDAP was strictly for user authentication, so the role management is handled with the embedded Derby database, or whatever else you might have the users database pointing at.

          Christian Schneider added a comment -

          Why do you think the LDAP roles have to be writable? I think it would be completely sufficient to pull roles from LDAP and do the changes with the normal LDAP administration tools. In most organisations the admins of a system like Continuum will not have direct write access to the LDAP server anyway. Often changes to roles have to be done with a special web front end.

          Jesse McConnell added a comment -

          Well, maybe you're right... I was just thinking in terms of retaining that functionality from the edit user page, since it's more dynamic, what with role creation for each new project group, etc.

          Christian Schneider added a comment -

          I think it is quite useful to distinguish between groups in LDAP that represent organizational groups, like a team, and authorization groups in Continuum that mean the right to do something in the project. A good combination could be to reference organizational groups read-only in LDAP and use them to populate authorization groups that live in the Continuum database.

          So for example you could have a project crm in Continuum and give the team crm_team from LDAP the necessary rights in Continuum by populating the authorization group crm_project_admins.

          This two-level approach to authorization is a very useful thing in big companies.

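          The login flow Frank proposed above (one local admin, everyone else verified by an LDAP bind, unmapped users dropped into a default group) and the two-level mapping Christian describes (read-only organizational groups in LDAP populating authorization roles held in the application database) fit together in a few dozen lines. The following is an added example written for this page; it is not Continuum or Redback code and does not use their APIs. The directory is an in-memory stand-in with constructed sample entries, the DN template `uid={username},ou=people,dc=example,dc=com` is an assumed tree layout, and the group-to-role table is invented for the illustration. The stand-in deliberately reproduces one real LDAP behaviour that bites this design: a simple bind with an empty password is an unauthenticated bind that succeeds (RFC 4513 section 5.1.2), so the application must reject empty passwords before it ever talks to the directory.

```python
"""Two-tier login: one local admin account, LDAP simple bind for everyone else,
and a read-only mapping from LDAP groups to application roles.
Added example for this issue; not Continuum/Redback code."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed stand-in for the directory: entry DN -> (password, group DNs).
# Sample data for the example only, not a real directory.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pw", ["cn=crm_team,ou=groups,dc=example,dc=com"]),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pw", []),
}


class FakeLdap:
    """Models the two directory operations the design needs. Like a real LDAP
    server (RFC 4513 section 5.1.2), a bind with an empty password is an
    *unauthenticated* bind that succeeds without proving any identity, so the
    application must never forward an empty password to the directory."""

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True  # unauthenticated bind: "success" with no identity proven
        entry = FAKE_DIRECTORY.get(dn)
        return entry is not None and hmac.compare_digest(entry[0].encode(), password.encode())

    def groups_of(self, dn: str) -> list:
        entry = FAKE_DIRECTORY.get(dn)
        return list(entry[1]) if entry else []


USER_DN_TEMPLATE = "uid={username},ou=people,dc=example,dc=com"  # assumed tree layout
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # allow-list keeps DN metacharacters out


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class LocalStore:
    """The application's own database: the single admin credential, the
    LDAP-group -> application-role mapping, and the default roles given to
    LDAP users who belong to no mapped group (Frank's "Default group")."""
    admin_user: str
    admin_salt: bytes
    admin_hash: bytes
    group_roles: dict = field(default_factory=dict)
    default_roles: tuple = ("guest",)

    @classmethod
    def create(cls, admin_user: str, admin_password: str) -> "LocalStore":
        salt = os.urandom(16)
        return cls(admin_user, salt, _pbkdf2(admin_password, salt))


def authenticate(store: LocalStore, ldap: FakeLdap, username: str, password: str):
    """Return the frozenset of application roles on success, None on failure."""
    if not password:
        return None  # refuse before the bind: an empty password would bind anonymously
    if username == store.admin_user:
        ok = hmac.compare_digest(_pbkdf2(password, store.admin_salt), store.admin_hash)
        return frozenset({"admin"}) if ok else None  # the admin name never falls through to LDAP
    if not USERNAME_RE.fullmatch(username):
        return None  # reject names that could alter the DN being bound
    dn = USER_DN_TEMPLATE.format(username=username)
    if not ldap.simple_bind(dn, password):
        return None
    roles = set()
    for group_dn in ldap.groups_of(dn):  # organizational groups, read from LDAP
        roles.update(store.group_roles.get(group_dn, ()))  # -> authorization roles, held locally
    if not roles:
        roles.update(store.default_roles)
    return frozenset(roles)


def build_store() -> LocalStore:
    """Constructed configuration: crm_team in LDAP grants crm_project_admin locally."""
    store = LocalStore.create("admin", "s3cret-admin-pw")
    store.group_roles["cn=crm_team,ou=groups,dc=example,dc=com"] = ("crm_project_admin",)
    return store


if __name__ == "__main__":
    s, d = build_store(), FakeLdap()
    for user, pw in [("admin", "s3cret-admin-pw"), ("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "")]:
        print(user, "->", authenticate(s, d, user, pw))
```

          Two design points worth keeping when this is wired to a real directory: the admin account is resolved locally and never falls through to LDAP, so an LDAP user named `admin` cannot shadow it, and the role mapping is keyed by full group DN so that an identically named group elsewhere in the tree does not inherit rights. In a real deployment the bind should go over LDAPS or StartTLS, since a simple bind sends the password in the clear.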
          ganesh LV added a comment -

          Hi.
          I'm Ganesh. I'm new to this Geoserver. I have one problem. I am unable to authenticate a user using LDAP in Geoserver. Initially we are authenticating that user in Windows LDAP (IIS level), then for the same user we need to authenticate in Geoserver LDAP. Appreciate it if anybody can share any information regarding this.
          Thanks in advance.

          Ganaesh.

          Brett Porter added a comment -

          Ganaesh, I think you're looking for http://jira.codehaus.org/browse/GEOS


            People

            • Assignee:
              Jesse McConnell
              Reporter:
              Frank Zhao
            • Votes:
              11
              Watchers:
              6

              Dates

              • Created:
                Updated:
                Resolved: