I'm sure that I made LDAP roles work with a more recent version of
GeoServer at my previous job (unfortunately it's behind a firewall so I
can't check) -
My LDAPUserGroupService config contained:
<groupSearchBase>ou=groups,dc=galbraith,dc=co,dc=uk</groupSearchBase>
<groupNameAttribute>cn</groupNameAttribute>
<allGroupsSearchFilter>(objectClass=groupOfUniqueNames)</allGroupsSearchFilter>
<groupSearchFilter>(uniqueMember=uid={0},ou=users,dc=galbraith,dc=co,dc=uk)</groupSearchFilter>
<groupMembershipAttribute>uniqueMember</groupMembershipAttribute>
<userSearchBase>ou=users,dc=galbraith,dc=co,dc=uk</userSearchBase>
<userNameAttribute>uid</userNameAttribute>
<allUsersSearchFilter>(objectClass=inetOrgPerson)</allUsersSearchFilter>
<useTLS>false</useTLS>
<useNestedParentGroups>false</useNestedParentGroups>
<maxGroupSearchLevel>10</maxGroupSearchLevel>
<nestedGroupSearchFilter>(uniqueMember={0})</nestedGroupSearchFilter>
<bindBeforeGroupSearch>true</bindBeforeGroupSearch>
<rolePrefix>ROLE_</rolePrefix>
<convertToUpperCase>true</convertToUpperCase>
and my LDAPRoleServiceConfig included
<groupSearchBase>ou=groups,dc=galbraith,dc=co,dc=uk</groupSearchBase>
<allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
<groupSearchFilter>uniqueMember=uid={0},ou=users,dc=galbraith,dc=co,dc=uk</groupSearchFilter>
<useTLS>false</useTLS>
<useNestedParentGroups>false</useNestedParentGroups>
<maxGroupSearchLevel>10</maxGroupSearchLevel>
<nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
<bindBeforeGroupSearch>true</bindBeforeGroupSearch>
<adminGroup>ROLE_ADMINS</adminGroup>
<groupAdminGroup>ROLE_ADMINS</groupAdminGroup>
<rolePrefix>ROLE_</rolePrefix>
<convertToUpperCase>true</convertToUpperCase>
My notes also include in bold: `You must make the new role service the
active one by changing the drop down on the security->settings page`
https://docs.geoserver.org/latest/en/user/security/webadmin/settings.html#active-role-service
I can highly recommend using a cli tool like ldapsearch to test out your
queries to see what they should be, which is how I got to
`(uniqueMember=cn={0},ou=users,dc=galbraith,dc=co,dc=uk)` for my group
member search
Ian
On Thu, 29 Feb 2024 at 11:48, <[email protected]> wrote:
> "I dont know what I am doing"-Chapter 23:
>
>
--
Ian Turton
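Added example (not from the post above or from GeoServer): it parses the LDAPRoleServiceConfig fragment quoted in the post, builds the group-membership filter for a given username with RFC 4515 escaping, and prints the equivalent ldapsearch command so the filter can be tested by hand as recommended. The ldap:// host is a placeholder, and the prefix/upper-casing of group names mirrors how the rolePrefix and convertToUpperCase settings read rather than GeoServer's verified behaviour.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the role service fragment from the post, wrapped in a root element.
ROLE_SERVICE_XML = """<config>
<groupSearchBase>ou=groups,dc=galbraith,dc=co,dc=uk</groupSearchBase>
<allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
<groupSearchFilter>uniqueMember=uid={0},ou=users,dc=galbraith,dc=co,dc=uk</groupSearchFilter>
<adminGroup>ROLE_ADMINS</adminGroup>
<rolePrefix>ROLE_</rolePrefix>
<convertToUpperCase>true</convertToUpperCase>
</config>"""

# RFC 4515 escapes: a username must not be able to change the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(c, c) for c in value)


def parse_config(xml_text):
    """Flatten the config element children into a tag -> text dict."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def group_filter(cfg, username):
    """Substitute {0} with the escaped username and add the outer parentheses
    ldapsearch expects (assumption: GeoServer tolerates the bare form)."""
    f = cfg["groupSearchFilter"].replace("{0}", escape_filter_value(username))
    return f if f.startswith("(") else "(" + f + ")"


def role_name(cfg, group_cn):
    """Group cn -> role name, applying rolePrefix and convertToUpperCase."""
    name = group_cn.upper() if cfg.get("convertToUpperCase") == "true" else group_cn
    return cfg.get("rolePrefix", "") + name


def ldapsearch_command(cfg, username, host="ldap://ldap.example.invalid"):
    """ldapsearch invocation (-x simple bind, -LLL compact LDIF) for testing the
    group lookup by hand; host is a placeholder."""
    return ["ldapsearch", "-x", "-LLL", "-H", host, "-b", cfg["groupSearchBase"],
            group_filter(cfg, username), "cn"]


if __name__ == "__main__":
    cfg = parse_config(ROLE_SERVICE_XML)
    print(shlex.join(ldapsearch_command(cfg, "ian")))
    # The role derived from group cn "admins" should match adminGroup in the config.
    print(role_name(cfg, "admins"), "==", cfg["adminGroup"])
```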
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users