User Authentication via LDAP

Motivation: Save the work of creating/managing Continuum users by using the existing LDAP server for user authentication.

Proposed LDAP function:

We would like to start from the simple case which only use the LDAP server to verify Login/Password.

1)modify the application.xml to enable LDAP feature, and provide the LDAP server connecting string.
2)When start the Continuum for the first time, create an Admin login just like what current Continuum 1.0 does.

3)The Admin user will create a Default group, any user who does not belong to any group will be assigned to the Default group. In our case, all of the LDAP user will be in the default group.
The Default group can also be a predefined group comes with Continuum installation just like the Admin and Guest group.

4)When a user login, if the login/passwd is not the admin login/password in the Continuum Database, it will go to the LDAP for the authentication. The user will be assigned to the default group if it passed the LDAP authentication.

5)When work in LDAP mode, the "User Management" function of Continuum will be disabled. There will be only one "Admin" user in the Continuum Database. All of the other users are on the LDAP server.

I thnk this LDAP solution has minor impact to the current structure and it does not conflict with the authentication function currently used in Continuum.

Frank Zhao

seems to be good.

just a little remark, why do you want to disable User Management? I think some installation will require ldap users and local users. We'll can add an other parameter in application.xml for ldap config : allow local users

Frank, When I we have this feature?

I'd be happy if Continuum supported JAAS Modules, or even forwarded authentication from Apache's mod_auth_ldap and similar modules. This may present an easier path to supporting other authentication methods.

reopening this one since its not supported anymore until we get that acegi provider integrated again in redback

providing we get continuum updated to use redback-alpha-3 readonly ldap support should exist in 1.1-beta-3

details details...

continuum 1.1-beta-3 uses now redback alpha-3 and support LDAP authentication.

We need to write a sample conf in application.xml (in comments)

sample conf is in the application.xml now

I've posted this to the user mailing list and haven't heard a reply. Was hoping someone here could point me in the right direction.

I've gone through the process of enabling the Ldap integration. It authenticates the admin that I've defined in the security.properties file successfully. It queries Ldap successfully for all users and logins them in as a guest with basically no access to see anything at this point. Which is as I would expect. However, I could not find in the redback or continuum documentation where I can set the role base to query for in the config. Is that even possible? Guess the question is, how do I assign the default continuum roles to my Ldap users?

there is no facility in place for pulling roles from ldap yet...it should be pretty simple to put into place but its implemented yet..the biggest hangup is that it needs to be writable which wasn't in the scope of this first ldap bit.

ideally when that bit gets implemented we'll have a mapping in place that lets you map roles from ldap to roles in the application.

this pass with ldap was strictly for user authentication so the role management is handled with the embedded derby database or whatever else you might have the users database pointing at

Why do you think the ldap roles have to be writeable? I think it would be completely sufficient to pull roles from ldap and do the changes with the normal ldap administration tools. In most organisations the admins of a system like continuum will not have direct write support to the ldap server anyway. Often changes to roles have to be done with a special web front end.

well maybe your right...I was just thinking in terms of retaining that functionality from the edit user page since its more dynamic what with role creations for each new project group, etc...

I think it is quite useful to distinguish between groups in ldap that represent organizational groups like a team and authorizational groups in continuum that mean the right to do something in the project. A good combination could be to reference organizational groups read only in ldap and use them to populate authorization groups that live in the continuum database.

So for example you could have a project crm in contiuum and give the team crm_team from ldap the necessary rights in continuum by populating the authorization group crm_project_admins.

This two level aproach to authorization is a very useful thing in big companies.

hi.
Im Ganesh . Im new to this Geoserver. I have one problem.. I am unable to authenticate user using LDAP in geoserver.Initially we are authenticating that user in windows LDAP (IIS Level), then for the same user we need to authenticate in Geoserver LDAP.Appreciate if any body share any information regarding this.
Thanks in advance..

Ganaesh.

Ganaesh, I think you're looking for http://jira.codehaus.org/browse/GEOS