Problem With FreeIPA LDAP Authentication

troubleshooting
authentication

#1

Hi All

We have deployed the FreeIPA server in a cluster, and all authentication is slowly being migrated to a more centralized solution.

Since OpenNMS is the central performance monitoring tool, a more centralized authentication scheme would be desired.

We have tried to integrate the LDAP interface of OpenNMS, but unfortunately it fails.

The steps taken were:

  1. Removed the comment for using “externalAuthenticationProvider”

```xml
<!-- use our custom authentication provider; to use RADIUS instead, change this to "radiusAuthenticationProvider" and uncomment below -->
  <authentication-manager alias="authenticationManager">
    <!-- If a user is pre-authenticated, make sure their user details are populated correctly. -->
    <authentication-provider ref="preauthAuthProvider" />
    <!-- Use our custom authentication provider -->
    <authentication-provider ref="hybridAuthenticationProvider" />
    <!-- To enable external (e.g. LDAP, RADIUS) authentication, uncomment the following.
         You must also rename and customize exactly ONE of the example files in the
         spring-security.d subdirectory. -->
    <!-- <authentication-provider ref="externalAuthenticationProvider" /> -->
  </authentication-manager>
```

Changed to

```xml
  <!-- use our custom authentication provider; to use RADIUS instead, change this to "radiusAuthenticationProvider" and uncomment below -->
  <authentication-manager alias="authenticationManager">
    <!-- If a user is pre-authenticated, make sure their user details are populated correctly. -->
    <authentication-provider ref="preauthAuthProvider" />
    <!-- Use our custom authentication provider -->
    <authentication-provider ref="hybridAuthenticationProvider" />
    <!-- To enable external (e.g. LDAP, RADIUS) authentication, uncomment the following.
         You must also rename and customize exactly ONE of the example files in the
         spring-security.d subdirectory. -->
    <authentication-provider ref="externalAuthenticationProvider" />
  </authentication-manager>
```
  2. Created an ldap.xml file, with the following:

```xml
<!-- Every element in this file is a plain <bean>, so the beans schema must be the
     default namespace. With the security schema as default (the header used by
     applicationContext-spring-security.xml), <bean> does not resolve and the file fails to load. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.1.xsd">
   <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
      <constructor-arg ref="contextSource" />
      <property name="ignorePartialResultException" value="true" />
   </bean>
   <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
      <property name="urls">
         <list>
            <!-- List one or more of your enterprise's LDAP servers here -->
            <value>ldap://ipa1.example.com:389/</value>
            <value>ldap://ipa2.example.com:389/</value>
         </list>
      </property>
      <!-- An optional base DN. Every user and group below is relative to this. -->
      <property name="base" value="dc=seceng,dc=pccwglobal,dc=com" />
      <property name="authenticationSource" ref="authenticationSource" />
   </bean>
   <bean id="authenticationSource" class="org.springframework.ldap.authentication.DefaultValuesAuthenticationSourceDecorator">
      <property name="target" ref="springSecurityAuthenticationSource" />
      <!-- Specify the DN of an unprivileged user for initial binding to the directory
           (FreeIPA user accounts live under uid=<name>,cn=users,cn=accounts,<base>) -->
      <property name="defaultUser" value="CN=OPENNMSBINDUSERNAME" />
      <!-- Specify the unprivileged bind user's password here -->
      <property name="defaultPassword" value="BIND_PASSWORD" />
   </bean>
   <bean id="springSecurityAuthenticationSource" class="org.springframework.security.ldap.authentication.SpringSecurityAuthenticationSource" />
   <bean id="externalAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
      <constructor-arg ref="ldapAuthenticator" />
      <constructor-arg ref="userGroupLdapAuthoritiesPopulator" />
   </bean>
   <bean id="ldapAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="contextSource" />
      <property name="userSearch" ref="userSearch" />
   </bean>
   <!-- userSearch (alt.: userDnPatterns) -->
   <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
      <constructor-arg index="0" value="cn=users,cn=accounts" />
      <!-- More complex filters are possible depending on the layout of your directory -->
      <constructor-arg index="1" value="(uid={0})" />
      <constructor-arg index="2" ref="contextSource" />
      <property name="searchSubtree" value="true" />
   </bean>
   <bean id="userGroupLdapAuthoritiesPopulator" class="org.opennms.web.springframework.security.UserGroupLdapAuthoritiesPopulator">
      <constructor-arg ref="contextSource" />
      <!-- Common LDAP container for the user and admin groups listed below -->
      <constructor-arg value="cn=groups,cn=accounts" />
      <property name="searchSubtree" value="true" />
      <property name="convertToUpperCase" value="true" />
      <property name="groupRoleAttribute" value="cn" />
      <!-- {0} is substituted with the full DN of the authenticated user -->
      <property name="groupSearchFilter" value="member={0}" />
      <property name="groupToRoleMap">
         <map>
            <!-- If the key is an empty string, the roles are applied to all users -->
            <!--
            <entry>
               <key><value></value></key>
               <list>
                  <value>ROLE_USER</value>
               </list>
            </entry>
            -->
            <entry>
               <!-- Name of the LDAP group for normal (non-admin) OpenNMS users -->
               <key>
                  <value>opennms_users</value>
               </key>
               <list>
                  <value>ROLE_USER</value>
                  <!-- <value>ROLE_DASHBOARD</value> -->
               </list>
            </entry>
            <entry>
               <!-- Name of the LDAP group for OpenNMS administrators -->
               <key>
                  <value>opennms_admins</value>
               </key>
               <list>
                  <value>ROLE_USER</value>
                  <value>ROLE_ADMIN</value>
               </list>
            </entry>
         </map>
      </property>
   </bean>

</beans>
```

Any ideas why this is breaking?

Appreciate the help.
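To see what the ldap.xml above actually asks the FreeIPA directory to do, here is an added Python model (not OpenNMS or Spring code) of the three operations Spring Security performs with those values: the user search for `(uid={0})` under `cn=users,cn=accounts`, the bind as the DN found, and the group search with `member={0}` where `{0}` is the user's full DN. It runs against a constructed in-memory directory; the user names, passwords and group memberships are made up, and one membership is deliberately recorded with a DN that lacks the base to show why that user gets no roles.

```python
BASE = "dc=seceng,dc=pccwglobal,dc=com"      # contextSource "base" in the posted ldap.xml
USER_SEARCH_BASE = "cn=users,cn=accounts"    # FilterBasedLdapUserSearch arg 0, relative to BASE
GROUP_SEARCH_BASE = "cn=groups,cn=accounts"  # UserGroupLdapAuthoritiesPopulator arg 1
GROUP_TO_ROLE = {"opennms_users": ["ROLE_USER"],          # groupToRoleMap from the post
                 "opennms_admins": ["ROLE_USER", "ROLE_ADMIN"]}
# Constructed sample directory (fake data) shaped like a FreeIPA tree: users under
# cn=users,cn=accounts, groups under cn=groups,cn=accounts, membership in 'member'.
ALICE = f"uid=alice,{USER_SEARCH_BASE},{BASE}"
BOB = f"uid=bob,{USER_SEARCH_BASE},{BASE}"
CAROL = f"uid=carol,{USER_SEARCH_BASE},{BASE}"
DIRECTORY = {
    ALICE: {"uid": "alice", "userPassword": "alice-pw"},
    BOB: {"uid": "bob", "userPassword": "bob-pw"},
    CAROL: {"uid": "carol", "userPassword": "carol-pw"},
    f"cn=opennms_users,{GROUP_SEARCH_BASE},{BASE}": {
        "cn": "opennms_users",
        # carol is listed by a DN that lacks the base: the mistake this example
        # exposes, because member={0} receives the user's FULL DN
        "member": [ALICE, BOB, f"uid=carol,{USER_SEARCH_BASE}"]},
    f"cn=opennms_admins,{GROUP_SEARCH_BASE},{BASE}": {
        "cn": "opennms_admins", "member": [ALICE]},
}

def find_user_dn(uid):
    # Step 1 (userSearch): subtree search for (uid={0}) under USER_SEARCH_BASE + BASE
    search_base = f"{USER_SEARCH_BASE},{BASE}"
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + search_base) and attrs.get("uid") == uid:
            return dn
    return None

def bind(dn, password):
    # Step 2 (BindAuthenticator): bind as the found DN with the submitted password
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def roles_for(user_dn):
    # Step 3 (authorities populator): search GROUP_SEARCH_BASE + BASE with
    # groupSearchFilter member={0}, {0} = full user DN, then map cn -> roles
    search_base = f"{GROUP_SEARCH_BASE},{BASE}"
    roles = set()
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + search_base) and user_dn in attrs.get("member", []):
            roles.update(GROUP_TO_ROLE.get(attrs["cn"], []))
    return sorted(roles)

def authenticate(uid, password):
    # None = authentication failed; [] = authenticated but in no mapped group
    dn = find_user_dn(uid)
    if dn is None or not bind(dn, password):
        return None
    return roles_for(dn)
```

The same three lookups can be reproduced against the real servers with ldapsearch using the bind account, which separates a directory-side problem (wrong base, missing group, member DNs not matching) from an OpenNMS-side one.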


#2

Does your article How to use FreeIPA 4.X as a back-end authentication server to OpenNMS solve this problem?


#3

Yeap. I updated it with the latest running configuration and guidelines.