OpenNMS authentication against OpenLDAP

Adding multiple users for LDAP authentication and assigning permissions in OpenNMS

Dear Team,

Task: “With one account, any user can login to their given system. A local admin account still needs to be present on all servers in the event of a LDAP failure. Each customer has their own group for their given servers. No power access is to be given to customers.”

I am totally new to this NMS & LDAP stuff. I was asked to handle this project alone and I am totally dependent on Google and the OpenNMS wiki space. I couldn’t find many details on the net in this regard. Ne

I tried to integrate OpenNMS with OpenLDAP and I managed to do 50% of this, and I got stuck at the point where I have to add multiple users/customers for LDAP authentication and assign permissions to them in NMS. And one more point: I am not able to log in using port 8980, but I can without the port number (e.g. http://my-server-ip/). Once I log in I get the “Access Denied” page in NMS.

In production we are using OpenNMS v1.12 on Ubuntu 14.04; I am trying this on the same version in AWS EC2 instances.

I need you guys’ help to move forward from this point and complete this project.

Thanks.

I’ve set up login with AD, so I can’t speak specifically to OpenLDAP. But OpenNMS will auth with a local account if there is not a username match in your LDAP server.

Can you share the steps of your implementation? I want to see the config of the XML file on the NMS server.

Here is an example: How to authenticate against Microsoft Active Directory Services. It explains a use case where permissions and access to OpenNMS are controlled with two user groups, one for normal users and a second one for users with administrative permissions. Technically you need an additional account in LDAP, which is called the bind user. This account is just used to query LDAP from OpenNMS.

Before you plan on integrating with external LDAP authentication I would strongly recommend upgrading to a recent version. The version you are using is over 5 years old. You can see this here: https://www.opennms.com/version-history/. The error you get with the “Access Denied” and the port 8980 seems to me not related to LDAP. Do you run Apache or any reverse proxy in front of your OpenNMS? If this is the case I would open a dedicated issue about it.


In your example, you didn’t specify <!-- Name of the LDAP group for normal users & admin users -->

Is it not required or optional?

Multiple users login issue is fixed now, thanks Ronny. But now I’m having an authorization issue.

cn= testuser1,ou=People,dc=springframework,dc=com

cn= adminuser1,ou=People,dc=springframework,dc=com

      <beans:entry>
        <beans:key><beans:value>OpenNMS-Users</beans:value></beans:key>
        <beans:list>
          <beans:value>ROLE_USER</beans:value>
          <beans:value>ROLE_ADMIN</beans:value>
        </beans:list>
      </beans:entry>
      <beans:entry>
        <beans:key><beans:value>OpenNMS-Admins</beans:value></beans:key>
        <beans:list>
          <beans:value>ROLE_USER</beans:value>
          <beans:value>ROLE_ADMIN</beans:value>
        </beans:list>
      </beans:entry>

I am getting the Access Denied message regardless of whether I log in as admin or user. Is there any file where I have to specify these roles?

What happens here is: I have a group in Active Directory which is named “OpenNMS-Admins”. During the login, we check if the user is in the group “OpenNMS-Admins”; if so, we assign the OpenNMS roles “ROLE_USER” and “ROLE_ADMIN”.

I’ve added the content for the role to group mapping in “Step 6” of the article: How to authenticate against Microsoft Active Directory Services.

There should be a property file where we need to assign these roles; could you tell me that file’s location? I think we need to define the roles there.

In the example it is all configured in the ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/spring-security.d/activeDirectory.xml.

  </beans:bean>
  <beans:bean id="authenticationSource" class="org.springframework.ldap.authentication.DefaultValuesAuthenticationSourceDecorator">
    <beans:property name="target" ref="springSecurityAuthenticationSource"/>
    <!-- Specify the DN of an unprivileged user for initial binding to the directory -->
    <beans:property name="defaultUser" value="cn= nms_bind_user,ou=People,dc=springframework,dc=com"/>
    <!-- Specify the unprivileged bind user's password here -->
    <beans:property name="defaultPassword" value="binduser123"/>
  </beans:bean>


  <beans:bean id="springSecurityAuthenticationSource" class="org.springframework.security.ldap.authentication.SpringSecurityAuthenticationSource">
  </beans:bean>

  <beans:bean id="externalAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg ref="ldapAuthenticator"/>
    <beans:constructor-arg ref="userGroupLdapAuthoritiesPopulator"/>
  </beans:bean>

  <beans:bean id="ldapAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <beans:constructor-arg ref="contextSource"/>
    <beans:property name="userSearch" ref="userSearch"></beans:property>
  </beans:bean>
  <!-- userSearch (alt.: userDnPatterns) -->

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=People" />

    <!-- More complex filters are possible depending on the layout of your directory -->
    <beans:constructor-arg index="1" value="(uid={0})" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

  <beans:bean id="userGroupLdapAuthoritiesPopulator" class="org.opennms.web.springframework.security.UserGroupLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="contextSource"/>
    <!-- Common LDAP container for the user and admin groups listed below -->
    <beans:constructor-arg value="ou=People" />
    <beans:property name="searchSubtree" value="true" />
    <beans:property name="convertToUpperCase" value="true" />
    <beans:property name="groupRoleAttribute" value="cn" />
    <beans:property name="groupSearchFilter" value="member={0}" />
    <beans:property name="groupToRoleMap">
      <beans:map>
        <beans:entry>
          <!-- Name of the LDAP group for normal (non-admin) OpenNMS users -->
          <beans:key><beans:value>OpenNMS-Users</beans:value></beans:key>
          <beans:list>
            <beans:value>ROLE_USER</beans:value>
            <beans:value>ROLE_ADMIN</beans:value>
          </beans:list>
        </beans:entry>
        <beans:entry>
          <!-- Name of the LDAP group for OpenNMS administrators -->
          <beans:key><beans:value>OpenNMS-Admins</beans:value></beans:key>
          <beans:list>
            <beans:value>ROLE_USER</beans:value>
            <beans:value>ROLE_ADMIN</beans:value>
          </beans:list>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>

What’s wrong with my configuration?

I am following the OpenNMS wiki space. Did you check this?

https://wiki.opennms.org/wiki/Spring_Security_and_LDAP. They say to allow external authentication in the file /opt/noclandnms/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml and to create an XML file for our LDAP configuration from /opt/noclandnms/jetty-webapps/opennms/WEB-INF/spring-security.d/ldap.xml.disabled.

What I understood is that the user authentication is working but failing in authorization. Below is part of the webauth.log. Can anyone figure out the cause?

2020-01-25 04:26:03,858 WARN  [qtp746682004-9706] LoggerListener: Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@e230c624: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@e23346ec: Dn: cn=testuser1,ou=People,dc=springframework,dc=com; Username: testuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: ckr8yjtnsc7j1u0n7d8v52a8u; Not granted any authorities; secure object: FilterInvocation: URL: /coreweb/coreweb.nocache.js; configuration attributes: [ROLE_USER, ROLE_DASHBOARD]
2020-01-25 04:26:04,538 WARN  [qtp746682004-9703] LoggerListener: Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@e230c624: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@e23346ec: Dn: cn=testuser1,ou=People,dc=springframework,dc=com; Username: testuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: ckr8yjtnsc7j1u0n7d8v52a8u; Not granted any authorities; secure object: FilterInvocation: URL: /images/left-menu-icons.png; configuration attributes: [ROLE_ANONYMOUS, ROLE_USER, ROLE_DASHBOARD]

I didn’t specify ROLE_ANONYMOUS in my xml file.

We can give you a working example for Active Directory, because the LDAP structure is the same for all. Because you use OpenLDAP, it is not easy to give you concrete answers about what you have to do to fix your problem. The configuration in OpenNMS depends on the LDAP structure you use in OpenLDAP. Here are the steps I would recommend to you to move forward:

  • Get familiar with ldapsearch; install it on the OpenNMS server so you can double-check that you have access to your LDAP server with your LDAP bind user.
  • Figure out an LDAP search that identifies the users in your groups for OpenNMS admins and OpenNMS normal users.
  • This information is required in the authentication files for Spring, which are in ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/spring-security.d. For a generic LDAP server copy ldap.xml.disabled to ldap.xml.
  • As a first step I would start with configuring your LDAP server: configure the bind user and a simple search which identifies just any user in your LDAP structure, and test if you can log in with the credentials.
  • As the second step, create groups and put users in the groups. Figure out what your LDAP structure is to identify the users in a group. Adjust the ldap.xml, set the groupToRoleMap and test if you get this to work.

If you can’t figure things out and ask people here to help you, you might have to share ldapsearch outputs, insights into how you have set up your LDAP structure and what you have configured in your ldap.xml.

@Indigo, I installed OpenLDAP and NMS on 2 separate servers in Amazon AWS EC2 instances and am testing; both are running Ubuntu Server 14.04, OpenNMS v1.12.6.

  1. LDAP server is configured and tested, no issue with authentication. I used a tool called LDAP Explorer 2 to test it from outside too.

  2. I installed the ldap utilities on my NMS server and tested with ldapsearch using the bind user and other users in my directory, all successful.

Below is the output for a user:

@mani-ldap-nms:~$ sudo ldapsearch -x -D 'cn=todd,ou=People,dc=springframework,dc=com' -W -b 'ou=People,dc=springframework,dc=com' -h 10.99.99.19
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=springframework,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, springframework.com
dn: ou=People,dc=springframework,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

# testuser1, People, springframework.com
dn: cn=testuser1,ou=People,dc=springframework,dc=com
cn:: IHRlc3R1c2VyMQ==
gidNumber: 502
homeDirectory: /home/users/testuser1
sn: testuser1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1007
uid: testuser1

# testadmin1, People, springframework.com
dn: cn=testadmin1,ou=People,dc=springframework,dc=com
cn:: IHRlc3RhZG1pbjE=
gidNumber: 501
homeDirectory: /home/users/testadmin1
sn: testadmin1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1009
uid: testadmin1

# nms_bind_user, People, springframework.com
dn: cn=nms_bind_user,ou=People,dc=springframework,dc=com
gidNumber: 502
homeDirectory: /home/users/nms_bind_user
sn: nms_bind_user
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1010
uid: nms_bind_user
cn: nms_bind_user

# testuser2, People, springframework.com
dn: cn=testuser2,ou=People,dc=springframework,dc=com
cn:: IHRlc3R1c2VyMg==
gidNumber: 502
homeDirectory: /home/users/testuser2
sn: testuser2
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1011
uid: testuser2

# stephen, People, springframework.com
dn: cn=stephen,ou=People,dc=springframework,dc=com
cn: stephen
givenName: stephen
gidNumber: 503
homeDirectory: /home/users/sfinn
sn: finn
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
uid: sfinn

# maria, People, springframework.com
dn: cn=maria,ou=People,dc=springframework,dc=com
cn: maria
givenName: maria
gidNumber: 502
homeDirectory: /home/users/mbeltress
sn: beltress
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1003
uid: mbeltress

# todd, People, springframework.com
dn: cn=todd,ou=People,dc=springframework,dc=com
cn: todd
givenName: todd
gidNumber: 502
homeDirectory: /home/users/tbutt
sn: butt
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e01ENX0xSnV5Z1lyakpWQm5GNk9hUUM3bWNRPT0=
uidNumber: 1004
uid: tbutt

# mani, People, springframework.com
dn: cn=mani,ou=People,dc=springframework,dc=com
cn: mani
givenName: mani
gidNumber: 503
homeDirectory: /home/users/mkanags
sn: kanags
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: mkanags

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
mani-ldap-nms:~$

  3. This is my LDAP directory structure:
       ou=Groups
             cn=OpenNMS-Admins
             cn=OpenNMS-Users

       ou=People
             (I created all the users under this ou and assigned some to OpenNMS-Admins and some to OpenNMS-Users)

  4. Below is my ldap.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <beans:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <beans:constructor-arg ref="contextSource"/>
    <beans:property name="ignorePartialResultException" value="true"/>
  </beans:bean>
  <beans:bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <beans:property name="urls">
      <beans:list>
        <!-- List one or more of your enterprise's LDAP servers here -->
        <beans:value>ldap://10.99.99.19:389/</beans:value>
      </beans:list>
    </beans:property>
    <!-- An optional base DN. Every user and group below is relative to this. -->
    <beans:property name="base" value="dc=springframework,dc=com" />
    <beans:property name="authenticationSource" ref="authenticationSource" />
  </beans:bean>
  <beans:bean id="authenticationSource" class="org.springframework.ldap.authentication.DefaultValuesAuthenticationSourceDecorator">
    <beans:property name="target" ref="springSecurityAuthenticationSource"/>
    <!-- Specify the DN of an unprivileged user for initial binding to the directory -->
    <beans:property name="defaultUser" value="cn=nms_bind_user,ou=People,dc=springframework,dc=com"/>
    <!-- Specify the unprivileged bind user's password here -->
    <beans:property name="defaultPassword" value="binduser123"/>
  </beans:bean>

  <beans:bean id="springSecurityAuthenticationSource" class="org.springframework.security.ldap.authentication.SpringSecurityAuthenticationSource">
  </beans:bean>

  <beans:bean id="externalAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg ref="ldapAuthenticator"/>
    <beans:constructor-arg ref="userGroupLdapAuthoritiesPopulator"/>
  </beans:bean>

  <beans:bean id="ldapAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <beans:constructor-arg ref="contextSource"/>
    <beans:property name="userSearch" ref="userSearch"></beans:property>
  </beans:bean>
  <!-- userSearch (alt.: userDnPatterns) -->

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=People" />

    <!-- More complex filters are possible depending on the layout of your directory -->
    <beans:constructor-arg index="1" value="(uid={0})" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

  <beans:bean id="userGroupLdapAuthoritiesPopulator" class="org.opennms.web.springframework.security.UserGroupLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="contextSource"/>
    <!-- Common LDAP container for the user and admin groups listed below -->
    <beans:constructor-arg value="ou=Groups" />
    <beans:property name="searchSubtree" value="true" />
    <beans:property name="convertToUpperCase" value="true" />
    <beans:property name="groupRoleAttribute" value="cn" />
    <beans:property name="groupSearchFilter" value="member={0}" />
    <beans:property name="groupToRoleMap">
      <beans:map>
        <beans:entry>
          <!-- Name of the LDAP group for normal (non-admin) OpenNMS users -->
          <beans:key><beans:value>OpenNMS-Users</beans:value></beans:key>
          <beans:list>
            <beans:value>ROLE_USER</beans:value>
            <!-- <beans:value>ROLE_DASHBOARD</beans:value> -->
          </beans:list>
        </beans:entry>
        <beans:entry>
          <!-- Name of the LDAP group for OpenNMS administrators -->
          <beans:key><beans:value>OpenNMS-Admins</beans:value></beans:key>
          <beans:list>
            <beans:value>ROLE_USER</beans:value>
            <beans:value>ROLE_ADMIN</beans:value>
          </beans:list>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>

</beans:beans>

Issues:

  1. If I log in as nms_bind_user, I am able to log in but I get the “Access Denied” message on the page.
    Below is the webauth.log for this attempt:
2020-01-26 21:41:59,047 WARN  [qtp1049293929-388] LoggerListener: Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1330bc54: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@1332571a: Dn: cn=nms_bind_user,ou=People,dc=springframework,dc=com; Username: nms_bind_user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 1qtw4cump5dhv7aa6rvqwltxm; Not granted any authorities; secure object: FilterInvocation: URL: /favicon.ico; configuration attributes: [ROLE_ANONYMOUS, ROLE_USER, ROLE_DASHBOARD]
  2. When I log in as any other user, I get " Your log-in attempt failed, please try again Reason: Bad credentials"

Below is the webauth.log for this:

2020-01-26 20:36:24,078 WARN  [qtp2066575976-1990] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:36:24,078 WARN  [qtp2066575976-1990] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:36:24,081 WARN  [qtp2066575976-1990] LoggerListener: Authentication event AuthenticationFailureBadCredentialsEvent: rtc; details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; exception: Bad credentials

2020-01-26 20:37:24,686 WARN  [qtp2066575976-2784] LoggerListener: Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa86552: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 18ute2ebztqc97q67aponvskr; Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /frontPage.htm; configuration attributes: [ROLE_USER, ROLE_DASHBOARD]

2020-01-26 20:37:37,160 WARN  [qtp2066575976-2890] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:37:37,160 WARN  [qtp2066575976-2890] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:37:37,164 WARN  [qtp2066575976-2890] LoggerListener: Authentication event AuthenticationFailureBadCredentialsEvent: mani; details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 18ute2ebztqc97q67aponvskr; exception: Bad credentials
2020-01-26 20:38:13,872 WARN  [qtp2066575976-2338] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:38:13,873 WARN  [qtp2066575976-2338] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:38:13,883 WARN  [qtp2066575976-2338] LoggerListener: Authentication event AuthenticationFailureBadCredentialsEvent: rtc; details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; exception: Bad credentials
2020-01-26 20:38:13,892 WARN  [qtp2066575976-2784] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:38:13,892 WARN  [qtp2066575976-2784] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:38:13,901 WARN  [qtp2066575976-2784] LoggerListener: Authentication event AuthenticationFailureBadCredentialsEvent: rtc; details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; exception: Bad credentials
2020-01-26 20:38:13,905 WARN  [qtp2066575976-1990] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:38:13,905 WARN  [qtp2066575976-1990] SpringSecurityAuthenticationSource: No Authentication object set in SecurityContext - returning empty String as Principal
2020-01-26 20:38:13,910 WARN  [qtp2066575976-1990] LoggerListener: Authentication event AuthenticationFailureBadCredentialsEvent: rtc; details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; exception: Bad credentials

Hope this will help you to figure out the issue.
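The ldapsearch output and ldap.xml above, together with the steps recommended earlier (verify the bind user, find the search that places users in the admin and user groups, then set the groupToRoleMap), can be checked offline. The following is an added example, not code from this thread or from OpenNMS: it parses the LDIF that ldapsearch prints, decodes base64 (`::`) values such as the `cn:: IHRlc3R1c2VyMQ==` line above, and emulates the group-to-role lookup the posted ldap.xml configures. The sample LDIF, its group entries and the DN normalization are constructed assumptions.

```python
# Added example (not from the thread or OpenNMS): parse ldapsearch LDIF and emulate
# offline what the posted ldap.xml makes UserGroupLdapAuthoritiesPopulator do.
import base64
# Constructed sample shaped like the thread's ldapsearch output; testuser1's cn is
# printed as base64 ("cn::") because it has a leading space, as "IHRlc3R1c2VyMQ==" does.
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=testadmin1,ou=People,dc=springframework,dc=com
cn: testadmin1

dn: cn=testuser1,ou=People,dc=springframework,dc=com
cn:: IHRlc3R1c2VyMQ==

dn: cn=OpenNMS-Admins,ou=Groups,dc=springframework,dc=com
cn: OpenNMS-Admins
member: cn=testadmin1,ou=People,dc=springframework,dc=com

dn: cn=OpenNMS-Users,ou=Groups,dc=springframework,dc=com
cn: OpenNMS-Users
member: CN=testuser1, ou=People, dc=springframework, dc=com
"""

# groupToRoleMap as in the posted ldap.xml (ROLE_DASHBOARD is commented out there).
GROUP_TO_ROLE_MAP = {"OpenNMS-Users": ["ROLE_USER"],
                     "OpenNMS-Admins": ["ROLE_USER", "ROLE_ADMIN"]}


def parse_ldif(text):
    """LDIF -> [(dn, {attr: [values]})]; handles comments, '::' base64 and folded lines."""
    records, dn, attrs = [], None, {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64 value (e.g. leading space)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):            # the single separator space
            value = value[1:]
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def normalize_dn(dn):
    """Approximate the server's DN match: case-insensitive, spaces around '=' and ',' ignored."""
    return ",".join(a.strip().lower() + "=" + v.strip().lower()
                    for a, _, v in (r.partition("=") for r in dn.split(",")))


def whitespace_anomalies(records):
    """Values with leading/trailing whitespace (why ldapsearch printed 'cn::' base64)."""
    return [(dn, n, v) for dn, attrs in records
            for n, vals in attrs.items() for v in vals if v != v.strip()]


def roles_for(user_dn, records, group_base="ou=Groups,dc=springframework,dc=com"):
    """Emulate groupSearchFilter member={0} under group_base (subtree), then map
    each hit's cn via GROUP_TO_ROLE_MAP; {} is the log's 'Not granted any authorities'."""
    wanted, base, roles = normalize_dn(user_dn), normalize_dn(group_base), set()
    for dn, attrs in records:
        if not normalize_dn(dn).endswith("," + base):
            continue
        if wanted in {normalize_dn(m) for m in attrs.get("member", [])}:
            for cn in attrs.get("cn", []):
                roles.update(GROUP_TO_ROLE_MAP.get(cn, []))
    return roles


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print({dn: sorted(roles_for(dn, recs)) for dn, _ in recs})
    print("values with stray whitespace:", whitespace_anomalies(recs))
```

Feeding the real `ldapsearch -x ... -b dc=springframework,dc=com` text to parse_ldif instead of the sample shows, per user DN, which roles the posted mapping would yield and which attribute values carry stray whitespace.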

Just checking - do you have OpenNMS users with the same username as your LDAP users?

You mean in the OpenNMS local database as local users? If that is your question: “No”.

I just created a user account with the same name as in my LDAP, but still no luck. LDAP credentials are not working. As I mentioned in my previous post, all the users are able to query the LDAP server with ldapsearch. What I understood from the logs is that users are trying to log in as the ANONYMOUS user.

Hi there,

It is authenticating but failing in the authorization part. After I logged in using LDAP credentials I am getting “Access Denied” on the page even for OpenNMS-Admin users.

Hi, some hints which might help; there are many paths the authentication/authorization might take, with sometimes “strange” behaviour if it’s not known how it works:

  • Do you use access lists in OpenNMS? Maybe the problem originates there.

  • Do you use upper/lower case in userids?
    If yes, did you check that upper/lower case is the same for local users and for LDAP users?

  • Do you have different passwords for local users and LDAP users?

  • Are local users assigned to the same groups as the LDAP users?

  • Are those groups defined in OpenNMS at all?

I didn’t check all of your provided config files, but in our configuration (using LDAP against AD):

  • the logon userid will first be checked against the local userid (with matching upper/lower case!)

  • if there is a corresponding local userid, the password will be checked against the local password

  • if the local password check fails, the userid/password will be checked against LDAP, which in our case ignores upper/lower case

  • if there is no corresponding local userid (with matching upper/lower case!), the userid/password will be checked directly against LDAP, which in our case ignores upper/lower case

  • if you use access lists, the users must match the definitions in the access lists in upper/lower case

Knowing this, it should be clear why it is important to check all the questions above. Depending on how your users are defined you might take a different path every time you test something, and you don’t know where or why it is failing.
