GeoServer LDAP Authentication ‘Test Connection’ succeeds, but login fails

geoserver

I am attempting to use Active Directory for GeoServer authentication. When I click the 'Test Connection' button on the Admin > Authentication > Providers > LDAP settings page, it says "Connection Successful." However, when I log out of GeoServer and try to log in with the same credentials, I get an "invalid username/password combination" error.

My LDAP settings are as follows, where ADserver=my Active Directory server, and domain=my company domain:

Server URL: ldap://ADserver/dc=domain,dc=com
TLS: [Not checked]
User lookup pattern: [empty]
Filter used to lookup user: (userPrincipalName={0})
Format used for user login name: {0}@domain.com
Use LDAP groups for authorization: [Not checked]
User Group Service: default

And I have selected this Authentication Provider in my Provider Chain.

Why does the Test Connection succeed, but actually logging in fails?

Best Answer

I got a solution working on GeoServer 2.7.2 that was very similar to @xcer's; however, I didn't need to add an extra Group, as adding the users to the default User Group Service seemed to be enough for me.

In short:

  1. I added an LDAP authentication provider (much the same as in the question above) with User Group Service pointing to `default`. Connection tested OK.
  2. Under menu section 'Users, Groups, Roles' I opened tab 'Users/Groups' and proceeded to add each user manually with a random password and ADMIN role.
  3. In the Provider Chain, I also had default listed first, and my ad-ldap authentication provider listed second.

I found that this:

  1. Enabled me to log in using either password (i.e. the one via Active Directory / LDAP, as well as the manual password I provided for each user).
  2. Once I logged in (using either password), the permissions that got applied were the ones in the default User Group Provider that can be added and modified manually via the interface.

Not sure if this was the intended way to get it working - it would have been a better solution overall if I could just apply permissions via LDAP groups. But after battling with GeoServer for 3 hours solid, that was the best that I could manage.
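The following is an added toy model of the behaviour this thread describes; it is not GeoServer's own code and does not reproduce GeoServer's exact error message. It separates what the 'Test Connection' button proves (one LDAP lookup plus bind, using the question's `{0}@domain.com` format and `(userPrincipalName={0})` filter) from what a real login does (walk the provider chain in order, then take roles from the User Group Service), and replays the answer's fix of adding the user by hand to `default`. The directory contents, user names and passwords are constructed sample data.

```python
"""Toy model of the login flow discussed in this thread (constructed example,
not GeoServer's own code).

  * check_connection() models the 'Test Connection' button: lookup + bind only.
  * login() models a real login: providers are tried in chain order, and the
    roles applied afterwards come from the User Group Service (UGS), so a login
    that binds fine against AD but is unknown to the UGS gets no roles.
    (Assumption of this model, not a description of GeoServer internals.)
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the Active Directory the question binds to.
FAKE_DIRECTORY = [
    {"userPrincipalName": "alice@domain.com", "password": "ad-secret-1"},
    {"userPrincipalName": "bob@domain.com", "password": "ad-secret-2"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(filter_str: str) -> list:
    """Evaluate a single '(attr=value)' equality filter against FAKE_DIRECTORY."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        return []
    attr, value = m.group(1), unescape_filter_value(m.group(2))
    return [e for e in FAKE_DIRECTORY if e.get(attr) == value]


@dataclass
class LdapProvider:
    """Mirrors the question's settings: login-name format and lookup filter."""
    user_format: str = "{0}@domain.com"
    user_filter: str = "(userPrincipalName={0})"

    def build_filter(self, login: str) -> str:
        # The raw login is what the user typed, so escape it before it is
        # formatted into the principal name and then into the filter string.
        upn = self.user_format.format(escape_filter_value(login))
        return self.user_filter.format(upn)

    def authenticate(self, login: str, password: str) -> bool:
        matches = search(self.build_filter(login))
        # Bind only if the lookup found exactly one entry and the password matches.
        return len(matches) == 1 and matches[0]["password"] == password


@dataclass
class UserGroupService:
    """The 'default' User Group Service: users added by hand, each with roles."""
    users: dict = field(default_factory=dict)  # login -> (password, roles)

    def add_user(self, login: str, password: str, roles) -> None:
        self.users[login] = (password, set(roles))

    def authenticate(self, login: str, password: str) -> bool:
        entry = self.users.get(login)
        return entry is not None and entry[0] == password

    def roles_for(self, login: str) -> set:
        entry = self.users.get(login)
        return set(entry[1]) if entry else set()


def check_connection(provider: LdapProvider, login: str, password: str) -> bool:
    """What 'Test Connection' proves: lookup + bind succeed for one login."""
    return provider.authenticate(login, password)


def login(chain: list, ugs: UserGroupService, login_name: str, password: str) -> dict:
    """Walk the provider chain in order; roles are taken from the UGS afterwards."""
    for provider in chain:
        if provider.authenticate(login_name, password):
            return {"authenticated": True, "roles": ugs.roles_for(login_name)}
    return {"authenticated": False, "roles": set()}


def demo() -> dict:
    ldap = LdapProvider()
    ugs = UserGroupService()
    chain = [ugs, ldap]  # as in the answer: 'default' first, ad-ldap second
    result = {"test_connection": check_connection(ldap, "alice", "ad-secret-1")}
    result["before_fix"] = login(chain, ugs, "alice", "ad-secret-1")
    # The answer's fix: add the user by hand with a random password and ADMIN.
    ugs.add_user("alice", "random-manual-pw", ["ADMIN"])
    result["after_fix_ldap_pw"] = login(chain, ugs, "alice", "ad-secret-1")
    result["after_fix_manual_pw"] = login(chain, ugs, "alice", "random-manual-pw")
    result["after_fix_wrong_pw"] = login(chain, ugs, "alice", "nope")
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the two halves of the thread side by side: the connection test passes before any fix, the pre-fix login binds but carries no roles, and after the user is added to `default` either password yields the ADMIN role while a wrong one is still refused.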
