Hello everybody,

A quick note from a very new GeoServer administrator: I successfully set up Active Directory Auth on our GeoServer according to this guide: https://docs.geoserver.org/latest/en/user/security/tutorials/activedirectory/index.html

One thing it does not mention is that AD supports the LDAP_MATCHING_RULE_IN_CHAIN extension - see https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax . This is an easy and efficient way to recursively detect group membership.

To explain: Suppose user U is a member of group A, and group A is a member of group B. Suppose GeoServer's LDAP authentication is configured with "Group to use as ADMIN" = B. If you have the group search filter

    member={0}

then U will not be a member of B. But if you enter

    member:1.2.840.113556.1.4.1941:={0}

then U will be a member of B, via A.

I am on an old GeoServer version that does not allow recursive searches. I understand that more recent versions do allow recursive searches, but this extension is much lighter and faster, so it is the preferable alternative for AD.

I wanted to open a support ticket to adapt the documentation, but that page directed me to discussing the ticket here, so here I am.

Hans
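
The difference between the two filters in the message above, as an added example that is not part of the original post and not GeoServer code: a small model of direct versus in-chain group matching over a constructed directory. The DNs, the circular nesting of A and B, and all helper names are assumptions; the walk only models what AD evaluates server-side for the in-chain rule.

```python
# Added illustration; DNs, group layout and helper names are constructed.
OID_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

U = "CN=U,OU=Users,DC=example,DC=org"
A = "CN=A,OU=Groups,DC=example,DC=org"
B = "CN=B,OU=Groups,DC=example,DC=org"
D = "CN=D,OU=Groups,DC=example,DC=org"

# Constructed directory: group DN -> values of its "member" attribute.
# A also lists B, so the nesting is circular (A in B, B in A).
MEMBERS = {A: [U, B], B: [A], D: ["CN=V,OU=Users,DC=example,DC=org"]}

def escape_filter_value(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(template, user_dn):
    """Substitute the escaped user DN for {0}; parentheses are added by this helper."""
    return "(" + template.replace("{0}", escape_filter_value(user_dn)) + ")"

def matching_groups(user_dn, in_chain):
    """Groups matched by member={0} (in_chain=False) or by the in-chain rule."""
    found, frontier = set(), {user_dn}
    while frontier:
        hits = {g for g, m in MEMBERS.items() if frontier & set(m)} - found
        found |= hits
        frontier = hits if in_chain else set()  # direct match stops after one hop
    return found

def is_admin(user_dn, admin_group, in_chain):
    """True when the configured admin group is among the matched groups."""
    return admin_group in matching_groups(user_dn, in_chain)

if __name__ == "__main__":
    for tmpl, chain in (("member={0}", False), ("member:%s:={0}" % OID_IN_CHAIN, True)):
        print(group_filter(tmpl, U), sorted(matching_groups(U, chain)), is_admin(U, B, chain))
```

Because the in-chain filter grants roles through every level of nesting, it is worth reviewing who can edit the membership of any group nested under the admin group before switching filters.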