roller-user mailing list archives

From Glen Mazza <glen.ma...@gmail.com>
Subject Re: Roller and LDAP Auth
Date Wed, 04 Jun 2014 10:11:29 GMT
On 6/3/2014 8:57 AM, Jürgen Weber wrote:
> Hi,
> I tried roller-webapp-5.1.0-SNAPSHOT with LDAP Auth.
>
> First <authentication-provider ref="ldapAuthProvider"/> must be enabled to
> make LDAP work, which is above <!-- Uncomment & customize below beans if
> using LDAP -->
> There should be a comment here to enable the authentication-provider line
> !!

?  There is, line 66:

63 	<!-- Read users from Roller API -->
64 	<authentication-manager alias='rollerAuthenticationManager'>
65 	<authentication-provider ref="rememberMeAuthenticationProvider"/>
66 	<!-- Uncomment one of the three below, based on whether database, LDAP, or
67 	OpenID authentication is desired. -->
68 	<authentication-provider user-service-ref="rollerUserService"/>
69 	<!--authentication-provider ref="ldapAuthProvider"/>
70 	<authentication-provider ref="openIDAuthProvider"/-->
71 	</authentication-manager>

> I
> have enabled both <authentication-provider
> user-service-ref="rollerUserService"/> <authentication-provider
> ref="ldapAuthProvider"/> because the roller admin cannot be in our LDAP.

The "Roller Admin" is just a person -- it can be you -- and *you* can be 
in the LDAP.  The Roller admin doesn't have to have a username of 
"Admin" or anything obvious like that, actually shouldn't.

> Does this work, enabling both?

I hope not, that would be prone to security holes.  Choose one 
authentication method and go with it.  While Roller offers multiple ways 
to authenticate, it's the intention that you have only one method once 
you choose it.

> Anyway, the admin user can log in. An LDAP user gets
> "The administrator of this site has disabled user registrations at this
> time. Please contact the system administrators if you think this is
> incorrect." Then I recreated the database. Now I can log in via LDAP, but a
> second user can't.
> The log for the second user:
> DEBUG 2014-06-03 14:41:35,142
> AbstractAuthenticationProcessingFilter:successfulAuthentication -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1c3a2503:
> Principal:
> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@51c9fbaa:
> Dn: cn=***********; Username: *******; Password: [PROTECTED]; Enabled:
> true; AccountNonExpired: true; CredentialsNonExpired: true;
> AccountNonLocked: true; Granted Authorities: editor; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: *********; SessionId: **********; Granted Authorities:
> editor
>
> but in the browser he is shown the user disabled message from above.
> I have users.registration.enabled=true
> What can I do?

Hmm, I tested this.  I think you need to register the user *first* 
within LDAP, then when the user logs in he'll be taken to the Create a 
new blog page.  I think the error message you're getting is because 
you've enabled more than one auth method.  But we should document this 
in our Install guide.  I'll put in a JIRA ticket.

Further, the Blog Admin has a checkbox on the Server Admin settings page 
(not the roller-custom.properties file) to "Allow new blogs" -- make 
sure you have that checked.

Glen

> Thanks, Juergen
>

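A configuration check that follows from the "choose one authentication method" advice in the reply above, added here as an example and not part of this thread or of the Roller project: it parses a Spring Security XML fragment and flags any authentication-manager in which more than one primary authentication-provider (database, LDAP or OpenID) is live. The sample fragments are constructed to mirror the security.xml excerpt quoted in the reply; the function names and the treatment of the remember-me provider as non-primary are this example's own assumptions.

```python
"""Lint a Spring Security XML config for a single active login method."""
import xml.etree.ElementTree as ET

# The remember-me provider only re-validates an earlier login, so it does
# not count as a login method (assumption of this example).
SECONDARY_PROVIDERS = {"rememberMeAuthenticationProvider"}


def _local(tag):
    """Strip a namespace prefix such as {http://...}name from an element tag."""
    return tag.rsplit("}", 1)[-1]


def active_providers(xml_text):
    """Return the ref/user-service-ref of every live authentication-provider,
    in document order. Commented-out providers never reach the parser, which
    is exactly why the security.xml comment asks you to uncomment only one."""
    root = ET.fromstring(xml_text)
    names = []
    for elem in root.iter():
        if _local(elem.tag) == "authentication-provider":
            names.append(elem.get("ref") or elem.get("user-service-ref") or "<anonymous>")
    return names


def check_single_auth_method(xml_text):
    """Return (ok, primary_providers); ok is True only when exactly one
    primary provider is enabled."""
    primary = [p for p in active_providers(xml_text) if p not in SECONDARY_PROVIDERS]
    return len(primary) == 1, primary


# Constructed sample: both the database and the LDAP provider are enabled,
# the misconfiguration discussed in the thread.
BOTH_ENABLED = """<beans xmlns="http://www.springframework.org/schema/security">
<authentication-manager alias='rollerAuthenticationManager'>
<authentication-provider ref="rememberMeAuthenticationProvider"/>
<authentication-provider user-service-ref="rollerUserService"/>
<authentication-provider ref="ldapAuthProvider"/>
<!--authentication-provider ref="openIDAuthProvider"/-->
</authentication-manager></beans>"""

# Constructed sample corrected for LDAP-only login: the database provider is commented out.
LDAP_ONLY = BOTH_ENABLED.replace(
    '<authentication-provider user-service-ref="rollerUserService"/>',
    '<!--authentication-provider user-service-ref="rollerUserService"/-->')

if __name__ == "__main__":
    for label, cfg in (("both enabled", BOTH_ENABLED), ("ldap only", LDAP_ONLY)):
        ok, primary = check_single_auth_method(cfg)
        print(f"{label}: {'OK' if ok else 'WARN'} primary providers={primary}")
```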
