Posted to user@roller.apache.org by Jürgen Weber <ju...@jwi.de> on 2014/06/03 14:57:48 UTC

Roller and LDAP Auth

Hi,
I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.

First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
make LDAP work, which is above <!-- Uncomment & customize below beans if
using LDAP -->
There should be a comment here to enable the authentication-provider line!!
I have enabled both <authentication-provider
user-service-ref="rollerUserService"/> <authentication-provider
ref="ldapAuthProvider"/> because the roller admin cannot be in our LDAP.
Does this work, enabling both?
Anyway, the admin user can log in. An LDAP user gets
"The administrator of this site has disabled user registrations at this
time. Please contact the system administrators if you think this is
incorrect." Then I recreated the database. Now I can log in via LDAP, but a
second user can't.
The log for the second user:
DEBUG 2014-06-03 14:41:35,142
AbstractAuthenticationProcessingFilter:successfulAuthentication -
Authentication success. Updating SecurityContextHolder to contain:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1c3a2503:
Principal:
org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@51c9fbaa:
Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled:
true; AccountNonExpired: true; CredentialsNonExpired: true;
AccountNonLocked: true; Granted Authorities: editor; Credentials:
[PROTECTED]; Authenticated: true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@0:
RemoteIpAddress: *********; SessionId: **********; Granted Authorities:
editor

but in the browser he is shown the user disabled message from above.
I have users.registration.enabled=true
What can I do?

Thanks, Juergen

Re: Roller and LDAP Auth

Posted by Glen Mazza <gl...@gmail.com>.
On 6/12/2014 5:06 AM, Jürgen Weber wrote:
> The "Uncomment & customize below beans if using LDAP" fails to mention that
> you have also to change **above** and enable <authentication-provider
> ref="ldapAuthProvider"/>
>

OK, but consider the audience.  LDAP configuration is for advanced and 
skilled users who would hopefully be able to understand such things 
(otherwise they shouldn't be configuring security...), we don't need to 
comment out the file so that a ten year old can understand it (you can 
end up insulting users' intelligences that way).  But we happily accept 
patches, Juergen, as you know Roller is a volunteer effort.


> Still, the second user gets "The administrator of this site has disabled
> user registrations at this time. Please contact the system administrators
> if you think this is incorrect."

You mean even if you aren't attempting two auth methods simultaneously 
you get that problem?  (Did you shut off the second auth method that you 
claimed you were using in the previous email?) Again, we don't support 
both standard password & ldap, too much complexity and too many security 
holes as a result.  Pick one method and go with it.

> I can remote debug Roller with Eclipse, but I don't know where to set
> breakpoints. Can you tell me some interesting lines to debug LDAP
> authentication?

Search the language files for the above warning message, from there find 
the property name for it (the "a" in "a=The administrator of this 
site..."), then search on that property name in the code and that will 
show you where the error message has been activated.  You can work from 
there, I did LDAP debugging before myself (it's not that difficult) but 
don't recall the breakpoint locations.

