LDAP Users Have Been Successfully Authenticated but No ROLES Have Been Assigned

Problem

After configuring LDAP authentication according to Manta Flow Server Authentication and Authorization and restarting Manta Server, a login attempt with LDAP credentials (e.g., demouser4) yields the error message 403 “You do not have enough rights for this page.”

LDAP Configuration

[Screenshots of the LDAP configuration in Manta Admin UI]

Login Error

[Screenshot of the 403 login error]

Also note that <MANTA_SERVER_HOME>/logs/manta-dataflow.log shows that the user demouser4 has been successfully authenticated but no ROLES have been assigned to the user.

Request from host '0:0:0:0:0:0:0:1' (direct origin http://"server_name":8080) to authenticate user with username 'demouser4' using LDAP authentication method received.
2021-10-06 11:32:14.474 [http-nio-8080-exec-1] INFO eu.profinit.manta.platform.web.core.security.AuthenticationManagerDecorator [Context: guest - 2021-10-06T11:31:17.550-0400] User with username 'demouser4' was successfully authenticated using LDAP authentication method. The following application roles were assigned to the user: [].

Root Cause

This happens when the user entry referenced by the group that the group search base and group search filter (from the LDAP configuration in Manta Admin UI) resolve to is not given as a fully qualified, unique DN.

In this case, the group demogroup4 has memberUid=demo4user, so the member entry for demouser4 is not given as a fully qualified DN.


Resolution

When configuring the group search filter, ensure that the entities representing users in that group are fully qualified with a full DN instead of just the cn entry.

For example, the user demouser3 is defined in the memberUid attribute of membergroup3 with a fully qualified DN:

memberUid: uid=demouser3,ou=Users,ou=getmanta,dc=maxcrc,dc=com


When the user demouser3 logs in to Manta dataflow viewer, the user is not only authenticated but also authorized and the appropriate ROLES are assigned to the user.


Also note that <MANTA_SERVER_HOME>/logs/manta-dataflow.log now shows the user demouser3 as successfully authenticated and the appropriate ROLES have been assigned.

Request from host '0:0:0:0:0:0:0:1' (direct origin http://localhost:8080) to authenticate user with username 'demouser3' using LDAP authentication method received.
2021-10-06 11:53:59.829 [http-nio-8080-exec-9] INFO eu.profinit.manta.platform.web.core.security.AuthenticationManagerDecorator [Context: guest - 2021-10-06T11:31:17.550-0400] User with username 'demouser3' was successfully authenticated using LDAP authentication method. The following application roles were assigned to the user: [ROLE_USER, ROLE_VIEWER_CATALOG, ROLE_VIEWER_DATAFLOW].

Conclusion

When using LDAP, a group can be created in one of two ways: as a Group or as a Group of Unique Names.


It is recommended that groups be created as Group of Unique Names, because this entry type registers each member under the uniqueMember attribute as a full DN, whereas Group only has the memberUid attribute, whose value is not necessarily unique.

Group of unique names:

[Screenshot of a Group of Unique Names entry with the uniqueMember attribute]

Group:

[Screenshot of a Group entry with the memberUid attribute]

If Group has to be used to configure LDAP in Manta Admin UI, then the memberUid attribute has to be edited manually so that it holds the user's fully qualified DN.
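As an added example (not Manta's own code), the following Python script checks an LDIF export of the group entries for member values that are not fully qualified DNs, which is exactly the condition that leaves an authenticated user without application roles. The sample entries, the posixGroup and groupOfUniqueNames object classes, and the group names are constructed assumptions modelled on this article.

```python
# Added example (not Manta's own code): flag group member values in an LDIF
# export that are not fully qualified DNs, so the misconfiguration can be
# caught before users log in and hit the 403 page.
import re

# Constructed sample LDIF modelled on the article: demogroup4 holds a bare
# memberUid, membergroup3 a full DN, and a groupOfUniqueNames uses uniqueMember.
SAMPLE_LDIF = """\
dn: cn=demogroup4,ou=Groups,ou=getmanta,dc=maxcrc,dc=com
objectClass: posixGroup
cn: demogroup4
memberUid: demo4user

dn: cn=membergroup3,ou=Groups,ou=getmanta,dc=maxcrc,dc=com
objectClass: posixGroup
cn: membergroup3
memberUid: uid=demouser3,ou=Users,ou=getmanta,dc=maxcrc,dc=com

dn: cn=uniquegroup,ou=Groups,ou=getmanta,dc=maxcrc,dc=com
objectClass: groupOfUniqueNames
cn: uniquegroup
uniqueMember: uid=demouser5,ou=Users,ou=getmanta,dc=maxcrc,dc=com
"""

MEMBER_ATTRS = ("memberUid", "uniqueMember", "member")
# A DN is a comma-separated list of attr=value pairs (RFC 4514 surface form);
# escaped commas inside values are not handled by this simple check.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)+$")


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) for each entry in the LDIF."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def find_unqualified_members(text):
    """Return (group_dn, attr, value) for every member that is not a full DN."""
    problems = []
    for dn, attrs in parse_ldif(text):
        for attr in MEMBER_ATTRS:
            for value in attrs.get(attr, []):
                if not DN_RE.match(value):
                    problems.append((dn, attr, value))
    return problems
```

Running find_unqualified_members on an ldapsearch LDIF export of the group subtree lists exactly the entries that need their memberUid value replaced with the user's full DN.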