Re: [Geoserver-users] GeoServer AD Integration

2020-03-27 Thread Mauro Bartolomeoli
Hi Vera,
the only way that comes to my mind to limit the login of LDAP users is to work
on the "filter used to lookup user", which for an AD configuration is
usually something like:

(|(userPrincipalName={0})(sAMAccountName={1}))

Only users matching this filter will be able to log in, so one strategy
could be to use some user attribute to enable/disable user login and use
that attribute in the filter:

(&(|(userPrincipalName={0})(sAMAccountName={1}))(canLogin=true))

But this cannot be used to restrict based on group membership, because this
information is not in the user entity.

I don't know if you can "workaround" your scenario by adding an ad-hoc
attribute to your users.

Mauro

On Sun, 22 Mar 2020 at 03:01 Vera Green
wrote:

> Hello,
> We have integrated our GeoServer with active directory (AD) as per this
> documentation
> 
> .
> We are attempting to RESTRICT GeoServer access through the use of an
> active directory GROUP.
>
> Goal:
>
>- KEEP default/basic users and local user functionality as is. These
>users are created locally on GeoServer and authenticate using the basic
>method.  (Working)
>- UPDATE the AD-LDAP authentication to:
>   - automatically synchronize users between GeoServer and AD (Working)
>   - restrict AD users to the AD group: portal_user group:
>  - Only users in this group will be available in the GeoServer
>  user list (working).
>  - Only users in this AD group can log in to GeoServer (ISSUE:
>  ALL AD Users can log in)
>
>
> *Details On Issue:*
>
> AD-LDAP has been configured to synchronize with AD and restrict to the
> portal_user group.
>
> HOWEVER ... by doing a different test I realized still any AD user can
> log in. The configuration I put in place was apparently only for setting
> roles and permissions once the user has logged in, but not to restrict or
> limit who can log in.
>
> I tested other different LDAP filters trying to restrict *Portal_User* group
> only but it was worse (I got errors when trying to log in).
>
>
> Thanks in advance for any suggestions.
>
> Please reply all.
>
> Vera
> ___
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, but Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>


-- 

Regards,

Mauro Bartolomeoli

==
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V
for more information.
==

Dott. Mauro Bartolomeoli
@mauro_bart
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy

mobile: +39 393 904 1756
phone: +39 0584 962313
fax:  +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

---

This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail.
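The two filters Mauro gives above, run against a small constructed directory, as an added example (this is not GeoServer's code nor Mauro's, and it does not talk to a real LDAP server). It implements a parser for the subset of LDAP filter syntax the filters use ('&', '|', '!' and attribute=value items) so it can evaluate any attribute, not only the ones in the mail, and shows which users each filter admits: the base filter matches every user the lookup can find, while the conjunction with `canLogin=true` admits only the flagged entries. The sample users, the `canLogin` attribute values, the rule that `{0}` is the login as typed and `{1}` the login with any `@domain` suffix removed, and the filter escaping of the login are all assumptions of this example; the real placeholder and escaping behaviour is defined by GeoServer and its LDAP stack, not by this script.

```python
"""Evaluate the LDAP user-lookup filters discussed in the thread.

Added example, not GeoServer code. It parses a subset of RFC 4515 filter
syntax ('&', '|', '!' and attribute=value items), substitutes the GeoServer
placeholders {0}/{1} the way this example assumes (login as typed, and login
with any @domain suffix removed), and runs the result against a constructed
in-memory directory.
"""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]

# Constructed sample directory. "canLogin" is the ad-hoc attribute proposed
# in the mail; Carol has no such attribute at all.
DIRECTORY: List[Entry] = [
    {"userPrincipalName": ["alice@example.org"], "sAMAccountName": ["alice"], "canLogin": ["TRUE"]},
    {"userPrincipalName": ["bob@example.org"], "sAMAccountName": ["bob"], "canLogin": ["false"]},
    {"userPrincipalName": ["carol@example.org"], "sAMAccountName": ["carol"]},
]

BASE_FILTER = "(|(userPrincipalName={0})(sAMAccountName={1}))"
RESTRICTED_FILTER = "(&(|(userPrincipalName={0})(sAMAccountName={1}))(canLogin=true))"


def escape(value: str) -> str:
    """RFC 4515 escaping so a login name can never change the filter's shape."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render(template: str, login: str) -> str:
    """Fill {0} with the login as typed and {1} with the login minus any @domain (assumed rule)."""
    short = login.split("@", 1)[0]
    return re.sub(r"\{([01])\}", lambda m: escape(login if m.group(1) == "0" else short), template)


def _equals(attr: str, raw_value: str) -> Predicate:
    key, want = attr.lower(), _unescape(raw_value).lower()

    def pred(entry: Entry) -> bool:
        for name, values in entry.items():  # attribute names compare case-insensitively
            if name.lower() == key:
                return any(v.lower() == want for v in values)
        return False  # an absent attribute never matches
    return pred


def _parse(text: str, pos: int) -> Tuple[Predicate, int]:
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unterminated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children: List[Predicate] = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        combine = all if op == "&" else any
        pred: Predicate = lambda e, c=tuple(children), f=combine: f(p(e) for p in c)
    elif op == "!":
        child, pos = _parse(text, pos + 1)
        pred = lambda e, c=child: not c(e)
    else:
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed item {text[pos:end]!r}")
        pred = _equals(attr.strip(), value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pred, pos + 1


def parse_filter(text: str) -> Predicate:
    pred, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return pred


def lookup_user(login: str, template: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    """Return the sAMAccountName of every entry the rendered filter matches."""
    pred = parse_filter(render(template, login))
    return [e["sAMAccountName"][0] for e in directory if pred(e)]


def can_log_in(login: str, template: str, directory: List[Entry] = DIRECTORY) -> bool:
    """The lookup must yield exactly one entry before a bind could be attempted."""
    return len(lookup_user(login, template, directory)) == 1


if __name__ == "__main__":
    for login in ("alice", "bob@example.org", "carol", "mallory"):
        print(f"{login:18} base={can_log_in(login, BASE_FILTER)!s:5} "
              f"restricted={can_log_in(login, RESTRICTED_FILTER)}")
```

Running it prints one line per sample login; `bob` and `carol` pass the base filter and fail the restricted one, which is exactly the difference between "any AD user can log in" and "only flagged users can log in" that the mail describes. Because the attribute check is a plain conjunction in the lookup filter, the restriction happens before any bind, which is why it is enforced at login rather than at role assignment.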

Re: [Geoserver-users] GeoServer AD Integration

2020-03-25 Thread Jim Hughes

Hi Vera,

I haven't tried to do exactly what you are attempting, so I can't offer 
direct help.


That said, just as sanity check, have you read through the security part 
of the GeoServer docs 
(https://docs.geoserver.org/latest/en/user/security/index.html)? It is 
fairly thorough.


You could skip straight to the Auth chain 
(https://docs.geoserver.org/latest/en/user/security/auth/chain.html) and 
web UI pieces 
(https://docs.geoserver.org/latest/en/user/security/auth/web.html).


As a guess, you may want to look through the data directory for 
ROLE_AUTHENTICATED to get a sense of what an authenticated user ought 
to be able to do.


Cheers,

Jim

On 3/25/2020 3:24 PM, Vera Green wrote:

Hello,
If you have any related experience/advice we would appreciate it.
thanks much,
Vera

On Sat, Mar 21, 2020 at 8:01 PM Vera Green wrote:


Hello,
We have integrated our GeoServer with active directory (AD) as per
this documentation

.
We are attempting to RESTRICT GeoServer access through the use of
an active directory GROUP.

Goal:

  * KEEP default/basic users and local user functionality as is.
These users are created locally on GeoServer and authenticate
using the basic method. (Working)
  * UPDATE the AD-LDAP authentication to:
  o automatically synchronize users between GeoServer and AD
(Working)
  o restrict AD users to the AD group: portal_user group:
  + Only users in this group will be available in the
GeoServer user list (working).
  + Only users in this AD group can log in to GeoServer
(ISSUE: ALL AD Users can log in)


*_Details On Issue:_*

AD-LDAP has been configured to synchronize with AD and restrict to
the portal_user group.

HOWEVER ... by doing a different test I realized still any AD user
can log in. The configuration I put in place was apparently only
for setting roles and permissions once the user has logged in, but
not to restrict or limit who can log in.

I tested other different LDAP filters trying to restrict
/Portal_User/ group only but it was worse (I got errors when
trying to log in).


Thanks in advance for any suggestions.

Please reply all.

Vera





Re: [Geoserver-users] GeoServer AD Integration

2020-03-25 Thread Vera Green
Hello,
If you have any related experience/advice we would appreciate it.
thanks much,
Vera

On Sat, Mar 21, 2020 at 8:01 PM Vera Green wrote:

> Hello,
> We have integrated our GeoServer with active directory (AD) as per this
> documentation
> 
> .
> We are attempting to RESTRICT GeoServer access through the use of an
> active directory GROUP.
>
> Goal:
>
>- KEEP default/basic users and local user functionality as is. These
>users are created locally on GeoServer and authenticate using the basic
>method.  (Working)
>- UPDATE the AD-LDAP authentication to:
>   - automatically synchronize users between GeoServer and AD (Working)
>   - restrict AD users to the AD group: portal_user group:
>  - Only users in this group will be available in the GeoServer
>  user list (working).
>  - Only users in this AD group can log in to GeoServer (ISSUE:
>  ALL AD Users can log in)
>
>
> *Details On Issue:*
>
> AD-LDAP has been configured to synchronize with AD and restrict to the
> portal_user group.
>
> HOWEVER ... by doing a different test I realized still any AD user can
> log in. The configuration I put in place was apparently only for setting
> roles and permissions once the user has logged in, but not to restrict or
> limit who can log in.
>
> I tested other different LDAP filters trying to restrict *Portal_User* group
> only but it was worse (I got errors when trying to log in).
>
>
> Thanks in advance for any suggestions.
>
> Please reply all.
>
> Vera
>