We used exec -c ldapimport.groovy to import our LDAP users, which seemed to work (they are listed below /external in the user tree).
But they cannot log in. They receive:
Error: Login attempt failed
We notice that in the apache-tomcat/logs/reportserver log file there is:
### PAM Configuration ###
Static PAM configuration: net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative
Finalized PAM configuration: class net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative
We checked
C:\infofabrik\reportserverenterprise-4.3.0.6079-1\apache-tomcat\webapps\reportserver\WEB-INF\classes
and we find our setting of:
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM:net.datenwerke.rs.authenticator.service.pam.EveryoneIsRootPAM
It seems our PAM setting is being ignored.
Why is the setting being ignored?
thanks
Hi ReportEnabler,
in your logs you have:
Static PAM configuration: net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative
while in your reportserver.properties you have:
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM:net.datenwerke.rs.authenticator.service.pam.EveryoneIsRootPAM
These entries do not match. I think you have a second reportserver.properties file with this different setting. Check especially in your external configuration directory for a second reportserver.properties file.
Regards,
Eduardo
Hi Eduardo
There was a second file here (we have now renamed it):
C:\infofabrik\reportserverenterprise-4.3.0.6079-1\apps\reportserver\reportserver-conf\reportserver.properties
Is this from an earlier install attempt?
After a Tomcat restart the logs\reportserver-date file contains:
### PAM Configuration ###
Static PAM configuration: net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM
Finalized PAM configuration: class net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM, class net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM
24-Nov-2022 17:34:03.568 INFO [Thread-13] net.datenwerke.rs.search.service.search.SearchServiceImpl.rebuildIndex Rebuilding search index...
24-Nov-2022 17:34:07.943 INFO [Thread-13] net.datenwerke.gf.service.lateinit.LateInitStartup$1.run Startup completed
24-Nov-2022 17:34:10.890 INFO [ajp-nio-127.0.0.1-8009-exec-2] net.datenwerke.rs.passwordpolicy.service.BsiPasswordPolicyServiceImpl.getPolicy Password policy not active: Could not find config for security/passwordpolicy.cf
However, LDAP users still cannot log in:
Error
Login attempt failed
We can't find any logged error explanations in the logs.
Update:
In the reportserver.properties file:
If rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM:net.datenwerke.rs.authenticator.service.pam.EveryoneIsRootPAM
Then anyone could access the server without requiring a login at all, but everyone gets full Admin rights (as is expected).
If rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM
Then LDAP users could not log in at all.
If rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM
Then LDAP users can log in and so can the admin user.
(in all of the above cases the permission existed for Report Server Access)
We can close the 'case' - thanks for your help.
Hi ReportEnabler,
yes, using rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM should work. If you need to allow local users as well, you can use the allowLocalUsers attribute: https://github.com/infofabrik/reportser … dap.cf#L57
Anyway, we raised ticket RS-6509 to check why this is not working with concatenated PAMS, as in
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM
Regards,
Eduardo
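The check described in this thread, as an added example that is not part of the original posts or of ReportServer's own tooling: it finds every reportserver.properties under an install root, compares each file's rs.authenticator.pams with the last "Static PAM configuration" line in the log, and flags any chain that lists EveryoneIsRootPAM. The directory tree and log excerpt in demo() are constructed from the paths and lines quoted above; the content of the external file is an assumption.

```python
import re
import tempfile
from pathlib import Path

PAM_KEY = "rs.authenticator.pams"
RISKY = "EveryoneIsRootPAM"  # per the thread: no login needed, everyone is admin

def pam_chain(path):
    """PAM class list from one properties file ('key = value' form only), else None."""
    for raw in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == PAM_KEY:  # commented-out lines never match the key
            return [c.strip() for c in value.split(":") if c.strip()]
    return None

def logged_chain(log_text):
    """Chain from the last 'Static PAM configuration:' line in the server log."""
    hits = re.findall(r"Static PAM configuration:\s*(\S+)", log_text)
    return hits[-1].split(":") if hits else None

def audit(root, log_text):
    """Map each reportserver.properties under root to its chain and list findings."""
    chains = {p.relative_to(root).as_posix(): pam_chain(p)
              for p in Path(root).rglob("reportserver.properties")}
    active, findings = logged_chain(log_text), []
    if len(chains) > 1:
        findings.append(f"DUPLICATE: {len(chains)} reportserver.properties files found")
    for rel, chain in sorted(chains.items()):
        if chain is not None and chain == active:
            findings.append(f"ACTIVE: {rel} matches the chain in the log")
        if chain and any(c.endswith(RISKY) for c in chain):
            findings.append(f"RISK: {rel} lists {RISKY}")
    return chains, findings

def demo():
    """Constructed tree and log line modelled on the paths and lines in the thread."""
    classes = "apache-tomcat/webapps/reportserver/WEB-INF/classes"
    external = "apps/reportserver/reportserver-conf"
    pam = "net.datenwerke.rs.authenticator.service.pam."
    ldap = "net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM"
    with tempfile.TemporaryDirectory() as root:
        for d, value in ((classes, f"{ldap}:{pam}UserPasswordPAM:{pam}EveryoneIsRootPAM"),
                         (external, f"{pam}UserPasswordPAMAuthoritative")):
            Path(root, d).mkdir(parents=True)
            Path(root, d, "reportserver.properties").write_text(f"{PAM_KEY} = {value}\n")
        return audit(root, f"Static PAM configuration: {pam}UserPasswordPAMAuthoritative\n")

if __name__ == "__main__":
    print("\n".join(demo()[1]))
```

On a real install, call audit() with the install root and the text of the current reportserver log; an ACTIVE line on a file other than the one being edited explains a setting that appears to be ignored.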