Hi Richard, I cannot speak for others, but you've lost me after a couple of sentences in the mail (little knowledge of LDAP, none of AD). It might well be that others active on this list are in the same situation.
Cheers
Andrea

On Sun, May 22, 2022 at 11:54 AM Richard Duivenvoorde <rdmaili...@duif.net> wrote:
> Hi,
>
> still fighting
> https://osgeo-org.atlassian.net/jira/core/projects/GEOS/issues/GEOS-10452
>
> I now have a public working Active Directory and can confirm on a simple
> schema that AD authorisation is still working with that simple schema
> BUT: the (non-public, production) one is still failing to work (while working
> in 2.13...)
>
> About the logic to check the (LDAP) roles for an authorized user, am I
> right in thinking that:
>
> - an (AD/LDAP) user is authenticated, and DURING the authentication the
> groups are also sourced and added to the user records (guessing here!!)
>
> - so the logic to 'extract' the groups (for a given user) is from the 'LDAP
> Authentication Provider' screen?
> NOT so much the parameters you used for the LDAP Role Service?
> There the given 'filter' etc. are only to authenticate the given
> username/password to extract all roles?
>
> Or am I wrong here?
>
> (From the blogs and documentation it is not so clear to me what all the
> Filters/Formats/Patterns in the dialogs are used for, and the fact that
> both the Authentication and the Role Provider have group params makes
> things more complex to me.)
>
> IF I am right in the above, then I think that my problem is that the
> 'member's in the 'groups' are not defined using their 'userPrincipalName'
> or 'sAMAccountName', but their CN: so I see normal names as members, 'Jim
> Doe', instead...
>
> Could this be the reason?
>
> In the docs there is talk of 'placeholders', so you can use
> member={0} to search for the 'Username' in the groups.
> But in this case these are Full Names.
>
> So my question: is it possible to use member={CN} or so?
>
> Or is the only solution to ask the AD admins to create new groups using
> the 'userPrincipalName' or 'sAMAccountName' instead?
>
> Any help or hint is appreciated,
>
> Regards,
>
> Richard Duivenvoorde
>
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Regards,
Andrea Aime

==
GeoServer Professional Services from the experts!
Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it

-------------------------------------------------------
With reference to the personal data protection legislation (EU Reg. 2016/679, the General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the recipient(s) indicated by the sender. If this message has reached you in error, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 "GDPR" - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.