Regards,
Glen

>
> Thanks, Juergen
> On 04.06.2014 12:12, "Glen Mazza" <gl...@gmail.com> wrote:
>
>> On 6/3/2014 8:57 AM, Jürgen Weber wrote:
>>
>>> Hi,
>>> I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.
>>>
>>> First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
>>> make LDAP work, which is above <!-- Uncomment & customize below beans if
>>> using LDAP -->
>>> There should be a comment here to enable the authentication-provider line
>>> !!
>>>
>> ?  There is, line 66:
>>
>> 63      <!-- Read users from Roller API -->
>> 64      <authentication-manager alias='rollerAuthenticationManager'>
>> 65      <authentication-provider ref="rememberMeAuthenticationProvider"/>
>> 66      <!-- Uncomment one of the three below, based on whether database, LDAP, or
>> 67      OpenID authentication is desired. -->
>> 68      <authentication-provider user-service-ref="rollerUserService"/>
>> 69      <!--authentication-provider ref="ldapAuthProvider"/>
>> 70      <authentication-provider ref="openIDAuthProvider"/-->
>> 71      </authentication-manager>
>>
>>> I
>>> have enabled both <authentication-provider
>>> user-service-ref="rollerUserService"/> <authentication-provider
>>> ref="ldapAuthProvider"/> because the roller admin cannot be in our LDAP.
>>>
>> The "Roller Admin" is just a person -- it can be you -- and *you* can be
>> in the LDAP.  The Roller admin doesn't have to have a username of "Admin"
>> or anything obvious like that, actually shouldn't.
>>
>>> Does this work, enabling both?
>> I hope not, that would be prone to security holes.  Choose one
>> authentication method and go with it.  While Roller offers multiple ways to
>> authenticate, it's the intention that you have only one method once you
>> choose it.
>>
>>> Anyway, the admin user can log in. An LDAP user gets
>>> "The administrator of this site has disabled user registrations at this
>>> time. Please contact the system administrators if you think this is
>>> incorrect." Then I recreated the database. Now I can log in via LDAP, but
>>> a
>>> second user can't.
>>> The log for the second user:
>>> DEBUG 2014-06-03 14:41:35,142
>>> AbstractAuthenticationProcessingFilter:successfulAuthentication -
>>> Authentication success. Updating SecurityContextHolder to contain:
>>> org.springframework.security.authentication.
>>> UsernamePasswordAuthenticationToken@1c3a2503:
>>> Principal:
>>> org.springframework.security.ldap.userdetails.
>>> LdapUserDetailsImpl@51c9fbaa:
>>> Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled:
>>> true; AccountNonExpired: true; CredentialsNonExpired: true;
>>> AccountNonLocked: true; Granted Authorities: editor; Credentials:
>>> [PROTECTED]; Authenticated: true; Details:
>>> org.springframework.security.web.authentication.
>>> WebAuthenticationDetails@0:
>>> RemoteIpAddress: *********; SessionId: **********; Granted Authorities:
>>> editor
>>>
>>> but in the browser he is shown the user disabled message from above.
>>> I have users.registration.enabled=true
>>> What can I do?
>>>
>> Hmm, I tested this.  I think you need to register the user *first* within
>> LDAP, then when the user logs in he'll be taken to the Create a new blog
>> page.  I think the error message you're getting is because you've enabled
>> more than one auth method.  But we should document this in our Install
>> guide.  I'll put in a JIRA ticket.
>>
>> Further, the Blog Admin has a checkbox on the Server Admin settings page
>> (not the roller-custom.properties file) to "Allow new blogs" -- make sure
>> you have that checked.
>>
>> Glen
>>
>>> Thanks, Juergen
>>>


Re: Roller and LDAP Auth

Posted by Jürgen Weber <ju...@jwi.de>.
The "Uncomment & customize below beans if using LDAP" fails to mention that
you have also to change **above** and enable <authentication-provider
ref="ldapAuthProvider"/>

Still, the second user gets "The administrator of this site has disabled
user registrations at this time. Please contact the system administrators
if you think this is incorrect."

I can remote debug Roller with Eclipse, but I don't know where to set
breakpoints. Can you tell me some interesting lines to debug LDAP
authentication?

Thanks, Juergen
On 04.06.2014 12:12, "Glen Mazza" <gl...@gmail.com> wrote:

