#1 2022-11-24 00:54:49

ReportEnabler
Member
Registered: 2022-11-15

ldap users cannot authenticate

We used exec -c ldapimport.groovy to import our ldap users. Which seemed to work (they are listed below /external in the user tree)

But the cannot login. They receive
Error: Login attempt failed

We notice that in the apache-tomcat/logs/reportserver log file there is:

### PAM Configuration ###
Static PAM configuration: net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative
Finalized PAM configuration: class net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative

We checked
C:\infofabrik\reportserverenterprise-4.3.0.6079-1\apache-tomcat\webapps\reportserver\WEB-INF\classes

and we find our setting of:
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM:net.datenwerke.rs.authenticator.service.pam.EveryoneIsRootPAM


It seems our PAM setting is being ignored.
Why is the setting being ignored?

thanks

Offline

#2 2022-11-24 10:49:49

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldap users cannot authenticate

Hi ReportEnabler,

in your logs you have:
Static PAM configuration: net.datenwerke.rs.authenticator.service.pam.UserPasswordPAMAuthoritative

while in your reportserver.properties you have:
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM:net.datenwerke.rs.authenticator.service.pam.EveryoneIsRootPAM

these entries do not match. I think you have a second reportserver.properties file with this different setting. Check especially in your external configuration directory for a second reportserver.properties file

Regards,
Eduardo

Online

#3 2022-11-24 18:10:10

ReportEnabler
Member
Registered: 2022-11-15

Re: ldap users cannot authenticate

Hi Eduardo

There was a second file here (we have now renamed it):
C:\infofabrik\reportserverenterprise-4.3.0.6079-1\apps\reportserver\reportserver-conf\reportserver.properties
Is this from an earlier install attempt?

After a Tomcat restart the logs\reportserver-date file contains:

### PAM Configuration ###
Static PAM configuration: net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM
Finalized PAM configuration: class net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM, class net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM


24-Nov-2022 17:34:03.568 INFO [Thread-13] net.datenwerke.rs.search.service.search.SearchServiceImpl.rebuildIndex Rebuilding search index...
24-Nov-2022 17:34:07.943 INFO [Thread-13] net.datenwerke.gf.service.lateinit.LateInitStartup$1.run Startup completed
24-Nov-2022 17:34:10.890 INFO [ajp-nio-127.0.0.1-8009-exec-2] net.datenwerke.rs.passwordpolicy.service.BsiPasswordPolicyServiceImpl.getPolicy Password policy not active: Could not find config for security/passwordpolicy.cf


However ldap users still cannot login:
Error
Login attempt failed

We can't find any logged error explanations in the logs.

Offline

#4 2022-11-24 21:59:13

ReportEnabler
Member
Registered: 2022-11-15

Re: ldap users cannot authenticate

Update:
In the reportserver.properties file:

If rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM:net.datenwerke.rs.authenticator.service.pam.EveryoneIsRootPAM

Then anyone could access the server without requiring a login at all, but everyone gets full Admin rights (as is expected).

If rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM

Then ldap users could not login at all.

If rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM

Then ldap users can login and so can the admin user.

(in all of the above cases the permission existed for Report Server Access)

We can close the 'case' - thanks for your help.

Offline

#5 2022-11-25 15:23:05

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldap users cannot authenticate

Hi ReportEnabler,

yes, using rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM should work. If you need to allow local users as well, you can use the allowLocalUsers attribute: https://github.com/infofabrik/reportser … dap.cf#L57

Anyway, we raised ticket RS-6509 to check why this is not working with concatenated PAMS, as in
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM:net.datenwerke.rs.authenticator.service.pam.UserPasswordPAM

Regards,
Eduardo

Online

Board footer

Powered by FluxBB