Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-02 Thread Humphries, Graham
It is still passed as plain text, but it would not be visible to anyone outside 
your network.

-Original Message-
From: Stefan Overkamp [mailto:overk...@posteo.de]
Sent: Tuesday, 2 June 2020 4:15 PM
To: Humphries, Graham ; 
rdmaili...@duif.net
Cc: GeoServer Mailing List List 
Subject: Re: [Geoserver-users] ldap security issues in 2.16/17

Not when GeoServer and the LDAP service are in the same private network. Or?

Stefan


On 01.06.2020 at 23:40, Humphries, Graham wrote:
> As I understand it not using TLS in your LDAP configuration means your 
> authentication details are being passed as plain text. This is a serious 
> security problem.
>
> -Original Message-
> From: Stefan Overkamp [mailto:overk...@posteo.de]
> Sent: Tuesday, 2 June 2020 1:34 AM
> To: rdmaili...@duif.net
> Cc: GeoServer Mailing List List
> 
> Subject: Re: [Geoserver-users] ldap security issues in 2.16/17
>
> Hi Richard,
>
> we are using LDAP.
> LDAP was already running fine 2 years ago with GeoServer 2.13 when I joined 
> my new employer.
> Our role service configuration (German UI) is approximately as follows:
>
> Administrator Role: ROLE_ADMIN
> Group administrator role: ROLE_GRUPPEN_ADMIN
> Server-URL: ldap://.de:389/dc=huhu,dc=de
> No TLS
> search base for groups: ou=ogc_dienste
> Search filter for group membership of users:
> member=cn={0},ou=user,dc=huhu,dc=de
> Search filter for all groups: cn=*
> Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
> authentication credentials
> and 'Enable Hierarchical groups search' not enabled
>
> Stefan
>
>
> Am 01.06.2020 um 13:23 schrieb Richard Duivenvoorde:
>> Hi Stefan,
>>
>> Thanks for the check! I was eager to see if it fitted, but we already
>> did not configure TLS ... I tested both, but without success. Are you
>> authenticating against an Active Directory, or LDAP?
>>
>> Pretty frustrating this. There is so much to configure with magic
>> terms like (member={0}) etc etc, and 'Group Search base' on different
>> config pages.
>>
>> There has to be some difference. I even swapped the spring-ldap jars
>> in the versions (without success).
>> Tried the 'group search' thingie etc etc
>>
>> There is (to me) no way to see what is sent/received (LDAP-wise)
>> because only the abstract filter and outcome are logged (and THOSE
>> are exactly the same, except that 2.13 is returning a set and >2.15 is not)?
>>
>> Regards,
>> Richard Duivenvoorde
>>
>> On 6/1/20 8:39 AM, Stefan Overkamp wrote:
>>> Hi list,
>>>
>>> we are running geoserver 2.17.0 in a docker container with
>>> tomcat:9.0.31-jdk11-openjdk and have no problems.
>>>
>>> I took a look into our ticket system and found an issue 2 months ago
>>> with LDAP. I had to change
>>> geoserver/security/role/[ourroleservicename]/config.xml
>>> from
>>>
>>> |true |
>>>
>>> to
>>>
>>> |false |
>>>
>>> Maybe there is the same server configuration change on Richard's LDAP side.
>>>
>>> Stefan
>
> --
> Dipl. Ing. Stefan Overkamp
> Laakmannsbusch 44, 42555 Velbert
> tel.: 0177 / 79 76 159
> overk...@posteo.de
>
>
>
> ___
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to this 
> list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
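An added illustration of the point Graham makes above (example code, not from the thread and not GeoServer's code): the Python below BER-encodes an LDAPv3 simple bind exactly as RFC 4511 defines it, which is what a GeoServer LDAP role service sends with its configured bind credentials over a plain ldap:// connection such as the one Stefan shows with "No TLS". A small detector then walks such a byte stream and reports every simple bind whose password is readable. The bind DN, password and message ids are constructed sample values. With ldaps:// or StartTLS the same message is wrapped in the TLS record layer and the detector, like anyone else on the network path, sees only ciphertext; "same private network" only narrows who is on that path, it does not change what is on it.

```python
"""Added example (not from the thread or GeoServer): what an LDAP simple bind
looks like on the wire without TLS, plus a detector for such binds.
All DNs, passwords and message ids below are constructed samples."""


def ber_length(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """BER INTEGER (two's complement, minimal length)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } } per RFC 4511.
    Over ldap:// without StartTLS these are the exact bytes in the TCP segment."""
    op = tlv(
        0x60,  # [APPLICATION 0] BindRequest, constructed
        ber_int(3)
        + tlv(0x04, bind_dn.encode())    # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),  # [0] simple: the password, verbatim
    )
    return tlv(0x30, ber_int(msg_id) + op)


def unbind_request(msg_id: int) -> bytes:
    """LDAPMessage carrying an UnbindRequest ([APPLICATION 2] NULL); something for the detector to skip."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x42, b""))


def parse_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def find_cleartext_binds(stream: bytes):
    """Walk the LDAPMessages in a plaintext TCP payload and return
    (message id, bind DN, password length) for every simple bind found.
    The password itself is deliberately not returned, only its length."""
    findings = []
    pos = 0
    while pos < len(stream):
        tag, body, pos = parse_tlv(stream, pos)
        if tag != 0x30:  # not an LDAPMessage SEQUENCE: stop
            break
        _, mid, p = parse_tlv(body, 0)
        op_tag, op_body, _ = parse_tlv(body, p)
        if op_tag != 0x60:  # only BindRequest is of interest
            continue
        _, _version, q = parse_tlv(op_body, 0)
        _, dn, q = parse_tlv(op_body, q)
        auth_tag, credentials, _ = parse_tlv(op_body, q)
        if auth_tag == 0x80:  # simple authentication = cleartext password
            findings.append((int.from_bytes(mid, "big", signed=True), dn.decode(), len(credentials)))
    return findings


def password_is_readable(stream: bytes, password: str) -> bool:
    """True if the password bytes appear verbatim in the captured payload."""
    return password.encode() in stream


# Constructed sample: the bind a role service would send with its bind
# credentials, followed by an unbind.
SAMPLE_DN = "cn=geoserver-bind,ou=user,dc=example,dc=test"
SAMPLE_PASSWORD = "s3cr3t-example"
SAMPLE_STREAM = bind_request(1, SAMPLE_DN, SAMPLE_PASSWORD) + unbind_request(2)

if __name__ == "__main__":
    print(SAMPLE_STREAM.hex(" "))
    print("password visible:", password_is_readable(SAMPLE_STREAM, SAMPLE_PASSWORD))
    for mid, dn, plen in find_cleartext_binds(SAMPLE_STREAM):
        print(f"cleartext simple bind: id={mid} dn={dn!r} password_length={plen}")
```

The detector only reports the DN and the length of the secret, which is what a network sensor should log; the point of running it against a capture is to find plaintext binds, not to collect the passwords they carry.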

Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-02 Thread Richard Duivenvoorde
On 6/2/20 8:15 AM, Stefan Overkamp wrote:
> Not when GeoServer and the LDAP service are in the same private
> network. Or?

Yes, this is a private Windows Office environment
(and not LDAP, but an Active Directory server).
Not sure what the standard is in the AD world.

I'm just a user of a running setup, but if you tell me that the rest of
the world is using AD over SSL I will pass it on.

Regards,
Richard Duivenvoorde




Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-02 Thread Stefan Overkamp
Not when GeoServer and the LDAP service are in the same private
network. Or?

Stefan


On 01.06.2020 at 23:40, Humphries, Graham wrote:
> As I understand it not using TLS in your LDAP configuration means your 
> authentication details are being passed as plain text. This is a serious 
> security problem.
>
> -Original Message-
> From: Stefan Overkamp [mailto:overk...@posteo.de]
> Sent: Tuesday, 2 June 2020 1:34 AM
> To: rdmaili...@duif.net
> Cc: GeoServer Mailing List List 
> Subject: Re: [Geoserver-users] ldap security issues in 2.16/17
>
> Hi Richard,
>
> we are using LDAP.
> LDAP was already running fine 2 years ago with GeoServer 2.13 when I joined 
> my new employer.
> Our role service configuration (German UI) is approximately as follows:
>
> Administrator Role: ROLE_ADMIN
> Group administrator role: ROLE_GRUPPEN_ADMIN
> Server-URL: ldap://.de:389/dc=huhu,dc=de
> No TLS
> search base for groups: ou=ogc_dienste
> Search filter for group membership of users:
> member=cn={0},ou=user,dc=huhu,dc=de
> Search filter for all groups: cn=*
> Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
> authentication credentials
> and 'Enable Hierarchical groups search' not enabled
>
> Stefan
>
>
> Am 01.06.2020 um 13:23 schrieb Richard Duivenvoorde:
>> Hi Stefan,
>>
>> Thanks for the check! I was eager to see if it fitted, but we already
>> did not configure TLS ... I tested both, but without success. Are you
>> authenticating against an Active Directory, or LDAP?
>>
>> Pretty frustrating this. There is so much to configure with magic
>> terms like (member={0}) etc etc, and 'Group Search base' on different
>> config pages.
>>
>> There has to be some difference. I even swapped the spring-ldap jars
>> in the versions (without success).
>> Tried the 'group search' thingie etc etc
>>
>> There is (to me) no way to see what is sent/received (LDAP-wise)
>> because only the abstract filter and outcome are logged (and THOSE are
>> exactly the same, except that 2.13 is returning a set and >2.15 is not)?
>>
>> Regards,
>> Richard Duivenvoorde
>>
>> On 6/1/20 8:39 AM, Stefan Overkamp wrote:
>>> Hi list,
>>>
>>> we are running geoserver 2.17.0 in a docker container with
>>> tomcat:9.0.31-jdk11-openjdk and have no problems.
>>>
>>> I took a look into our ticket system and found an issue 2 months ago
>>> with LDAP. I had to change
>>> geoserver/security/role/[ourroleservicename]/config.xml
>>> from
>>>
>>> |true |
>>>
>>> to
>>>
>>> |false |
>>>
>>> Maybe there is the same server configuration change on Richard's LDAP side.
>>>
>>> Stefan
>
> --
> Dipl. Ing. Stefan Overkamp
> Laakmannsbusch 44, 42555 Velbert
> tel.: 0177 / 79 76 159
> overk...@posteo.de
>
>
>

Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-01 Thread Humphries, Graham
As I understand it not using TLS in your LDAP configuration means your 
authentication details are being passed as plain text. This is a serious 
security problem.

-Original Message-
From: Stefan Overkamp [mailto:overk...@posteo.de]
Sent: Tuesday, 2 June 2020 1:34 AM
To: rdmaili...@duif.net
Cc: GeoServer Mailing List List 
Subject: Re: [Geoserver-users] ldap security issues in 2.16/17

Hi Richard,

we are using LDAP.
LDAP was already running fine 2 years ago with GeoServer 2.13 when I joined my 
new employer.
Our role service configuration (German UI) is approximately as follows:

Administrator Role: ROLE_ADMIN
Group administrator role: ROLE_GRUPPEN_ADMIN
Server-URL: ldap://.de:389/dc=huhu,dc=de
No TLS
search base for groups: ou=ogc_dienste
Search filter for group membership of users:
member=cn={0},ou=user,dc=huhu,dc=de
Search filter for all groups: cn=*
Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
authentication credentials
and 'Enable Hierarchical groups search' not enabled

Stefan


On 01.06.2020 at 13:23, Richard Duivenvoorde wrote:
> Hi Stefan,
>
> Thanks for the check! I was eager to see if it fitted, but we already
> did not configure TLS ... I tested both, but without success. Are you
> authenticating against an Active Directory, or LDAP?
>
> Pretty frustrating this. There is so much to configure with magic
> terms like (member={0}) etc etc, and 'Group Search base' on different
> config pages.
>
> There has to be some difference. I even swapped the spring-ldap jars
> in the versions (without success).
> Tried the 'group search' thingie etc etc
>
> There is (to me) no way to see what is sent/received (LDAP-wise)
> because only the abstract filter and outcome are logged (and THOSE are
> exactly the same, except that 2.13 is returning a set and >2.15 is not)?
>
> Regards,
> Richard Duivenvoorde
>
> On 6/1/20 8:39 AM, Stefan Overkamp wrote:
>> Hi list,
>>
>> we are running geoserver 2.17.0 in a docker container with
>> tomcat:9.0.31-jdk11-openjdk and have no problems.
>>
>> I took a look into our ticket system and found an issue 2 months ago
>> with LDAP. I had to change
>> geoserver/security/role/[ourroleservicename]/config.xml
>> from
>>
>> |true |
>>
>> to
>>
>> |false |
>>
>> Maybe there is the same server configuration change on Richard's LDAP side.
>>
>> Stefan


--
Dipl. Ing. Stefan Overkamp
Laakmannsbusch 44, 42555 Velbert
tel.: 0177 / 79 76 159
overk...@posteo.de




Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-01 Thread Stefan Overkamp
Hi Richard,

we are using LDAP.
LDAP was already running fine 2 years ago with GeoServer 2.13 when I
joined my new employer.
Our role service configuration (German UI) is approximately as follows:

Administrator Role: ROLE_ADMIN
Group administrator role: ROLE_GRUPPEN_ADMIN
Server-URL: ldap://.de:389/dc=huhu,dc=de
No TLS
search base for groups: ou=ogc_dienste
Search filter for group membership of users:
member=cn={0},ou=user,dc=huhu,dc=de
Search filter for all groups: cn=*
Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
authentication credentials
and 'Enable Hierarchical groups search' not enabled

Stefan


On 01.06.2020 at 13:23, Richard Duivenvoorde wrote:
> Hi Stefan,
>
> Thanks for the check! I was eager to see if it fitted, but we already
> did not configure TLS ... I tested both, but without success.
> Are you authenticating against an Active Directory, or LDAP?
>
> Pretty frustrating this. There is so much to configure with magic terms
> like (member={0}) etc etc, and 'Group Search base' on different config
> pages.
>
> There has to be some difference. I even swapped the spring-ldap jars in
> the versions (without success).
> Tried the 'group search' thingie etc etc
>
> There is (to me) no way to see what is sent/received (LDAP-wise)
> because only the abstract filter and outcome are logged (and THOSE are
> exactly the same, except that 2.13 is returning a set and >2.15 is not)?
>
> Regards,
> Richard Duivenvoorde
>
> On 6/1/20 8:39 AM, Stefan Overkamp wrote:
>> Hi list,
>>
>> we are running geoserver 2.17.0 in a docker container with
>> tomcat:9.0.31-jdk11-openjdk
>> and have no problems.
>>
>> I took a look into our ticket system and found an issue 2 months ago with
>> LDAP.
>> I had to change geoserver/security/role/[ourroleservicename]/config.xml
>> from
>>
>> |true |
>>
>> to
>>
>> |false |
>>
>> Maybe there is the same server configuration change on Richard's LDAP side.
>>
>> Stefan


-- 
Dipl. Ing. Stefan Overkamp
Laakmannsbusch 44, 42555 Velbert 
tel.: 0177 / 79 76 159
overk...@posteo.de





Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-01 Thread Richard Duivenvoorde
Hi Stefan,

Thanks for the check! I was eager to see if it fitted, but we already
did not configure TLS ... I tested both, but without success.
Are you authenticating against an Active Directory, or LDAP?

Pretty frustrating this. There is so much to configure with magic terms
like (member={0}) etc etc, and 'Group Search base' on different config
pages.

There has to be some difference. I even swapped the spring-ldap jars in
the versions (without success).
Tried the 'group search' thingie etc etc

There is (to me) no way to see what is sent/received (LDAP-wise)
because only the abstract filter and outcome are logged (and THOSE are
exactly the same, except that 2.13 is returning a set and >2.15 is not)?

Regards,
Richard Duivenvoorde

On 6/1/20 8:39 AM, Stefan Overkamp wrote:
> Hi list,
> 
> we are running geoserver 2.17.0 in a docker container with
> tomcat:9.0.31-jdk11-openjdk
> and have no problems.
> 
> I took a look into our ticket system and found an issue 2 months ago with
> LDAP.
> I had to change geoserver/security/role/[ourroleservicename]/config.xml
> from
> 
> |true |
> 
> to
> 
> |false |
> 
> Maybe there is the same server configuration change on Richard's LDAP side.
> 
> Stefan




Re: [Geoserver-users] ldap security issues in 2.16/17

2020-06-01 Thread Stefan Overkamp
Hi list,

we are running geoserver 2.17.0 in a docker container with
tomcat:9.0.31-jdk11-openjdk
and have no problems.

I took a look into our ticket system and found an issue 2 months ago with
LDAP.
I had to change geoserver/security/role/[ourroleservicename]/config.xml
from

|true |

to

|false |

Maybe there is the same server configuration change on Richard's LDAP side.

Stefan


On 31.05.2020 at 16:43, Richard Duivenvoorde wrote:
> On 5/29/20 7:01 PM, Andrea Aime wrote:
>> On Fri, May 29, 2020 at 2:56 PM Richard Duivenvoorde
>> <rdmaili...@duif.net> wrote:
>>
>> Anybody a clue? Only thing that changes is java (and I cannot test that
>> because 2.13 does not work with java11, and 2.16 not with java8 (mmm
>> THAT I did test).
>>
>>
>> Mind, in my company we run 2.16.x and 2.17.x with Java 8 exclusively,
>> without issues.
>> We either use the official distribution repositories, if they provide a
>> recent Java 8 build,
>> or just get it from AdoptOpenJDK otherwise.
> Ok, further testing 2.16 and 2.17 with jdk8(!): NOT working either
> (using the datadir from the working 2.13).
>
> So I downloaded 2.15: not working
> then downloaded 2.14: working (!) (both with 2.13 datadir)
>
> So... it seems not jdk related?
>
> Then I remembered this tutorial, where a testing LDAP jar was mentioned:
> https://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>
> Note that the download url is not working anymore:
>
> http://files.opengeo.org/geoserver/acme-ldap.jar <== not working
>
> But I had an acme-ldap.jar somewhere on an old working station.
>
> THAT was working fine .. for 2.13 till 2.17 so... :-(
> (using the exact setup from tutorial and again sf:roads as layer).
>
> It is apparently something ActiveDirectory related?
> OR a local problem ...
>
> Anybody else authenticating against AD in a recent GeoServer?
> Or is anybody else able to test against a local AD?
> My test result is 2.13 and 2.14 working fine
> 2.15 and up not working.
>
> Next step would be to setup an AD in a VM now [1,2]... but I'm not a
> windows AD admin so not eager to try this out :-(
>
> Regards,
>
> Richard Duivenvoorde
>
> [1]
> https://www.freeipa.org/page/Setting_up_Active_Directory_domain_for_testing_purposes
> [2] https://www.microsoft.com/en-us/windows-server/trial
>
>
>
>
>
>
>


-- 
Dipl. Ing. Stefan Overkamp
Laakmannsbusch 44, 42555 Velbert 
tel.: 0177 / 79 76 159
overk...@posteo.de



Re: [Geoserver-users] ldap security issues in 2.16/17

2020-05-31 Thread Richard Duivenvoorde
On 5/29/20 7:01 PM, Andrea Aime wrote:
> On Fri, May 29, 2020 at 2:56 PM Richard Duivenvoorde
> <rdmaili...@duif.net> wrote:
> 
> Anybody a clue? Only thing that changes is java (and I cannot test that
> because 2.13 does not work with java11, and 2.16 not with java8 (mmm
> THAT I did test).
> 
> 
> Mind, in my company we run 2.16.x and 2.17.x with Java 8 exclusively,
> without issues.
> We either use the official distribution repositories, if they provide a
> recent Java 8 build,
> or just get it from AdoptOpenJDK otherwise.

Ok, further testing 2.16 and 2.17 with jdk8(!): NOT working either
(using the datadir from the working 2.13).

So I downloaded 2.15: not working
then downloaded 2.14: working (!) (both with 2.13 datadir)

So... it seems not jdk related?

Then I remembered this tutorial, where a testing LDAP jar was mentioned:
https://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

Note that the download url is not working anymore:

http://files.opengeo.org/geoserver/acme-ldap.jar <== not working

But I had an acme-ldap.jar somewhere on an old working station.

THAT was working fine .. for 2.13 till 2.17 so... :-(
(using the exact setup from tutorial and again sf:roads as layer).

It is apparently something ActiveDirectory related?
OR a local problem ...

Anybody else authenticating against AD in a recent GeoServer?
Or is anybody else able to test against a local AD?
My test result is 2.13 and 2.14 working fine
2.15 and up not working.

Next step would be to setup an AD in a VM now [1,2]... but I'm not a
windows AD admin so not eager to try this out :-(

Regards,

Richard Duivenvoorde

[1]
https://www.freeipa.org/page/Setting_up_Active_Directory_domain_for_testing_purposes
[2] https://www.microsoft.com/en-us/windows-server/trial









Re: [Geoserver-users] ldap security issues in 2.16/17

2020-05-29 Thread Andrea Aime
On Fri, May 29, 2020 at 2:56 PM Richard Duivenvoorde 
wrote:

> Anybody a clue? Only thing that changes is java (and I cannot test that
> because 2.13 does not work with java11, and 2.16 not with java8 (mmm
> THAT I did test).
>

Mind, in my company we run 2.16.x and 2.17.x with Java 8 exclusively,
without issues.
We either use the official distribution repositories, if they provide a
recent Java 8 build,
or just get it from AdoptOpenJDK otherwise.

Cheers
Andrea

== GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf
Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa
(LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549
http://www.geo-solutions.it http://twitter.com/geosolutions_it


Re: [Geoserver-users] ldap security issues in 2.16/17

2020-05-29 Thread Ian Turton
I'd suggest running 2.16 or 2.17 with Java 8 - to rule out a java change.
If it continues to be an issue then we'll need to look to see if there were
any changes in the LDAP authentication code.

Ian

On Fri, 29 May 2020 at 13:51, Richard Duivenvoorde 
wrote:

> Hi List,
>
> We have/had a working setup to secure layers based on LDAP/AD groups.
> All works fine in 2.13.1 java8 (Windows machines, all java from
> adoptopenjdk)
>
> Then we got a new server (Windows0) and installed 2.16 (also tried 2.17)
> and jdk11 and with identical setup I NEVER receive my 'groups'...
>
> I'm aware of caches etc etc, so have restarted both
> tomcat/browser/etcetc 1000 times. I keep seeing:
>
> DEBUG [org.geoserver.security.ldap.BindingLdapAuthoritiesPopulator] -
> Roles from search: []
>
> This logline looks 100% the same between the two versions:
>
> [org.geoserver.security.ldap.BindingLdapAuthoritiesPopulator] -
> Searching for roles for user 'n3704', DN = 'CN=Duivenvoorde\,
> Richard,OU=Users,OU=Xendesktop,OU=,dc=nieuwegein,dc=nl', with filter
> (member={0}) in search base 'OU=Security Groups,OU=Groups,OU='
>
> Except that 2.13 returns my groups :-(
>
> I even installed a fresh 2.13.1 with java8 on that machine, got a fresh
> data_dir from the war, and put successfully LDAP security on sf.roads
> layer...
>
> But then going back to 2.16 (even reusing the successful data-dir) fails
> again.
>
> This is very hard to debug (I cannot see what is logged at the Active
> Directory end, as that is corporate stuff there).
>
> Anybody a clue? Only thing that changes is java (and I cannot test that
> because 2.13 does not work with java11, and 2.16 not with java8 (mmm
> THAT I did test).
>
> Does anybody have a recent successful LDAP setup?
>
> Or hints on how to debug this (all Windows there, and not able to setup
> a full debug setup there).
>
> Any help appreciated
>
> Regards,
>
> Richard Duivenvoorde
>
>


-- 
Ian Turton
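Richard's post above shows the one thing GeoServer does log for the role lookup: the template filter `(member={0})`, the user's DN (which for AD contains an escaped comma, `CN=Duivenvoorde\, Richard,...`) and the search base, but not the substituted filter that actually went to the directory. The Python below is an added example, not GeoServer's or Spring LDAP's code and not a claim about what caused the 2.15+ difference: it renders that template with the DN escaped per RFC 4515 (backslash, `*`, `(`, `)` and NUL become `\5c`, `\2a`, `\28`, `\29`, `\00`), shows why an unescaped substitution is not even a valid filter, evaluates the result against a small in-memory directory, and builds the `ldapsearch` argument vector to replay the exact search by hand against the real server. The directory, DNs and group names are constructed samples modelled on the AD layout in the thread; `ldapsearch -H/-b/-s` are the standard OpenLDAP client flags; the toy evaluator handles ASCII values and exact-match equality only.

```python
"""Added example (not GeoServer code): render GeoServer's '(member={0})' group
filter with the user DN escaped per RFC 4515, evaluate it against a constructed
directory, and produce an ldapsearch command line to replay it.
ASCII-only toy; DNs, groups and server names are constructed samples."""

_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render_filter(template: str, *args: str) -> str:
    """Substitute {0}, {1}, ... with escaped values (same shape as the logged template)."""
    out = template
    for i, arg in enumerate(args):
        out = out.replace("{%d}" % i, escape_filter_value(arg))
    return out


def naive_filter(template: str, *args: str) -> str:
    """Substitution without escaping, kept only to show the difference."""
    out = template
    for i, arg in enumerate(args):
        out = out.replace("{%d}" % i, arg)
    return out


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value; a backslash must be followed by two hex digits."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= _HEX:
                raise ValueError(f"invalid escape at offset {i}: {value[i:i + 3]!r}")
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_equality(filter_str: str):
    """Split a single '(attr=value)' equality filter into (attr, decoded value)."""
    if not (filter_str.startswith("(") and filter_str.endswith(")") and "=" in filter_str):
        raise ValueError("only a single '(attr=value)' filter is supported here")
    attr, _, raw = filter_str[1:-1].partition("=")
    return attr.lower(), unescape_filter_value(raw)


def filter_is_parseable(filter_str: str) -> bool:
    """True if the filter decodes cleanly; a strict server rejects the others."""
    try:
        _parse_equality(filter_str)
        return True
    except ValueError:
        return False


def matching_entries(entries: dict, filter_str: str) -> list:
    """DNs of entries whose attribute holds the decoded value (exact match in
    this toy; a real directory's DN matching rule also normalises case/spacing)."""
    attr, wanted = _parse_equality(filter_str)
    return sorted(dn for dn, attrs in entries.items() if wanted in attrs.get(attr, []))


def ldapsearch_argv(url: str, base: str, filter_str: str) -> list:
    """Argument vector to replay the same search outside GeoServer (not executed here)."""
    return ["ldapsearch", "-H", url, "-b", base, "-s", "sub", filter_str, "cn"]


# Constructed sample directory: the user DN carries an escaped comma, like the
# AD DN quoted in the thread.
USER_DN = "CN=Doe\\, Jane,OU=Users,DC=example,DC=test"
GROUPS = {
    "CN=gis-editors,OU=Security Groups,OU=Groups,DC=example,DC=test": {
        "member": [USER_DN, "CN=Roe\\, Richard,OU=Users,DC=example,DC=test"]},
    "CN=gis-readers,OU=Security Groups,OU=Groups,DC=example,DC=test": {
        "member": ["CN=Roe\\, Richard,OU=Users,DC=example,DC=test"]},
}
TEMPLATE = "(member={0})"
GROUP_BASE = "OU=Security Groups,OU=Groups,DC=example,DC=test"

if __name__ == "__main__":
    good = render_filter(TEMPLATE, USER_DN)
    bad = naive_filter(TEMPLATE, USER_DN)
    print("escaped:  ", good, "->", matching_entries(GROUPS, good))
    print("unescaped:", bad, "-> parseable:", filter_is_parseable(bad))
    print(" ".join(ldapsearch_argv("ldaps://dc.example.test", GROUP_BASE, good)))
```

Replaying the rendered filter with `ldapsearch` against the directory, using the same bind account GeoServer uses, separates "the directory returns no groups for this filter" from "GeoServer drops what the directory returned", which is the split Richard says the GeoServer log alone cannot make.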


Re: [Geoserver-users] ldap security

2015-02-13 Thread Niels Charlier

Hi Mauro,

Thank you for that explanation, that was very helpful!

Kind Regards
Niels

On 12-02-15 19:20, Mauro Bartolomeoli wrote:

Hi Niels,

2015-02-12 19:11 GMT+01:00 Niels Charlier <ni...@scitus.be>:


Hi,

Trying to wrap my head around the LDAP security configuration and
I'm looking for someone who knows about this.
I've read:
http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

But I noticed that the following settings can be configured both
in the authentication provider and the role service:
1) group base and filter
2) names of the ADMIN and GROUPADMIN roles;

What is the difference between those different but similar looking
settings?

They have the same meaning, but since the services are of different 
type, they are available in both services.


What additional behaviour does the role service provide? 



The role service allows you to get the roles list from LDAP so that 
you can bind permissions (service or layer) to a role coming from LDAP.


I thought the role service was to map the roles to ldap groups,
but the tutorial says that the settings in the auth.prov. do that
as well.


Yes, in case of LDAP you can do roles mapping directly from the 
authentication provider, so the role service is not needed for that if 
you use the auth provider configuration.


And what do you get from specifying admin and groupadmin in the
role service on top of doing it in the auth.prov?


I think that in case you configured role mapping from the auth 
provider, that one wins, so it is probably not mandatory to have it 
also in the role service.
Take into account that, in general, the authentication provider and 
the role service are independent. In theory you can use an LDAP 
roleservice also with a not LDAP auth provider (I don't have a real 
use case at the moment, but in theory this is possible).


At the end if you use both in a standard way, the LDAP role service is 
needed to list (and use) the roles from LDAP in the authorization section.


Regards,
Mauro
--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
==

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

---


> The information in this message and/or attachments, is intended solely
> for the attention and use of the named addressee(s) and may be
> confidential or proprietary in nature or covered by the provisions of
> privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
> Data Protection Code). Any use not in accord with its purpose, any
> disclosure, reproduction, copying, distribution, or either
> dissemination, either whole or partial, is strictly forbidden except
> previous formal approval of the named addressee(s). If you are not the
> intended recipient, please contact immediately the sender by
> telephone, fax or e-mail and delete the information in this message
> that has been received in error. The sender does not give any warranty
> or accept liability as the content, accuracy or completeness of sent
> messages and accepts no responsibility for changes made after they
> were sent or for other risks which arise as a result of e-mail
> transmission, viruses, etc.






Re: [Geoserver-users] ldap security

2015-02-12 Thread Mauro Bartolomeoli
Hi Niels,

2015-02-12 19:11 GMT+01:00 Niels Charlier ni...@scitus.be:

> Hi,
>
> Trying to wrap my head around the LDAP security configuration and I'm
> looking for someone who knows about this.
> I've read:
> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>
> But I noticed that the following settings can be configured both in the
> authentication provider and the role service:
> 1) group base and filter
> 2) names of the ADMIN and GROUPADMIN roles;
>
> What is the difference between those different but similar looking
> settings?

They have the same meaning, but since the services are of different type,
they are available in both services.

> What additional behaviour does the role service provide?

The role service allows you to get the roles list from LDAP so that you can
bind permissions (service or layer) to a role coming from LDAP.

> I thought the role service was to map the roles to ldap groups, but the
> tutorial says that the settings in the auth.prov. do that as well.

Yes, in case of LDAP you can do roles mapping directly from the
authentication provider, so the role service is not needed for that if you
use the auth provider configuration.

> And what do you get from specifying admin and groupadmin in the role
> service on top of doing it in the auth.prov?

I think that in case you configured role mapping from the auth provider,
that one wins, so it is probably not mandatory to have it also in the role
service.
Take into account that, in general, the authentication provider and the
role service are independent. In theory you can use an LDAP role service
also with a non-LDAP auth provider (I don't have a real use case at the
moment, but in theory this is possible).

At the end if you use both in a standard way, the LDAP role service is
needed to list (and use) the roles from LDAP in the authorization section.

Regards,
Mauro
-- 
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
==

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

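Mauro's explanation above (a group search base plus a membership filter with a `{0}` placeholder gives the roles of one user, and an all-groups filter gives the role list the authorization section can bind permissions to) as an added, runnable model in Python. This is an illustration written for this page, not GeoServer's or Spring Security's code. The in-memory directory, the `dc=example,dc=org` names, the filter templates and the role names in `CONFIG` are constructed for the example, and the way a group becomes a role (`ROLE_` plus the upper-cased group name) is an assumption made here so that a configured administrator role such as `ROLE_ADMIN` matches a group called `admin`. The one point the model adds on top of the thread is that the login name substituted for `{0}` is escaped per RFC 4515 before it enters the filter, so a name containing `*`, `(` or `)` cannot widen the group match.

```python
"""Model of how an LDAP group search turns into GeoServer-style roles.

Added illustration, not GeoServer's or Spring Security's code.  The directory
entries, names, filter templates and role names below are constructed for
this example.
"""
import re

# Constructed in-memory directory: DN -> attribute -> list of values.
DIRECTORY = {
    "cn=alice,ou=user,dc=example,dc=org": {"objectClass": ["person"]},
    "cn=bob,ou=user,dc=example,dc=org": {"objectClass": ["person"]},
    "cn=admin,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=user,dc=example,dc=org"],
    },
    "cn=editors,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=user,dc=example,dc=org",
                   "cn=bob,ou=user,dc=example,dc=org"],
    },
    "cn=readers,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=bob,ou=user,dc=example,dc=org"],
    },
}

# Hypothetical role-service settings, mirroring the fields the thread names
# (group search base, membership filter with {0}, all-groups filter, the
# administrator and group-administrator role names).
CONFIG = {
    "group_search_base": "ou=groups,dc=example,dc=org",
    "group_search_filter": "(member=cn={0},ou=user,dc=example,dc=org)",
    "all_groups_filter": "(cn=*)",
    "admin_role": "ROLE_ADMIN",
    "group_admin_role": "ROLE_EDITORS",
}

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a filter template."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 escaping so the parsed value compares against raw data."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse_equality_filter(flt: str):
    """Accept '(attr=value)' or the parenthesis-less 'attr=value' form."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    attr, sep, value = flt.partition("=")
    if not attr or not sep:
        raise ValueError(f"unsupported filter: {flt!r}")
    return attr, _unescape(value)


def _cn(dn: str) -> str:
    """The value of the first RDN, e.g. 'admin' from 'cn=admin,ou=groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def search(base: str, flt: str) -> list[str]:
    """One-level search under `base`; returns the cn of each matching entry."""
    attr, value = _parse_equality_filter(flt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue  # entry lies outside the search base
        vals = [_cn(dn)] if attr.lower() == "cn" else attrs.get(attr, [])
        if (value == "*" and vals) or value in vals:
            hits.append(_cn(dn))
    return sorted(hits)


def all_roles(cfg=CONFIG) -> list[str]:
    """What the role service lists for the authorization UI: every group as a role."""
    groups = search(cfg["group_search_base"], cfg["all_groups_filter"])
    return ["ROLE_" + g.upper() for g in groups]  # naming is an assumption


def roles_for_user(username: str, cfg=CONFIG) -> list[str]:
    """Groups whose membership filter matches the (escaped) user name."""
    flt = cfg["group_search_filter"].replace("{0}", escape_filter_value(username))
    return ["ROLE_" + g.upper() for g in search(cfg["group_search_base"], flt)]


def is_administrator(username: str, cfg=CONFIG) -> bool:
    return cfg["admin_role"] in roles_for_user(username, cfg)


def is_group_administrator(username: str, cfg=CONFIG) -> bool:
    return cfg["group_admin_role"] in roles_for_user(username, cfg)


if __name__ == "__main__":
    print("roles available to bind:", all_roles())
    for user in ("alice", "bob", "*"):
        print(user, roles_for_user(user), is_administrator(user))
```

Run as a script it prints the bindable role list and each user's roles; the `*` case shows that an escaped wildcard matches nothing rather than every group.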