Hi,

In my configuration I additionally have:

  <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
(defaults to cn=*) and
  <user>cn=huhu,dc=geodaten,dc=de</user>
  <password>GANZGEHEIM</password>

Also, see
https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html

Groups are extracted from a specific LDAP node, configured as
the "Groups search base". A role is mapped for every matching group.
The role will have a name that is built taking the Group common name (cn
attribute), transformed to upper case and with a "ROLE_" prefix applied.

There is no ROLE_ prefix in your example:

  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>


My configuration example:

<org.geoserver.security.ldap.LDAPRoleServiceConfig>
  <id>-ceba2b8:15ecc57126b:-445f</id>
  <name>Geodaten Rollendienst</name>
  <className>org.geoserver.security.ldap.LDAPRoleService</className>
  <serverURL>ldaps://geodaten.de:636/dc=geodaten,dc=de</serverURL>
  <groupSearchBase>ou=ogc_dienste</groupSearchBase>
  <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
  <groupSearchFilter>member=cn={0},ou=user,dc=geodaten,dc=de</groupSearchFilter>
  <userFilter>member=cn={0},ou=user,dc=geodaten,dc=de</userFilter>
  <useTLS>false</useTLS>
  <useNestedParentGroups>false</useNestedParentGroups>
  <maxGroupSearchLevel>0</maxGroupSearchLevel>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <adminGroup>ROLE_ADMIN</adminGroup>
  <groupAdminGroup>ROLE_GRUPPEN_ADMIN</groupAdminGroup>
  <user>cn=huhu,dc=geodaten,dc=de</user>
  <password>GANZGEHEIM</password>
</org.geoserver.security.ldap.LDAPRoleServiceConfig>

Stefan


On 29.04.2021 at 14:16, Brandon M wrote:
> Hi GeoServer Users,
>
> We recently upgraded to a new version of GeoServer, 2.16.2 from 2.12.2
> (I know we are a little behind the curve).  We have GeoServer
> configured to use our internal LDAP for user login, and assign users
> GeoServer ADMIN privileges based on their LDAP groups, which is
> configured under Security -> Authentication -> LDAP Authentication
> Provider section of the GeoServer console.  The LDAP group lookup
> performed by GeoServer stopped working when we upgraded; the LDAP
> authentication still works as it did before the upgrade.
>
> I did some additional testing and found that this issue started in
> version 2.15.3.  I read the release notes for 2.15.3 and didn't see
> anything that would explain why the lookup and handling of LDAP roles
> would be any different between 2.15.2 and 2.15.3.  The LDAP
> Authentication setup page in GeoServer does have a new "Enable
> Hierarchical groups search" option in version 2.15.3, which we did not
> enable.
>
> I didn't notice anything in the GeoServer documentation for 2.15.3
> that would require us to change our LDAP configuration parameters.  I
> installed GeoServer version 2.18.* and it behaved the same, no LDAP
> groups were returned for any of our LDAP accounts.
>
> GeoServer DEBUG logging details related to the same LDAP user login
> appear to be the same between the 2.15.2 and 2.15.3 versions; the
> only noticeable difference is that
> "[ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []" is
> empty with any version after 2.15.2. Here are some logging details:
>
> LDAP authentication logging with 2.15.2:
>
> 2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] -
> Processing authentication request for user: tuser1
> 2021-04-27 17:05:25,780 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
> Retrieving user object using filter...
> 2021-04-27 17:05:25,862 INFO [ldap.SpringSecurityLdapTemplate] -
> Ignoring PartialResultException
> 2021-04-27 17:05:25,863 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Getting authorities for user CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
> 2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Searching for roles for user 'tuser1', DN = 'CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
> member={0} in search base 'ou=groups,ou=udev'
> 2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev,
> UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
> 2021-04-27 17:05:25,913 DEBUG
> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4cc36d05:
> Principal: 
> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
> Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
> tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Granted
> Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS,
> ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES,
> ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED];
> Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@ef30:
> RemoteIpAddress: 10.0.0.1; SessionId:
> 2C4C913D1A84AF86CE2009430A500B59; Granted Authorities:
> ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS,
> ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR,
> ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS,
> ROLE_UDEV-BDA-DEV
>
> LDAP authentication logging with 2.15.3:
>
> 2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] -
> Processing authentication request for user: tuser1
> 2021-04-28 11:53:59,208 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
> Retrieving user object using filter...
> 2021-04-28 11:53:59,249 INFO [ldap.SpringSecurityLdapTemplate] -
> Ignoring PartialResultException
> 2021-04-28 11:53:59,250 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Getting authorities for user CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
> 2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Searching for roles for user 'tuser1', DN = 'CN=Test
> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
> member={0} in search base 'ou=groups,ou=udev'
> 2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
> Roles from search: []
> 2021-04-28 11:53:59,288 DEBUG
> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
> Authentication success. Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c764efec:
> Principal: 
> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
> Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
> tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
> authorities; Credentials: [PROTECTED]; Authenticated: true; Details:
> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@3bcc:
> RemoteIpAddress: 10.0.0.1; SessionId:
> 7946087888C889D6616C47047EA8DC2E; Granted Authorities:
> ROLE_AUTHENTICATED
>
> Here is the data\security\auth\udev\config.xml that contains the
> details of our LDAP Authentication configuration for 2.16.2:
>
> <ldap>
>   <id>-178dde25:179184fe481:-7fff</id>
>   <name>udev</name>
>   <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
>   <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
>   <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
>   <groupSearchFilter>member={0}</groupSearchFilter>
>   <userFilter>(sAMAccountName={1})</userFilter>
>   <useTLS>false</useTLS>
>   <useNestedParentGroups>false</useNestedParentGroups>
>   <maxGroupSearchLevel>10</maxGroupSearchLevel>
>   <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
>   <adminGroup>UDEV-BDA-Dev</adminGroup>
>   <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
>   <userFormat>{0}@udev.com</userFormat>
> </ldap>
>
> Let me know if there is any additional information needed to help
> understand the problem.
>
> Thanks for any help!
>
> Brandon
>
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to this 
> list:
> - Earning your support instead of buying it, by Ian Turton: 
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines: 
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this: 
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users


-- 
Dipl. Ing. Stefan Overkamp
overk...@posteo.de
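As a diagnostic for the mismatch Stefan points at, here is an added example (not GeoServer code and not from either poster) that parses the "Roles from search" DEBUG line quoted in the thread, derives role names the way the documentation describes (group cn upper-cased with a ROLE_ prefix) and reports whether the configured adminGroup / groupAdminGroup values match a granted role. The sample log text is constructed from the lines in the thread; that the configured value must equal the derived ROLE_ name is an assumption used for the check, not a statement about GeoServer internals.

```python
import re

ROLE_PREFIX = "ROLE_"

# Constructed sample input modelled on the DEBUG lines quoted in the thread
# (the group list is wrapped over two lines, as it is in the mail).
LOG_2_15_2 = """2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev,
UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]"""
LOG_2_15_3 = """2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
Roles from search: []"""


def group_to_role(cn: str) -> str:
    """Role name as documented: group cn, upper-cased, with the ROLE_ prefix."""
    return ROLE_PREFIX + cn.upper()


def parse_roles_from_search(log_text: str) -> list:
    """Return the group names listed inside the 'Roles from search: [...]' line."""
    m = re.search(r"Roles from search:\s*\[([^\]]*)\]", log_text)
    if m is None:
        return []
    # [^\]]* also spans the line wrap, so a wrapped list is handled too
    return [g.strip() for g in m.group(1).split(",") if g.strip()]


def check_admin_mapping(log_text: str, admin_group: str, group_admin_group: str) -> dict:
    """Compare configured admin groups against the roles derived from the log.

    Returns {'granted': [...], 'problems': [...]}; an empty problem list means
    every configured value is present in ROLE_ form (assumed matching rule)."""
    groups = parse_roles_from_search(log_text)
    granted = [group_to_role(g) for g in groups]
    problems = []
    if not groups:
        problems.append("group search returned no groups: check groupSearchBase/groupSearchFilter")
    for setting, value in (("adminGroup", admin_group), ("groupAdminGroup", group_admin_group)):
        if value in granted:
            continue  # already written in ROLE_ form and granted
        derived = value if value.startswith(ROLE_PREFIX) else group_to_role(value)
        if derived in granted:
            problems.append(f"{setting}={value!r} is the plain cn; the granted role is {derived!r}")
        else:
            problems.append(f"{setting}={value!r} matches no granted role")
    return {"granted": granted, "problems": problems}


if __name__ == "__main__":
    for name, log in (("2.15.2", LOG_2_15_2), ("2.15.3", LOG_2_15_3)):
        print(name, check_admin_mapping(log, "UDEV-BDA-Dev", "UDEV-BDA-Dev"))
```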
