Hi GeoServer Users,

We recently upgraded to a new version of GeoServer, 2.16.2 from 2.12.2 (I know we are a little behind the curve). We have GeoServer configured to use our internal LDAP for user login, and assign users GeoServer ADMIN privileges based on their LDAP groups, which is configured under the Security -> Authentication -> LDAP Authentication Provider section of the GeoServer console. The LDAP group lookup performed by GeoServer stopped working when we upgraded; the LDAP authentication still works as it did before the upgrade.

I did some additional testing and found that this issue started in version 2.15.3. I read the release notes for 2.15.3 and didn't see anything that would explain why the lookup and handling of LDAP roles would be any different between 2.15.2 and 2.15.3. The LDAP Authentication setup page in GeoServer does have a new "Enable Hierarchical groups search" option in version 2.15.3, which we did not enable. I didn't notice anything in the GeoServer documentation for 2.15.3 that would require us to change our LDAP configuration parameters. I installed GeoServer version 2.18.* and it behaved the same: no LDAP groups were returned for any of our LDAP accounts.

The GeoServer DEBUG logging details for the same LDAP user login appear to be the same between the 2.15.2 and 2.15.3 versions; the only noticeable difference is that "[ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []" is empty with any version after 2.15.2. Here are some logging details:

LDAP authentication logging with 2.15.2:

2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] - Processing authentication request for user: tuser1
2021-04-27 17:05:25,780 DEBUG [ldap.GeoserverLdapBindAuthenticator] - Retrieving user object using filter...
2021-04-27 17:05:25,862 INFO [ldap.SpringSecurityLdapTemplate] - Ignoring PartialResultException
2021-04-27 17:05:25,863 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Getting authorities for user CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Searching for roles for user 'tuser1', DN = 'CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter member={0} in search base 'ou=groups,ou=udev'
2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev, UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
2021-04-27 17:05:25,913 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4cc36d05: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2: Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username: tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@ef30: RemoteIpAddress: 10.0.0.1; SessionId: 2C4C913D1A84AF86CE2009430A500B59; Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR, ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV

LDAP authentication logging with 2.15.3:

2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] - Processing authentication request for user: tuser1
2021-04-28 11:53:59,208 DEBUG [ldap.GeoserverLdapBindAuthenticator] - Retrieving user object using filter...
2021-04-28 11:53:59,249 INFO [ldap.SpringSecurityLdapTemplate] - Ignoring PartialResultException
2021-04-28 11:53:59,250 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Getting authorities for user CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Searching for roles for user 'tuser1', DN = 'CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter member={0} in search base 'ou=groups,ou=udev'
2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []
2021-04-28 11:53:59,288 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c764efec: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2: Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username: tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@3bcc: RemoteIpAddress: 10.0.0.1; SessionId: 7946087888C889D6616C47047EA8DC2E; Granted Authorities: ROLE_AUTHENTICATED

Here is the data\security\auth\udev\config.xml that contains the details of our LDAP Authentication configuration for 2.16.2:

<ldap>
  <id>-178dde25:179184fe481:-7fff</id>
  <name>udev</name>
  <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
  <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
  <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
  <groupSearchFilter>member={0}</groupSearchFilter>
  <userFilter>(sAMAccountName={1})</userFilter>
  <useTLS>false</useTLS>
  <useNestedParentGroups>false</useNestedParentGroups>
  <maxGroupSearchLevel>10</maxGroupSearchLevel>
  <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
  <userFormat>{0}@udev.com</userFormat>
</ldap>

Let me know if there is any additional information needed to help understand the problem. Thanks for any help!

Brandon

_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
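A reproduction aid for the group lookup described in the post, added here as an example; it is not part of Brandon's message and not GeoServer's own code. It reads the posted <ldap> config block, rebuilds the group search GeoServer logs ("with filter member={0} in search base 'ou=groups,ou=udev'") as a concrete base DN and RFC 4515-escaped filter, prints an equivalent ldapsearch command so the same query can be run against the directory without GeoServer, and checks the posted DEBUG lines for whether the configured adminGroup came back. The helper names are hypothetical, and two assumptions are labelled in the code: that groupSearchBase is resolved relative to the base DN in serverURL, and that {0} and {1} in groupSearchFilter stand for the user DN and username as in Spring Security's DefaultLdapAuthoritiesPopulator.

```python
"""Rebuild GeoServer's LDAP group lookup from config.xml and check the logs.

Added example, not GeoServer's code. Assumptions (not stated in the post):
  - groupSearchBase is appended to the base DN given in serverURL;
  - {0} in groupSearchFilter is the user DN, {1} the username
    (Spring Security DefaultLdapAuthoritiesPopulator convention);
  - bindBeforeGroupSearch=true means the search runs under the user's bind.
"""
import re
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

# Constructed copy of the relevant elements of the posted config.xml.
CONFIG_XML = """<ldap>
  <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
  <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
  <groupSearchFilter>member={0}</groupSearchFilter>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <userFormat>{0}@udev.com</userFormat>
</ldap>"""

# Constructed log fragments, shortened from the two posted logins.
LOG_2_15_2 = ("2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - "
              "Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev, "
              "UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]")
LOG_2_15_3 = ("2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - "
              "Roles from search: []")

# RFC 4515: characters that must be escaped when a value is placed in a filter.
# Without this a DN containing ( ) * or \ would alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_config(xml_text):
    """Return the child elements of <ldap> as a tag -> text dict."""
    return {child.tag: (child.text or "").strip() for child in ET.fromstring(xml_text)}

def build_group_search(cfg, user_dn, username):
    """Resolve base DN and filter the way the logged search describes them."""
    url = urlparse(cfg["serverURL"])
    base_dn = unquote(url.path.lstrip("/"))          # dc=udev,dc=com
    search_base = cfg["groupSearchBase"]
    if base_dn:                                       # assumption: relative base
        search_base = f"{search_base},{base_dn}" if search_base else base_dn
    filt = (cfg["groupSearchFilter"]
            .replace("{0}", escape_filter_value(user_dn))
            .replace("{1}", escape_filter_value(username)))
    if not filt.startswith("("):
        filt = f"({filt})"
    return {"url": f"{url.scheme}://{url.netloc}", "base": search_base,
            "filter": filt,
            "bind_dn": cfg.get("userFormat", "{0}").replace("{0}", username)}

def ldapsearch_command(search, attrs=("cn",)):
    """Equivalent OpenLDAP ldapsearch invocation (simple bind, password prompted)."""
    argv = ["ldapsearch", "-LLL", "-x", "-H", search["url"], "-D", search["bind_dn"],
            "-W", "-b", search["base"], search["filter"], *attrs]
    return shlex.join(argv)

_ROLES_RE = re.compile(r"\[ldap\.BindingLdapAuthoritiesPopulator\] - Roles from search: \[(.*?)\]")

def roles_from_log(log_text):
    """Extract the role list GeoServer logged, [] when empty, None if absent."""
    m = _ROLES_RE.search(log_text)
    if m is None:
        return None
    body = m.group(1).strip()
    return [r.strip() for r in body.split(",")] if body else []

def admin_check(cfg, log_text):
    """Did the logged login receive the group that maps to ADMINISTRATOR?"""
    roles = roles_from_log(log_text) or []
    return {"roles": roles, "is_admin": cfg["adminGroup"] in roles}

if __name__ == "__main__":
    cfg = parse_config(CONFIG_XML)
    search = build_group_search(
        cfg, "CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com", "tuser1")
    print(ldapsearch_command(search))
    for label, log in (("2.15.2", LOG_2_15_2), ("2.15.3", LOG_2_15_3)):
        print(label, admin_check(cfg, log))
```

Running the printed ldapsearch command as tuser1 answers the question the post leaves open: if the directory returns the groups for that exact base and filter, the regression is on the GeoServer side; if it returns nothing, the search base or filter as resolved above is what needs attention.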