Hi Stefan,

Thanks for getting back to me on this issue.  I see you are using a
slightly different approach with
https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html
than what I've configured.

I have been using the LDAP authentication provider which is documented
here:
https://docs.geoserver.org/latest/en/user/security/webadmin/auth.html#ldap-provider.
In versions 2.15.2 and prior this has worked well.  In the
configuration, I included the roles from our internal LDAP server that
were assigned to users that should have GeoServer administrator
privileges (UDEV-BDA-Dev in my case). GeoServer would look up the
groups from my LDAP and, like you describe, prepend "ROLE_" to the
group and save it off in the "Granted Authorities" list. Logging
would show GeoServer connecting to our LDAP server retrieving a list
of groups I was part of, and granting me Authorities for each with
"ROLE_" prepended to each group returned.  This LDAP lookup stopped
finding any roles from our configured LDAP server once I installed
GeoServer 2.15.3.  I'm providing the same "LDAP Authentication
Provider" details to both versions 2.15.2 and 2.15.3, but get no group
results from the LDAP query for any version after 2.15.2.  I'm
guessing something changed between these versions, but can't pinpoint
what it is and how I need to update my configuration to get GeoServer
to see the LDAP roles again.

I did try your method and created a role service in GeoServer.
Unfortunately, GeoServer still doesn't appear to find any roles from my
LDAP: when I log in, I don't see the admin options in GeoServer, and my
user is only granted the "ROLE_AUTHENTICATED" authority. I don't know
how to debug this any further.

Thanks,
Brandon

On Sun, May 2, 2021 at 3:53 AM Stefan Overkamp <overk...@posteo.de> wrote:
>
> Hi,
>
> In my configuration I additionally have:
>
>   <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
> (defaults to cn=*) and
>   <user>cn=huhu,dc=geodaten,dc=de</user>
>   <password>GANZGEHEIM</password>
>
> Also, see 
> https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html
>
> Groups are extracted from a specific LDAP node, configured as the Groups 
> search base. A role is mapped for every matching group.
> The role will have a name that is built taking the Group common name (cn 
> attribute), transformed to upper case and with a ROLE_ prefix applied.
>
> There is no ROLE_ prefix in your example:
>
>   <adminGroup>UDEV-BDA-Dev</adminGroup>
>   <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
>
>
> My configuration example:
>
> <org.geoserver.security.ldap.LDAPRoleServiceConfig>
>   <id>-ceba2b8:15ecc57126b:-445f</id>
>   <name>Geodaten Rollendienst</name>
>   <className>org.geoserver.security.ldap.LDAPRoleService</className>
>   <serverURL>ldaps://geodaten.de:636/dc=geodaten,dc=de</serverURL>
>   <groupSearchBase>ou=ogc_dienste</groupSearchBase>
>   <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
>   <groupSearchFilter>member=cn={0},ou=user,dc=geodaten,dc=de</groupSearchFilter>
>   <userFilter>member=cn={0},ou=user,dc=geodaten,dc=de</userFilter>
>   <useTLS>false</useTLS>
>   <useNestedParentGroups>false</useNestedParentGroups>
>   <maxGroupSearchLevel>0</maxGroupSearchLevel>
>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
>   <adminGroup>ROLE_ADMIN</adminGroup>
>   <groupAdminGroup>ROLE_GRUPPEN_ADMIN</groupAdminGroup>
>   <user>cn=huhu,dc=geodaten,dc=de</user>
>   <password>GANZGEHEIM</password>
> </org.geoserver.security.ldap.LDAPRoleServiceConfig>
>
> Stefan
>
>
> On 29.04.2021 at 14:16, Brandon M wrote:
>
> Hi GeoServer Users,
>
> We recently upgraded to a new version of GeoServer, 2.16.2 from 2.12.2
> (I know we are a little behind the curve).  We have GeoServer
> configured to use our internal LDAP for user login, and assign users
> GeoServer ADMIN privileges based on their LDAP groups, which is
> configured under Security -> Authentication -> LDAP Authentication
> Provider section of the GeoServer console.  The LDAP group lookup
> performed by GeoServer stopped working when we upgraded, the LDAP
> authentication still works as it did before the upgrade.
>
> I did some additional testing and found that this issue started in
> version 2.15.3.  I read the release notes for 2.15.3 and didn't see
> anything that would explain why the lookup and handling of LDAP roles
> would be any different between 2.15.2 and 2.15.3.  The LDAP
> Authentication setup page in GeoServer does have a new "Enable
> Hierarchical groups search" option in version 2.15.3, which we did not
> enable.
>
> I didn't notice anything in the GeoServer documentation for 2.15.3
> that would require us to change our LDAP configuration parameters.  I
> installed GeoServer version 2.18.* and it behaved the same, no LDAP
> groups were returned for any of our LDAP accounts.
>
> GeoServer DEBUG logging details related to the same LDAP user login
> appears to be the same between the 2.15.2 and 2.15.3 versions, the
> only noticeable difference is the
> "[ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []" is
> empty with any version after 2.15.2, here are some logging details:
>
> LDAP authentication logging with 2.15.2:
>
> 2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] -
> Processing authentication request for user: tuser1
> 2021-04-27 17:05:25,780 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
> Retrieving user object using filter...
> 2021-04-27 17:05:25,862 INFO [ldap.SpringSecurityLdapTemplate] -
> Ignoring PartialResultException
> 2021-04-27 17:05:25,863 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Getting authorities for user CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
> 2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Searching for roles for user 'tuser1', DN = 'CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
> member={0} in search base 'ou=groups,ou=udev'
> 2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev,
> UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
> 2021-04-27 17:05:25,913 DEBUG
> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4cc36d05:
> Principal: 
> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
> Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
> tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Granted
> Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS,
> ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES,
> ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED];
> Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@ef30:
> RemoteIpAddress: 10.0.0.1; SessionId:
> 2C4C913D1A84AF86CE2009430A500B59; Granted Authorities:
> ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS,
> ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR,
> ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS,
> ROLE_UDEV-BDA-DEV
>
> LDAP authentication logging with 2.15.3:
>
> 2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] -
> Processing authentication request for user: tuser1
> 2021-04-28 11:53:59,208 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
> Retrieving user object using filter...
> 2021-04-28 11:53:59,249 INFO [ldap.SpringSecurityLdapTemplate] -
> Ignoring PartialResultException
> 2021-04-28 11:53:59,250 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Getting authorities for user CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
> 2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Searching for roles for user 'tuser1', DN = 'CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
> member={0} in search base 'ou=groups,ou=udev'
> 2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Roles from search: []
> 2021-04-28 11:53:59,288 DEBUG
> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c764efec:
> Principal: 
> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
> Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
> tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
> authorities; Credentials: [PROTECTED]; Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@3bcc:
> RemoteIpAddress: 10.0.0.1; SessionId:
> 7946087888C889D6616C47047EA8DC2E; Granted Authorities:
> ROLE_AUTHENTICATED
>
> Here is the data\security\auth\udev\config.xml that contains the
> details of our LDAP Authentication configuration for 2.16.2:
>
> <ldap>
>   <id>-178dde25:179184fe481:-7fff</id>
>   <name>udev</name>
>   <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
>   <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
>   <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
>   <groupSearchFilter>member={0}</groupSearchFilter>
>   <userFilter>(sAMAccountName={1})</userFilter>
>   <useTLS>false</useTLS>
>   <useNestedParentGroups>false</useNestedParentGroups>
>   <maxGroupSearchLevel>10</maxGroupSearchLevel>
>   <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
>   <adminGroup>UDEV-BDA-Dev</adminGroup>
>   <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
>   <userFormat>{0}@udev.com</userFormat>
> </ldap>
>
> Let me know if there is any additional information needed to help
> understand the problem.
>
> Thanks for any help!
>
> Brandon
>
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to this 
> list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines: 
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this: 
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>
>
> --
> Dipl. Ing. Stefan Overkamp
> overk...@posteo.de
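As an added example (not code from this thread or from GeoServer), here is a small Python check that pulls the "Roles from search" list out of the two log excerpts above, applies the role-name mapping Stefan quotes from the role-service docs (group cn upper-cased with a ROLE_ prefix), and compares the result with the adminGroup in Brandon's config.xml. The log lines and config excerpt are constructed from the thread; that the authentication provider applies exactly the same mapping as the role service is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the data/security/auth/udev/config.xml quoted in the thread
CONFIG_XML = """<ldap>
  <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
  <groupSearchFilter>member={0}</groupSearchFilter>
  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
</ldap>"""

# Constructed log lines, following the shape of the two excerpts in the thread
LOG_2_15_2 = ("2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - "
              "Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev, "
              "UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]")
LOG_2_15_3 = ("2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - "
              "Roles from search: []")

ROLES_RE = re.compile(r"Roles from search: \[(.*?)\]")


def roles_from_log(line):
    """Return the group names GeoServer logged, or [] when the search came back empty."""
    m = ROLES_RE.search(line)
    if m is None or not m.group(1).strip():
        return []
    return [g.strip() for g in m.group(1).split(",")]


def expected_authorities(groups):
    """Role-name mapping quoted in the thread: upper-cased cn with a ROLE_ prefix (assumed)."""
    return {"ROLE_" + g.upper() for g in groups}


def check_admin_mapping(config_xml, log_line):
    """Report whether the configured adminGroup can match any mapped authority."""
    root = ET.fromstring(config_xml)
    admin_group = root.findtext("adminGroup", default="")
    groups = roles_from_log(log_line)
    auths = expected_authorities(groups)
    return {
        "search_empty": not groups,                # the 2.15.3 symptom in the thread
        "authorities": sorted(auths),
        "admin_group": admin_group,
        "literal_match": admin_group in auths,     # adminGroup compared as written
        "mapped_match": "ROLE_" + admin_group.upper() in auths,  # after the same mapping
    }
```

An empty "search_empty" result points at the group search itself (base, filter, bind) rather than at role naming; a False "literal_match" with a True "mapped_match" is the prefix mismatch Stefan describes.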
