OpenNMS / NMS-4725

LDAP authorization fails - group to role mapping does not work


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.8, 1.9.4
    • Fix Version/s: 1.9.91
    • Component/s: Web UI - General
    • Security Level: Default (Default Security Scheme)
    • Environment:
      OpenNMS 1.8.12
      CentOS 5.6
      PostgreSQL 9.0.4

      Description

      I had LDAP authentication and authorization working wonderfully in OpenNMS 1.6.x, and I'm now trying to duplicate that configuration in OpenNMS 1.8.12.

        • Note: I have since reproduced the problem in 1.9.90 as well (snapshot 20110606)

      Problem:
      --------

      I've got LDAP authentication working fine, but LDAP authorization is failing. I'm attempting to use the groupToRoleMap property of the UserGroupLdapAuthoritiesPopulator class to map AD group names to OpenNMS roles.

      Expected behavior
      -----------------
      The groupToRoleMap property should be taking my AD group membership (see log entry below, "Roles from search: [OpenNMS_Administrators]") and granting user "testuser" the roles ROLE_USER and ROLE_ADMIN, thus permitting the user to access administrative functions of the Web UI.

      Actual behavior
      ---------------
      I get the single granted authority ROLE_OPENNMS_ADMINISTRATORS, and OpenNMS WebUI says "Access Denied".

      Evidence
      ---------
      My test user:

      Name: (Test) OpenNMS User
      Windows account name: testuser
      Member of groups: OpenNMS_Administrators, Domain Users

      When I attempt to log in, debug entries in $OPENNMS_HOME/logs/daemon/misc.log appear to show that I am being granted roles that correspond directly to the AD group name, instead of using groupToRoleMap:

      -begin logs-
      DefaultSpringSecurityContextSource: Creating context with principal: 'cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com'

      DefaultLdapAuthoritiesPopulator: Getting authorities for user cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com

      DefaultLdapAuthoritiesPopulator: Searching for roles for user 'testuser', DN = 'cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com', with filter member={0} in search base ''

      SpringSecurityLdapTemplate: Using filter: member=cn=\28Test\29 OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com

      DefaultLdapAuthoritiesPopulator: Roles from search: [OpenNMS_Administrators]

      SpringSecurityLdapTemplate: Using filter: member=cn=\28Test\29 OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=narsnet, dc=com

      LdapUserDetailsMapper: Mapping user details from context with DN: cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com

      AuthenticationProcessingFilter: Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@320236f2: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@447ecd43: Username: testuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.1.1.1; SessionId: 1a0h38qdkkonpua0wpfokqosa; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS
      -end logs-

      Ultimately this results in an access denied:

      -begin logs-
      Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@320236f2: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@447ecd43: Username: testuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.1.1.1; SessionId: 1a0h38qdkkonpua0wpfokqosa; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS

      ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
      org.springframework.security.AccessDeniedException: Access is denied
      -end logs-

      The relevant (sanitized) config snippet from my $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml is attached.
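The two role-mapping behaviours this report contrasts, as an added example that is neither the reporter's configuration nor OpenNMS or Spring Security code: a Python reimplementation of Spring's default ROLE_<GROUP> authority naming next to the intended groupToRoleMap lookup, plus a check that reads the "Roles from search" and "Authentication success" misc.log lines quoted above and reports which of the two the populator actually applied. The map shape (group name to a list of roles) is an assumption, and the log lines are shortened copies of the ones in the report with one constructed "correctly mapped" variant.

```python
import re

ROLE_PREFIX = "ROLE_"  # Spring Security's default rolePrefix, upper-casing enabled

# Assumed groupToRoleMap shape: LDAP group name -> list of OpenNMS roles.
GROUP_TO_ROLE_MAP = {"OpenNMS_Administrators": ["ROLE_USER", "ROLE_ADMIN"]}

def default_roles(groups):
    """DefaultLdapAuthoritiesPopulator behaviour: ROLE_ + upper-cased group name."""
    return sorted(ROLE_PREFIX + g.upper() for g in groups)

def mapped_roles(groups, group_to_role_map):
    """Intended groupToRoleMap behaviour: a group grants exactly its configured roles."""
    roles = set()
    for g in groups:
        roles.update(group_to_role_map.get(g, []))  # unmapped groups grant nothing
    return sorted(roles)

def groups_from_search(line):
    """Group names from a 'Roles from search: [a, b]' debug line."""
    m = re.search(r"Roles from search: \[([^\]]*)\]", line)
    return [g.strip() for g in m.group(1).split(",") if g.strip()] if m else []

def granted_authorities(line):
    """First 'Granted Authorities: ...;' list from an authentication-success line."""
    m = re.search(r"Granted Authorities: ([^;]*)", line)
    return sorted(a.strip() for a in m.group(1).split(",") if a.strip()) if m else []

def diagnose(search_line, success_line, group_to_role_map):
    """'mapped'  -> authorities equal the configured mapping (expected behaviour)
    'default' -> authorities are ROLE_<GROUP>, so the map was bypassed (this bug)
    'other'   -> empty, mixed or otherwise unexpected"""
    groups = groups_from_search(search_line)
    granted = granted_authorities(success_line)
    if not granted:
        return "other"
    if granted == mapped_roles(groups, group_to_role_map):
        return "mapped"
    if granted == default_roles(groups):
        return "default"
    return "other"

# Shortened lines from the report; EXPECTED_LINE is constructed to show a mapped login.
SEARCH_LINE = "DefaultLdapAuthoritiesPopulator: Roles from search: [OpenNMS_Administrators]"
ACTUAL_LINE = ("Authentication success: ... Username: testuser; "
               "Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS; Password: [PROTECTED]; ...")
EXPECTED_LINE = ("Authentication success: ... Username: testuser; "
                 "Granted Authorities: ROLE_USER, ROLE_ADMIN; Password: [PROTECTED]; ...")
```

Running `diagnose(SEARCH_LINE, ACTUAL_LINE, GROUP_TO_ROLE_MAP)` on the report's lines returns "default", the signature of the map being skipped; the constructed EXPECTED_LINE returns "mapped".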

    People

    • Assignee: Seth Leger (seth)
    • Reporter: Andy Ellsworth (andye@narsnet.com)
    • Votes: 2
    • Watchers: 3
