Configuring LDAP Direct connection mode
54 views
Skip to first unread message
Assigned to lorenzo...@geosolutionsgroup.com by tobia....@geosolutionsgroup.com
facundo p
Mar 22, 2024, 2:21:54 PM3/22/24
to mapstore-developers
Hello all,
I have a question regarding how to configure the Direct connection mode when integrating Mapstore users with an LDAP service, I was wondering if maybe someone who had already used it could help me out.
When uncommenting the section that enables the Direct mode, there is a variable called memberPattern that is configurable from the ldap.properties file, and I haven't been able to find it mentioned in the documentation.
From what I understood, it could be a filter used to get all the groups a certain user is member in, but trying to configure a pattern there that would return said groups from my server results in an error 500 when trying to log in. I've attached the error below.
I've also tried a more generic filter like
ldap.memberPattern=(member={0})
like the default oprtion present in the groupFilter property, but that has not worked either.
Is my interpretation of this property incorrect? Does it have a different use? Let me know if there's anything i'm missing.
Thank you
Facundo Pedreira
Unidad de Información Geográfica
Intendencia de Montevideo
Lorenzo Natali
Mar 29, 2024, 6:49:40 AM3/29/24
to mapstore-developers
Hi,
From the code I see it is a regex used to extract the member names of a particular group from a Group, transforming the "cn=...." to the username only string.
This is probably the reason why you have the error.
Usage of memberPattern:
It is used
facundo p
Apr 2, 2024, 2:30:07 PM4/2/24
to mapstore-developers
Hello, thanks for the input.
I've tried a variety of regex that fit that purpose since then, but i keep on running into the same error. I get that same error regardless of if i try to obtain the string from a username with a CN or UID, so I think it may come from some place else. Here's an example of one of the regex i've tried that should get that string from a user DN in different formats, but returns that same error as before:
ldap.memberPattern=^.*cn=([^,]+).*$
The rest of the ldap properties configured should be working correctly, as before trying the direct mode I was using the synchronized mode with those same properties and it worked fine. Something else I've noticed is that my mapstore app doesn't seem to be connecting correctly to my configured geostore in the geostore-datasource-ovr.properties file when trying to use the LDAP direct connection mode, but that same configuration was working properly when working in LDAP synchronized mode. This includes maps that should be visible without the user having to log in, which were also visible in the synchronized mode.
If you think that may be related please let me know. Also, I don't know if you accidentaly cut off part of that last sentence, where you were beginning to say that it is used a certain way?
Thank you for your help, I will continue trying to debug this issue.
Lorenzo Natali
Apr 4, 2024, 4:48:36 AM4/4/24
to mapstore-developers
Hi,
it is a little hard to help you to find the problem without the full information or testing and it requires a lot of time,
Anyway looking better at your error I noticed that it was a Spel syntax check error it looks to happen during authentication
Looking down it looks to refer to these lines
it.geosolutions.geostore.core.dao.ldap.impl.UserGroupDAOImpl.matchFilters(UserGroupDAOImpl.java:238)
it.geosolutions.geostore.core.dao.ldap.impl.UserGroupDAOImpl.addEveryOne(UserGroupDAOImpl.java:215)
it.geosolutions.geostore.core.dao.ldap.impl.UserGroupDAOImpl.search(UserGroupDAOImpl.java:159)
it.geosolutions.geostore.core.dao.ldap.impl.UserGroupDAOImpl.findByName(UserGroupDAOImpl.java:136)
it.geosolutions.geostore.services.UserGroupServiceImpl.get(UserGroupServiceImpl.java:384)
it.geosolutions.geostore.services.rest.security.UserLdapAuthenticationProvider.synchronizeGroup(UserLdapAuthenticationProvider.java:241)
it.geosolutions.geostore.core.dao.ldap.impl.UserGroupDAOImpl.search(UserGroupDAOImpl.java:159)
it.geosolutions.geostore.core.dao.ldap.impl.UserGroupDAOImpl.findByName(UserGroupDAOImpl.java:136)
it.geosolutions.geostore.services.UserGroupServiceImpl.get(UserGroupServiceImpl.java:384)
it.geosolutions.geostore.services.rest.security.UserLdapAuthenticationProvider.synchronizeGroup(UserLdapAuthenticationProvider.java:241)
Looking at the code it looks to be happening when searching for the group everyone, just for adding it if it is not present, rising an error parsing the filter (parsing it as a spel expression), trying to extract from the object a property "CN" in an object.
Maybe your groups do not include the property "cn".
Just make sure to follow all the guidelines here and take into account that direct mode is still marked as experimental.
hope it helps.
Reply all
Reply to author
Forward
0 new messages