LDAP authorization fails - group to role mapping does not work

Fixed

Description

I had LDAP authentication and authorization working wonderfully in OpenNMS 1.6.x, and I'm now trying to duplicate that configuration in OpenNMS 1.8.12.

Note: I have since reproduced the problem in 1.9.90 as well (snapshot 20110606)

Problem:
--------
I've got LDAP authentication working fine, but LDAP authorization is failing. I'm attempting to use the groupToRoleMap property of the UserGroupLdapAuthoritiesPopulator class to map AD group names to OpenNMS roles.

Expected behavior
-----------------
The groupToRoleMap property should be taking my AD group membership (see log entry below, "Roles from search: [OpenNMS_Administrators]") and granting user "testuser" the roles ROLE_USER and ROLE_ADMIN, thus permitting the user to access administrative functions of the Web UI.

Actual behavior
---------------
I get the single granted authority ROLE_OPENNMS_ADMINISTRATORS, and OpenNMS WebUI says "Access Denied".

Evidence
--------
My test user:

Name: (Test) OpenNMS User
Windows account name: testuser
Member of groups: OpenNMS_Administrators, Domain Users

When I attempt to log in, debug entries in $OPENNMS_HOME/logs/daemon/misc.log appear to show that I am being granted roles that correspond directly to the AD group name, instead of using groupToRoleMap:

--begin logs--
DefaultSpringSecurityContextSource: Creating context with principal: 'cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com'

DefaultLdapAuthoritiesPopulator: Getting authorities for user cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com

DefaultLdapAuthoritiesPopulator: Searching for roles for user 'testuser', DN = 'cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com', with filter member={0} in search base ''

SpringSecurityLdapTemplate: Using filter: member=cn=\28Test\29 OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com

DefaultLdapAuthoritiesPopulator: Roles from search: [OpenNMS_Administrators]

SpringSecurityLdapTemplate: Using filter: member=cn=\28Test\29 OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=narsnet, dc=com

LdapUserDetailsMapper: Mapping user details from context with DN: cn=(Test) OpenNMS User, ou=Test, ou=Users, ou=HQ, dc=corp, dc=example, dc=com

AuthenticationProcessingFilter: Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken@320236f2: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@447ecd43: Username: testuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.1.1.1; SessionId: 1a0h38qdkkonpua0wpfokqosa; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS
--end logs--

Ultimately this results in an access denied:

--begin logs--
Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@320236f2: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@447ecd43: Username: testuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 10.1.1.1; SessionId: 1a0h38qdkkonpua0wpfokqosa; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS

ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.AccessDeniedException: Access is denied
--end logs--

The relevant (sanitized) config snippet from my $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml is attached.

Environment

OpenNMS 1.8.12
CentOS 5.6
PostgreSQL 9.0.4

Created May 26, 2011 at 12:12 PM
Updated July 28, 2014 at 8:33 AM
Resolved August 15, 2011 at 12:57 PM

Activity

Andy Ellsworth, August 15, 2011 at 1:05 PM

Created to track the uppercase conversion issue.

Andy Ellsworth, August 15, 2011 at 12:57 PM

Seth's fixes did resolve this; another bug with case conversion for LDAP group names was masking his fix in my environment.

Andy Ellsworth, August 15, 2011 at 12:56 PM

OK, I think I figured this out. Seth's changes did fix this; I'm just hitting another bug layer.

Regarding my last comment, I did finally find where that "Checking <group> for an associated role" log message was being logged - it was in web.log (rather than spring.log) and I had to crank up debug logging for Web UI (main) to see it.

That ultimately yielded this log message, which showed why it was still broken in my environment:

2011-08-15 11:06:13,526 DEBUG [qtp1892465461-467 - /opennms/j_spring_security_check] UserGroupLdapAuthoritiesPopulator: Checking OpenNMS_Administrators for an associated role

The problem here is that I have specified

    <beans:property name="convertToUpperCase" value="true" />

in my userGroupLdapAuthoritiesPopulator bean, and my map had:

    <beans:entry>
        <beans:key>
            <beans:value>OPENNMS_ADMINISTRATORS</beans:value>
        </beans:key>
        <beans:list>
            <beans:value>ROLE_ADMIN</beans:value>
            <beans:value>ROLE_USER</beans:value>
        </beans:list>
    </beans:entry>

but web.log showed that the upper case conversion was not taking place. Thus, OpenNMS_Administrators != OPENNMS_ADMINISTRATORS, so no roles were being matched.

Changing my map to this:

    <beans:entry>
        <beans:key>
            <beans:value>OpenNMS_Administrators</beans:value>
        </beans:key>
        <beans:list>
            <beans:value>ROLE_ADMIN</beans:value>
            <beans:value>ROLE_USER</beans:value>
        </beans:list>
    </beans:entry>

fixed the problem in my environment and allowed me to reap the benefits of Seth's fixes.

I'm opening a separate bug on the upper case conversion issue.
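The case mismatch described in the comment above, as an added worked example that is not OpenNMS code and not the reporter's: a stand-alone Java class that performs the group-to-role lookup the way UserGroupLdapAuthoritiesPopulator is meant to, applying convertToUpperCase to the LDAP group name before the map lookup, and then exercising the three configurations discussed in the thread (upper-cased key with the flag honoured, the same key with the conversion skipped, and the exact-case key workaround). The group and role names come from this issue; groupToRoleMap(...), resolveRoles and check are hypothetical helpers written for the example, and the input group list is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Illustration of the groupToRoleMap lookup; written for this example, not OpenNMS code.
public class GroupToRoleMapExample {

    // Mirrors the shape of groupToRoleMap in the XML config: keys are taken
    // literally from the <beans:key> values, so their case is whatever the
    // administrator typed.
    static Map<String, List<String>> groupToRoleMap(String key, String... roles) {
        Map<String, List<String>> map = new LinkedHashMap<>();
        map.put(key, Arrays.asList(roles));
        return map;
    }

    // Lookup as the populator is meant to do it: each LDAP group name is
    // upper-cased when convertToUpperCase is set, then used as the map key.
    static List<String> resolveRoles(Map<String, List<String>> map,
                                     List<String> ldapGroups,
                                     boolean convertToUpperCase) {
        List<String> authorities = new ArrayList<>();
        for (String group : ldapGroups) {
            String key = convertToUpperCase ? group.toUpperCase(Locale.ROOT) : group;
            List<String> rolesForGroup = map.get(key);
            if (rolesForGroup == null) {
                continue; // an unmapped group grants nothing (fail closed)
            }
            for (String role : rolesForGroup) {
                if (!authorities.contains(role)) {
                    authorities.add(role);
                }
            }
        }
        return authorities;
    }

    private static void check(List<String> actual, List<String> expected, String what) {
        if (!actual.equals(expected)) {
            throw new AssertionError(what + ": expected " + expected + " but got " + actual);
        }
        System.out.println(what + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed input: the groups the "Roles from search" step returned for
        // testuser, plus a group that is deliberately not mapped to any role.
        List<String> groups = Arrays.asList("OpenNMS_Administrators", "Domain Users");
        List<String> adminRoles = Arrays.asList("ROLE_ADMIN", "ROLE_USER");

        // 1. Upper-cased key with convertToUpperCase=true: the intended configuration.
        Map<String, List<String>> upperKey =
            groupToRoleMap("OPENNMS_ADMINISTRATORS", "ROLE_ADMIN", "ROLE_USER");
        check(resolveRoles(upperKey, groups, true), adminRoles, "upper-cased key, flag honoured");

        // 2. Same key, but the conversion is skipped before the lookup: this is
        //    the mismatch from the comment (OpenNMS_Administrators != OPENNMS_ADMINISTRATORS),
        //    and the user ends up with no mapped role at all.
        check(resolveRoles(upperKey, groups, false), Collections.<String>emptyList(),
              "upper-cased key, flag ignored");

        // 3. The workaround from the comment: key in the group's exact case,
        //    which matches whether or not the conversion is applied on the way in.
        Map<String, List<String>> exactKey =
            groupToRoleMap("OpenNMS_Administrators", "ROLE_ADMIN", "ROLE_USER");
        check(resolveRoles(exactKey, groups, false), adminRoles, "exact-case key");
    }
}
```

Compile and run with `javac GroupToRoleMapExample.java && java GroupToRoleMapExample`. Two points worth keeping in mind when debugging this kind of mapping: a missed match fails closed (the log above shows the user holding only ROLE_OPENNMS_ADMINISTRATORS, which the Web UI's ROLE_ADMIN check rejects), which is the safe direction; and upper-casing is only a harmless normalisation because Active Directory matches cn and sAMAccountName case-insensitively. Against a directory where two groups differ only in case, folding both to one key would grant one group's roles to the other, so check the directory's matching rule before relying on convertToUpperCase.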

Andy Ellsworth, July 25, 2011 at 5:07 PM

I may be barking up the wrong tree here, but on my system, I never see the debug logs "Checking <group> for an associated role" and "Added role <role> based on group <group>". Looking at lines 112-121 from UserGroupLdapAuthoritiesPopulator.java in MASTER, it seems like I should be seeing these messages if things were working right:

for (String group : userRoles) {
    final List<String> rolesForGroup = this.groupToRoleMap.get(group);
    logger.debug("Checking " + group + " for an associated role");
    if (rolesForGroup != null) {
        for (String role : rolesForGroup) {
            authorities.add(new GrantedAuthorityImpl(role));
            logger.debug("Added role: " + role + " based on group " + group);
        }
    }
}

Andy Ellsworth, July 25, 2011 at 4:50 PM

Missed a log entry in the above example:

2011-07-25 15:31:48,377 DEBUG [qtp695186834-4061] AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@e9a46674: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@e498e6a: Username: testuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 10.101.121.69; SessionId: lc12frpvd91ikec8pi6wv7fg; Granted Authorities: ROLE_OPENNMS_ADMINISTRATORS
2011-07-25 15:31:48,377 DEBUG [qtp695186834-4061] ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler