Hi Richard, Hi Brandon, I have recently tested ApacheDS with Geoserver main branch and I got roles working without problems. I have done a quick test in 2.15.2 to be sure my use case works there too.
Do you think it will be good enough to test with ApacheDS Studio? https://directory.apache.org/studio/ Works on Linux too (using AdoptOpenJDK). Would you like me to share my test steps, or could you provide an LDIF file with your testing LDAP database? I could do a quick test in my env if you would like.

Regards,
Zdenek Henek

On Wed, May 12, 2021 at 9:57 AM Richard Duivenvoorde <rdmaili...@duif.net> wrote:
> FYI: I'm in the same boat:
> see:
>
> https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba967%40posteo.de/
>
> My gut feeling is that 'something' (recursive groups?) was added which breaks old setups.
>
> We have not been able to make this work in newer GeoServer versions and run an old version of GeoServer in parallel just to have the secure maps available via AD...
> It's pretty hard to debug/develop this, as I would need an AD server (and I'm totally not into Windows Server admin).
>
> IF anybody is able to use the AD authentication with GeoServer, please let us know.
>
> Regards,
>
> Richard Duivenvoorde
>
> On 5/4/21 9:03 PM, Brandon M wrote:
> > Hi Stefan,
> >
> > Thanks for getting back to me on this issue. I see you are using a slightly different approach with
> > https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html
> > than what I've configured.
> >
> > I have been using the LDAP authentication provider which is documented here:
> > https://docs.geoserver.org/latest/en/user/security/webadmin/auth.html#ldap-provider
> >
> > In versions 2.15.2 and prior this has worked well. In the configuration, I included the roles from our internal LDAP server that were assigned to users that should have GeoServer administrator privileges (UDEV-BDA-Dev in my case). GeoServer would look up the groups from my LDAP and, like you describe, prepend "ROLE_" to the group and save it off in the "Granted Authorities" list.
> > Logging would show GeoServer connecting to our LDAP server, retrieving a list of groups I was part of, and granting me Authorities for each with "ROLE_" prepended to each group returned. This LDAP lookup stopped finding any roles from our configured LDAP server once I installed GeoServer 2.15.3. I'm providing the same "LDAP Authentication Provider" details to both versions 2.15.2 and 2.15.3, but get no group results from the LDAP query for any version after 2.15.2. I'm guessing something changed between these versions, but can't pinpoint what it is and how I need to update my configuration to get GeoServer to see the LDAP roles again.
> >
> > I did try your method, and created a role service in GeoServer. Unfortunately GeoServer still doesn't appear to find any roles from my LDAP; when I log in, I don't see the admin options in GeoServer, my user is only granted the "ROLE_AUTHENTICATED" authority. I don't know how to debug this any further.
> >
> > Thanks,
> > Brandon
> >
> > On Sun, May 2, 2021 at 3:53 AM Stefan Overkamp <overk...@posteo.de> wrote:
> >>
> >> Hi,
> >>
> >> in my configuration I have additionally:
> >>
> >> <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
> >> (defaults to cn=*) and
> >> <user>cn=huhu,dc=geodaten,dc=de</user>
> >> <password>GANZGEHEIM</password>
> >>
> >> Also, see
> >> https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html
> >>
> >> Groups are extracted from a specific LDAP node, configured as the Groups search base. A role is mapped for every matching group. The role will have a name that is built taking the Group common name (cn attribute), transformed to upper case and with a ROLE_ prefix applied.
> >>
> >> There is no ROLE_ prefix in your example:
> >>
> >> <adminGroup>UDEV-BDA-Dev</adminGroup>
> >> <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
> >>
> >> My configuration example:
> >>
> >> <org.geoserver.security.ldap.LDAPRoleServiceConfig>
> >>   <id>-ceba2b8:15ecc57126b:-445f</id>
> >>   <name>Geodaten Rollendienst</name>
> >>   <className>org.geoserver.security.ldap.LDAPRoleService</className>
> >>   <serverURL>ldaps://geodaten.de:636/dc=geodaten,dc=de</serverURL>
> >>   <groupSearchBase>ou=ogc_dienste</groupSearchBase>
> >>   <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
> >>   <groupSearchFilter>member=cn={0},ou=user,dc=geodaten,dc=de</groupSearchFilter>
> >>   <userFilter>member=cn={0},ou=user,dc=geodaten,dc=de</userFilter>
> >>   <useTLS>false</useTLS>
> >>   <useNestedParentGroups>false</useNestedParentGroups>
> >>   <maxGroupSearchLevel>0</maxGroupSearchLevel>
> >>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
> >>   <adminGroup>ROLE_ADMIN</adminGroup>
> >>   <groupAdminGroup>ROLE_GRUPPEN_ADMIN</groupAdminGroup>
> >>   <user>cn=huhu,dc=geodaten,dc=de</user>
> >>   <password>GANZGEHEIM</password>
> >> </org.geoserver.security.ldap.LDAPRoleServiceConfig>
> >>
> >> Stefan
> >>
> >>
> >> On 29.04.2021 at 14:16, Brandon M wrote:
> >>
> >> Hi GeoServer Users,
> >>
> >> We recently upgraded to a new version of GeoServer, 2.16.2 from 2.12.2 (I know we are a little behind the curve). We have GeoServer configured to use our internal LDAP for user login, and assign users GeoServer ADMIN privileges based on their LDAP groups, which is configured under the Security -> Authentication -> LDAP Authentication Provider section of the GeoServer console. The LDAP group lookup performed by GeoServer stopped working when we upgraded; the LDAP authentication still works as it did before the upgrade.
> >>
> >> I did some additional testing and found that this issue started in version 2.15.3.
> >> I read the release notes for 2.15.3 and didn't see anything that would explain why the lookup and handling of LDAP roles would be any different between 2.15.2 and 2.15.3. The LDAP Authentication setup page in GeoServer does have a new "Enable Hierarchical groups search" option in version 2.15.3, which we did not enable.
> >>
> >> I didn't notice anything in the GeoServer documentation for 2.15.3 that would require us to change our LDAP configuration parameters. I installed GeoServer version 2.18.* and it behaved the same: no LDAP groups were returned for any of our LDAP accounts.
> >>
> >> GeoServer DEBUG logging details related to the same LDAP user login appear to be the same between the 2.15.2 and 2.15.3 versions; the only noticeable difference is that "[ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []" is empty with any version after 2.15.2. Here are some logging details:
> >>
> >> LDAP authentication logging with 2.15.2:
> >>
> >> 2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] - Processing authentication request for user: tuser1
> >> 2021-04-27 17:05:25,780 DEBUG [ldap.GeoserverLdapBindAuthenticator] - Retrieving user object using filter...
> >> 2021-04-27 17:05:25,862 INFO [ldap.SpringSecurityLdapTemplate] - Ignoring PartialResultException
> >> 2021-04-27 17:05:25,863 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Getting authorities for user CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
> >> 2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Searching for roles for user 'tuser1', DN = 'CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter member={0} in search base 'ou=groups,ou=udev'
> >> 2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev, UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
> >> 2021-04-27 17:05:25,913 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4cc36d05: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2: Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username: tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@ef30: RemoteIpAddress: 10.0.0.1; SessionId: 2C4C913D1A84AF86CE2009430A500B59; Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR, ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV
> >>
> >> LDAP
> >> authentication logging with 2.15.3:
> >>
> >> 2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] - Processing authentication request for user: tuser1
> >> 2021-04-28 11:53:59,208 DEBUG [ldap.GeoserverLdapBindAuthenticator] - Retrieving user object using filter...
> >> 2021-04-28 11:53:59,249 INFO [ldap.SpringSecurityLdapTemplate] - Ignoring PartialResultException
> >> 2021-04-28 11:53:59,250 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Getting authorities for user CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
> >> 2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Searching for roles for user 'tuser1', DN = 'CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter member={0} in search base 'ou=groups,ou=udev'
> >> 2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []
> >> 2021-04-28 11:53:59,288 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success.
> >> Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c764efec: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2: Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username: tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@3bcc: RemoteIpAddress: 10.0.0.1; SessionId: 7946087888C889D6616C47047EA8DC2E; Granted Authorities: ROLE_AUTHENTICATED
> >>
> >> Here is the data\security\auth\udev\config.xml that contains the details of our LDAP Authentication configuration for 2.16.2:
> >>
> >> <ldap>
> >>   <id>-178dde25:179184fe481:-7fff</id>
> >>   <name>udev</name>
> >>   <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
> >>   <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
> >>   <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
> >>   <groupSearchFilter>member={0}</groupSearchFilter>
> >>   <userFilter>(sAMAccountName={1})</userFilter>
> >>   <useTLS>false</useTLS>
> >>   <useNestedParentGroups>false</useNestedParentGroups>
> >>   <maxGroupSearchLevel>10</maxGroupSearchLevel>
> >>   <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
> >>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
> >>   <adminGroup>UDEV-BDA-Dev</adminGroup>
> >>   <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
> >>   <userFormat>{0}@udev.com</userFormat>
> >> </ldap>
> >>
> >> Let me know if there is any additional information needed to help understand the problem.
> >>
> >> Thanks for any help!
> >>
> >> Brandon
> >>
> >>
> >> _______________________________________________
> >> Geoserver-users mailing list
> >>
> >> Please make sure you read the following two resources before posting to this list:
> >> - Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
> >> - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
> >>
> >> If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
> >>
> >> Geoserver-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/geoserver-users
> >>
> >>
> >> --
> >> Dipl. Ing. Stefan Overkamp
> >> overk...@posteo.de
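Added example for this thread, not GeoServer code and not code from anyone on the list. The two things the thread turns on are Stefan's point that roles are derived from the group cn (upper-cased, ROLE_ prefix) while Brandon's <adminGroup> holds the raw group name, and Brandon's log showing "Roles from search: []" after 2.15.2. The script below cross-checks a provider config.xml against the DEBUG log: it pulls <adminGroup>/<groupAdminGroup> from the XML, the group list from "Roles from search" and the "Granted Authorities" lists from the log, derives the documented ROLE_ name for every group, and reports whether each configured admin group matches a granted role, is a raw cn whose ROLE_ form was granted, or cannot match because the search returned nothing. Assumptions: the cn-to-role mapping is the one quoted from the role-service docs, the log format is the one quoted in the thread, and the config and log excerpts embedded below are constructed from Brandon's message, abridged. Which form of <adminGroup> a given GeoServer version accepts is not settled by the thread, so the script reports both and does not decide.

```python
"""Cross-check a GeoServer LDAP provider config.xml against the roles GeoServer
logged for an LDAP login. Added example; not GeoServer's own code."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

ROLE_PREFIX = "ROLE_"
ROLES_RE = re.compile(r"Roles from search: \[(.*?)\]")
GRANTED_RE = re.compile(r"Granted Authorities: ([^;\n]*)")


def group_to_role(cn: str) -> str:
    """cn -> role name as the LDAP role service docs describe it (assumption:
    the auth provider derives names the same way): upper case, ROLE_ prefix."""
    return ROLE_PREFIX + cn.strip().upper()


def parse_admin_groups(config_xml: str) -> dict[str, str]:
    """Read <adminGroup> and <groupAdminGroup> from a provider/role-service config."""
    root = ET.fromstring(config_xml)
    return {tag: (root.findtext(tag) or "").strip()
            for tag in ("adminGroup", "groupAdminGroup")}


def parse_log(log: str) -> tuple[list[str], set[str]]:
    """Return (group cns from 'Roles from search', union of all 'Granted Authorities')."""
    groups: list[str] = []
    for m in ROLES_RE.finditer(log):
        groups.extend(g.strip() for g in m.group(1).split(",") if g.strip())
    granted: set[str] = set()
    for m in GRANTED_RE.finditer(log):
        granted.update(a.strip() for a in m.group(1).split(",") if a.strip())
    return groups, granted


def check(config_xml: str, log: str) -> dict:
    """Relate each configured admin group to what the log shows was granted."""
    cfg = parse_admin_groups(config_xml)
    groups, granted = parse_log(log)
    derived = {group_to_role(g) for g in groups}
    report: dict = {
        "groups_found": len(groups),
        "derived_roles": sorted(derived),
        # These two authorities appear in the 2.15.2 log once the admin group matched.
        "admin_role_granted": "ROLE_ADMINISTRATOR" in granted,
        "group_admin_role_granted": "ROLE_GROUP_ADMIN" in granted,
    }
    for tag, value in cfg.items():
        if not value:
            status = "unset"
        elif value in granted:
            status = "matches-granted-role"   # already in ROLE_ form, e.g. ROLE_ADMIN
        elif group_to_role(value) in derived:
            status = "raw-group-name"         # cn given; its ROLE_ form was granted
        elif not groups:
            status = "no-groups-returned"     # the role search itself came back empty
        else:
            status = "no-match"
        report[tag] = {"configured": value, "as_role": group_to_role(value), "status": status}
    return report


# Constructed sample input: Brandon's config.xml, abridged to the relevant elements.
CONFIG_XML = """<ldap>
  <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
  <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
  <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
  <groupSearchFilter>member={0}</groupSearchFilter>
  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
</ldap>"""

# Constructed sample input: the two DEBUG excerpts from the thread, abridged ("...").
LOG_2_15_2 = """\
2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev, UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
2021-04-27 17:05:25,913 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. ... Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED]; ... Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR, ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV
"""
LOG_2_15_3 = """\
2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []
2021-04-28 11:53:59,288 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. ... Not granted any authorities; Credentials: [PROTECTED]; ... Granted Authorities: ROLE_AUTHENTICATED
"""

if __name__ == "__main__":
    for label, log in (("2.15.2", LOG_2_15_2), ("2.15.3", LOG_2_15_3)):
        print(label, check(CONFIG_XML, log))
```

Run it against your own data/security/auth/<provider>/config.xml and a geoserver.log captured at DEBUG. A "raw-group-name" status with admin_role_granted true (the 2.15.2 excerpt) tells you the cn form was accepted by that version; "no-groups-returned" (the 2.15.3 excerpt) tells you the admin-group spelling is not the first thing to chase, because the member={0} search in ou=groups,ou=udev produced nothing and no spelling of <adminGroup> can match an empty list.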