> On 6/3/2014 8:57 AM, Jürgen Weber wrote:
>
>> Hi,
>> I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.
>>
>> First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
>> make LDAP work, which is above <!-- Uncomment & customize below beans if
>> using LDAP -->
>> There should be a comment here to enable the authentication-provider line
>> !!
>>
>
> ?  There is, line 66:
>
> 63      <!-- Read users from Roller API -->
> 64      <authentication-manager alias='rollerAuthenticationManager'>
> 65      <authentication-provider ref="rememberMeAuthenticationProvider"/>
> 66      <!-- Uncomment one of the three below, based on whether database, LDAP, or
> 67      OpenID authentication is desired. -->
> 68      <authentication-provider user-service-ref="rollerUserService"/>
> 69      <!--authentication-provider ref="ldapAuthProvider"/>
> 70      <authentication-provider ref="openIDAuthProvider"/-->
> 71      </authentication-manager>
>
>> I
>> have enabled both <authentication-provider
>> user-service-ref="rollerUserService"/> <authentication-provider
>> ref="ldapAuthProvider"/> because the roller admin cannot be in our LDAP.
>>
>
> The "Roller Admin" is just a person -- it can be you -- and *you* can be
> in the LDAP.  The Roller admin doesn't have to have a username of "Admin"
> or anything obvious like that, actually shouldn't.
>
>> Does this work, enabling both?
>
> I hope not, that would be prone to security holes.  Choose one
> authentication method and go with it.  While Roller offers multiple ways to
> authenticate, it's the intention that you have only one method once you
> choose it.
>
>> Anyway, the admin user can log in. An LDAP user gets
>> "The administrator of this site has disabled user registrations at this
>> time. Please contact the system administrators if you think this is
>> incorrect." Then I recreated the database. Now I can log in via LDAP, but
>> a
>> second user can't.
>> The log for the second user:
>> DEBUG 2014-06-03 14:41:35,142
>> AbstractAuthenticationProcessingFilter:successfulAuthentication -
>> Authentication success. Updating SecurityContextHolder to contain:
>> org.springframework.security.authentication.
>> UsernamePasswordAuthenticationToken@1c3a2503:
>> Principal:
>> org.springframework.security.ldap.userdetails.
>> LdapUserDetailsImpl@51c9fbaa:
>> Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled:
>> true; AccountNonExpired: true; CredentialsNonExpired: true;
>> AccountNonLocked: true; Granted Authorities: editor; Credentials:
>> [PROTECTED]; Authenticated: true; Details:
>> org.springframework.security.web.authentication.
>> WebAuthenticationDetails@0:
>> RemoteIpAddress: *********; SessionId: **********; Granted Authorities:
>> editor
>>
>> but in the browser he is shown the user disabled message from above.
>> I have users.registration.enabled=true
>> What can I do?
>>
>
> Hmm, I tested this.  I think you need to register the user *first* within
> LDAP, then when the user logs in he'll be taken to the Create a new blog
> page.  I think the error message you're getting is because you've enabled
> more than one auth method.  But we should document this in our Install
> guide.  I'll put in a JIRA ticket.
>
> Further, the Blog Admin has a checkbox on the Server Admin settings page
> (not the roller-custom.properties file) to "Allow new blogs" -- make sure
> you have that checked.
>
> Glen
>
>> Thanks, Juergen
>

Re: Roller and LDAP Auth

Posted by Glen Mazza <gl...@gmail.com>.
On 6/3/2014 8:57 AM, Jürgen Weber wrote:
> Hi,
> I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.
>
> First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
> make LDAP work, which is above <!-- Uncomment & customize below beans if
> using LDAP -->
> There should be a comment here to enable the authentication-provider line
> !!

?  There is, line 66:

63 	<!-- Read users from Roller API -->
64 	<authentication-manager alias='rollerAuthenticationManager'>
65 	<authentication-provider ref="rememberMeAuthenticationProvider"/>
66 	<!-- Uncomment one of the three below, based on whether database, LDAP, or
67 	OpenID authentication is desired. -->
68 	<authentication-provider user-service-ref="rollerUserService"/>
69 	<!--authentication-provider ref="ldapAuthProvider"/>
70 	<authentication-provider ref="openIDAuthProvider"/-->
71 	</authentication-manager>

> I
> have enabled both <authentication-provider
> user-service-ref="rollerUserService"/> <authentication-provider
> ref="ldapAuthProvider"/> because the roller admin cannot be in our LDAP.

The "Roller Admin" is just a person -- it can be you -- and *you* can be 
in the LDAP.  The Roller admin doesn't have to have a username of 
"Admin" or anything obvious like that, actually shouldn't.

> Does this work, enabling both?

I hope not, that would be prone to security holes.  Choose one 
authentication method and go with it.  While Roller offers multiple ways 
to authenticate, it's the intention that you have only one method once 
you choose it.

> Anyway, the admin user can log in. An LDAP user gets
> "The administrator of this site has disabled user registrations at this
> time. Please contact the system administrators if you think this is
> incorrect." Then I recreated the database. Now I can log in via LDAP, but a
> second user can't.
> The log for the second user:
> DEBUG 2014-06-03 14:41:35,142
> AbstractAuthenticationProcessingFilter:successfulAuthentication -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1c3a2503:
> Principal:
> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@51c9fbaa:
> Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled:
> true; AccountNonExpired: true; CredentialsNonExpired: true;
> AccountNonLocked: true; Granted Authorities: editor; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: *********; SessionId: **********; Granted Authorities:
> editor
>
> but in the browser he is shown the user disabled message from above.
> I have users.registration.enabled=true
> What can I do?

Hmm, I tested this.  I think you need to register the user *first* 
within LDAP, then when the user logs in he'll be taken to the Create a 
new blog page.  I think the error message you're getting is because 
you've enabled more than one auth method.  But we should document this 
in our Install guide.  I'll put in a JIRA ticket.

Further, the Blog Admin has a checkbox on the Server Admin settings page 
(not the roller-custom.properties file) to "Allow new blogs" -- make 
sure you have that checked.

Glen

> Thanks, Juergen
>