Hi GeoServer Users,

We recently upgraded to a new version of GeoServer, 2.16.2 from 2.12.2
(I know we are a little behind the curve).  We have GeoServer
configured to use our internal LDAP for user login, and assign users
GeoServer ADMIN privileges based on their LDAP groups, which is
configured under Security -> Authentication -> LDAP Authentication
Provider section of the GeoServer console.  The LDAP group lookup
performed by GeoServer stopped working when we upgraded; the LDAP
authentication still works as it did before the upgrade.

I did some additional testing and found that this issue started in
version 2.15.3.  I read the release notes for 2.15.3 and didn't see
anything that would explain why the lookup and handling of LDAP roles
would be any different between 2.15.2 and 2.15.3.  The LDAP
Authentication setup page in GeoServer does have a new "Enable
Hierarchical groups search" option in version 2.15.3, which we did not
enable.

I didn't notice anything in the GeoServer documentation for 2.15.3
that would require us to change our LDAP configuration parameters.  I
installed GeoServer version 2.18.* and it behaved the same, no LDAP
groups were returned for any of our LDAP accounts.

GeoServer DEBUG logging details related to the same LDAP user login
appear to be the same between the 2.15.2 and 2.15.3 versions; the
only noticeable difference is that the
"[ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []" list
is empty with any version after 2.15.2.  Here are some logging details:

LDAP authentication logging with 2.15.2:

2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] -
Processing authentication request for user: tuser1
2021-04-27 17:05:25,780 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
Retrieving user object using filter...
2021-04-27 17:05:25,862 INFO [ldap.SpringSecurityLdapTemplate] -
Ignoring PartialResultException
2021-04-27 17:05:25,863 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Getting authorities for user CN=Test
User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Searching for roles for user 'tuser1', DN = 'CN=Test
User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
member={0} in search base 'ou=groups,ou=udev'
2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev,
UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
2021-04-27 17:05:25,913 DEBUG
[filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
Authentication success. Updating SecurityContextHolder to contain:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4cc36d05:
Principal: 
org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
CredentialsNonExpired: true; AccountNonLocked: true; Granted
Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS,
ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES,
ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED];
Authenticated: true; Details:
org.geoserver.security.filter.GeoServerWebAuthenticationDetails@ef30:
RemoteIpAddress: 10.0.0.1; SessionId:
2C4C913D1A84AF86CE2009430A500B59; Granted Authorities:
ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS,
ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR,
ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS,
ROLE_UDEV-BDA-DEV

LDAP authentication logging with 2.15.3:

2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] -
Processing authentication request for user: tuser1
2021-04-28 11:53:59,208 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
Retrieving user object using filter...
2021-04-28 11:53:59,249 INFO [ldap.SpringSecurityLdapTemplate] -
Ignoring PartialResultException
2021-04-28 11:53:59,250 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Getting authorities for user CN=Test
User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Searching for roles for user 'tuser1', DN = 'CN=Test
User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
member={0} in search base 'ou=groups,ou=udev'
2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Roles from search: []
2021-04-28 11:53:59,288 DEBUG
[filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
Authentication success. Updating SecurityContextHolder to contain:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c764efec:
Principal: 
org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
authorities; Credentials: [PROTECTED]; Authenticated: true; Details:
org.geoserver.security.filter.GeoServerWebAuthenticationDetails@3bcc:
RemoteIpAddress: 10.0.0.1; SessionId:
7946087888C889D6616C47047EA8DC2E; Granted Authorities:
ROLE_AUTHENTICATED

Here is the data\security\auth\udev\config.xml that contains the
details of our LDAP Authentication configuration for 2.16.2:

<ldap>
  <id>-178dde25:179184fe481:-7fff</id>
  <name>udev</name>
  <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
  <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
  <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
  <groupSearchFilter>member={0}</groupSearchFilter>
  <userFilter>(sAMAccountName={1})</userFilter>
  <useTLS>false</useTLS>
  <useNestedParentGroups>false</useNestedParentGroups>
  <maxGroupSearchLevel>10</maxGroupSearchLevel>
  <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
  <userFormat>{0}@udev.com</userFormat>
</ldap>

Let me know if there is any additional information needed to help
understand the problem.

Thanks for any help!

Brandon
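
A check worth keeping around for upgrades of this kind, added here as an example (it is not GeoServer code and not from the post's author): parse the DEBUG records for one LDAP login from two captures and report the group-search result and the effective authority set side by side, flagging any authority the user held before but not after. The two captures below are constructed, shortened versions of the records quoted above (same record formats, fewer groups); the record reassembly also handles the case where one record was wrapped across several lines, as in the quoted logs.

```python
"""Compare a GeoServer LDAP login between two DEBUG log captures.

Added example, not part of GeoServer. Parses three record types seen in
the geoserver.log excerpts above:
  - "Processing authentication request for user: <name>"
  - "Roles from search: [<group>, <group>, ...]"
  - "Authentication success. ... Granted Authorities: <ROLE_..>, ..."
and reports groups/authorities lost between the two captures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A record starts with a log4j-style timestamp; anything else continues
# the previous record (mail clients wrap long records across lines).
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
USER_RE = re.compile(r"Processing authentication request for user: (\S+)")
ROLES_RE = re.compile(r"Roles from search: \[(.*?)\]")
GRANTED_RE = re.compile(r"Granted Authorities: ([^;\n]*)")

# Constructed sample captures, abbreviated from the records quoted in the post.
LOG_2_15_2 = """\
2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] - Processing authentication request for user: tuser1
2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-BDA-Dev]
2021-04-27 17:05:25,913 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Updating SecurityContextHolder to contain: UsernamePasswordAuthenticationToken: Principal: LdapUserDetailsImpl: Username: tuser1; Granted Authorities: ROLE_DL-ALL-USERS, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED]; Authenticated: true; Details: GeoServerWebAuthenticationDetails: RemoteIpAddress: 10.0.0.1; Granted Authorities: ROLE_DL-ALL-USERS, ROLE_AUTHENTICATED, ROLE_ADMINISTRATOR, ROLE_UDEV-ALL-USERS, ROLE_GROUP_ADMIN, ROLE_UDEV-BDA-DEV
"""
LOG_2_15_3 = """\
2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] - Processing authentication request for user: tuser1
2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []
2021-04-28 11:53:59,288 DEBUG
[filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Updating SecurityContextHolder to contain: UsernamePasswordAuthenticationToken: Principal: LdapUserDetailsImpl: Username: tuser1; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: GeoServerWebAuthenticationDetails: RemoteIpAddress: 10.0.0.1; Granted Authorities: ROLE_AUTHENTICATED
"""


@dataclass
class LoginTrace:
    user: Optional[str] = None
    roles_from_search: List[str] = field(default_factory=list)
    granted: List[str] = field(default_factory=list)  # effective authorities


def join_records(text: str) -> List[str]:
    """Reassemble records that were wrapped across lines."""
    records: List[str] = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def _split_list(raw: str) -> List[str]:
    return [item.strip() for item in raw.split(",") if item.strip()]


def parse_login(text: str) -> LoginTrace:
    """Extract user, directory group-search result and granted authorities."""
    trace = LoginTrace()
    for rec in join_records(text):
        user = USER_RE.search(rec)
        roles = ROLES_RE.search(rec)
        if user:
            trace.user = user.group(1)
        elif roles:
            trace.roles_from_search = _split_list(roles.group(1))
        elif "Authentication success" in rec:
            # The token prints the authority set twice (principal, then the
            # full token); the last occurrence is the effective set.
            found = GRANTED_RE.findall(rec)
            trace.granted = _split_list(found[-1]) if found else []
    return trace


def authority_diff(before: LoginTrace, after: LoginTrace) -> Dict[str, List[str]]:
    b, a = set(before.granted), set(after.granted)
    return {"lost": sorted(b - a), "gained": sorted(a - b)}


def group_lookup_regressed(before: LoginTrace, after: LoginTrace) -> bool:
    """True when the group search returned members before and nothing after,
    even though the bind itself succeeded in both captures."""
    return bool(before.roles_from_search) and not after.roles_from_search


if __name__ == "__main__":
    before, after = parse_login(LOG_2_15_2), parse_login(LOG_2_15_3)
    print(f"user: {before.user}")
    print(f"groups before: {before.roles_from_search}")
    print(f"groups after:  {after.roles_from_search}")
    print(f"group lookup regressed: {group_lookup_regressed(before, after)}")
    print(f"authority diff: {authority_diff(before, after)}")
```

Run it on the real `geoserver.log` excerpts from a pre- and post-upgrade login of the same test account; a non-empty `lost` list that includes ROLE_ADMINISTRATOR or ROLE_GROUP_ADMIN is the condition to gate the upgrade on. In this case the failure is fail-closed (the account loses privileges rather than gaining them), which is the safer direction, but an effective-authority comparison per test user still belongs in the upgrade test plan for any externally sourced role mapping.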


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users