Hello everybody,

A quick note from a very new geoserver administrator: I successfully set up 
Active Directory Auth on our geoserver according to this guide: 
https://docs.geoserver.org/latest/en/user/security/tutorials/activedirectory/index.html
One thing it does not mention is that AD supports the 
LDAP_MATCHING_RULE_IN_CHAIN extension - see 
https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
This is an easy and efficient way to recursively detect group membership.

To explain: Suppose user U is a member of group A, and group A is a member of 
group B. Suppose geoserver's LDAP authentication is configured with "Group to 
use as ADMIN" = B.

If you have the group search filter
    member={0}
then U will not be a member of B. But if you enter
    member:1.2.840.113556.1.4.1941:={0}
then U will be a member of B, via A.

I am on an old geoserver version that does not allow recursive searches. I 
understand that more recent versions do allow recursive searches, but this 
extension is much lighter and faster, so it is the preferable alternative for 
AD.

I wanted to open a support ticket to adapt the documentation, but that page 
directed me to discussing the ticket here, so here I am.

Hans
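The difference between the two group search filters in the post, shown as an added example that is not part of the original message or of GeoServer's code. It evaluates both filter forms against a small constructed in-memory directory (user U, groups A and B nested as described, plus an unrelated pair of mutually nested groups to show that the transitive walk terminates on cycles). The directory entries, DNs and the helper names parse_filter, search_groups and is_admin are assumptions made for the example; the OID 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN value from the post.

```python
"""Simulate how an LDAP group search filter with and without the AD
LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) resolves
nested group membership. Pure in-memory model, no live directory needed."""

import re

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory (assumption for this example): DN -> attributes.
# U is a direct member of A; A is a direct member of B; C and D are nested in
# each other and contain no user, which exercises the cycle guard.
U_DN = "CN=U,OU=Users,DC=example,DC=org"
A_DN = "CN=A,OU=Groups,DC=example,DC=org"
B_DN = "CN=B,OU=Groups,DC=example,DC=org"
C_DN = "CN=C,OU=Groups,DC=example,DC=org"
D_DN = "CN=D,OU=Groups,DC=example,DC=org"

DIRECTORY = {
    U_DN: {"objectClass": ["user"]},
    A_DN: {"objectClass": ["group"], "member": [U_DN]},
    B_DN: {"objectClass": ["group"], "member": [A_DN]},
    C_DN: {"objectClass": ["group"], "member": [D_DN]},
    D_DN: {"objectClass": ["group"], "member": [C_DN]},
}

# attr, optional ":<oid>:" extensible-match rule, "=", value; outer parens optional.
_FILTER_RE = re.compile(r"^\(?(?P<attr>[A-Za-z][\w-]*)(?::(?P<rule>[\d.]+):)?=(?P<value>.+?)\)?$")


def parse_filter(filter_template, user_dn):
    """Substitute {0} with the user's DN (as GeoServer does for the group
    search filter) and split the result into (attribute, rule OID, value)."""
    m = _FILTER_RE.match(filter_template.replace("{0}", user_dn))
    if not m:
        raise ValueError("unsupported filter syntax: %r" % filter_template)
    return m.group("attr"), m.group("rule"), m.group("value")


def _chain_match(entry_dn, attr, value, visited, directory):
    """Transitive match: the entry matches if attr holds value directly, or
    holds some DN whose own entry chain-matches. The visited set stops the
    walk on circular nesting."""
    if entry_dn in visited:
        return False
    visited.add(entry_dn)
    held = directory.get(entry_dn, {}).get(attr, [])
    if value in held:
        return True
    return any(_chain_match(dn, attr, value, visited, directory) for dn in held)


def search_groups(filter_template, user_dn, directory=DIRECTORY):
    """Return the sorted DNs of group entries matching the filter for user_dn."""
    attr, rule, value = parse_filter(filter_template, user_dn)
    hits = []
    for dn, entry in directory.items():
        if "group" not in entry.get("objectClass", []):
            continue
        if rule is None:
            matched = value in entry.get(attr, [])          # direct members only
        elif rule == MATCHING_RULE_IN_CHAIN:
            matched = _chain_match(dn, attr, value, set(), directory)
        else:
            raise ValueError("unsupported matching rule %s" % rule)
        if matched:
            hits.append(dn)
    return sorted(hits)


def is_admin(filter_template, user_dn, admin_group_dn, directory=DIRECTORY):
    """Mimic 'Group to use as ADMIN': is admin_group_dn among the user's groups?"""
    return admin_group_dn in search_groups(filter_template, user_dn, directory)


if __name__ == "__main__":
    for flt in ("member={0}", "member:%s:={0}" % MATCHING_RULE_IN_CHAIN):
        print(flt, "->", search_groups(flt, U_DN), "admin:", is_admin(flt, U_DN, B_DN))
```

With the plain `member={0}` filter U is only found in A, so the ADMIN check against B fails; with the chained form U is found in both A and B. In a real AD the server performs this walk itself, which is why the post describes it as lighter than client-side recursive searching.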
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
