Hi Hannes, I confirm that LDAP works properly in Geoserver 2.22. I have not tried with 2.24 for the moment. Maybe you can try 2.22 to see if it is really a problem in the Geoserver version or some other problem related to your settings or your environment.
César

On Wed, 28 Feb 2024 at 14:50, <hk.ihatemailingli...@enjoys.it> wrote:
>
> Hi everyone,
>
> I am struggling with LDAP as GeoServer (2.24.2) does not manage to pick up
> groups/roles from it.
>
> I did post on
> https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user
> with no solution so far.
>
> - LDAP users can log in.
> - A LDAP User/Group Service does discover the users and groups.
> - A LDAP Role Service does discover/create the roles (ROLE_GROUPNAME).
>
> -----
>
> There are several older inconclusive threads about probably the same issue,
> seemingly introduced after 2.15.2:
> - https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/a799bca3-0741-5caf-1db1-ca017b35a...@duif.net/
> - https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba...@posteo.de/
> - https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/sj0pr08mb6800c0e997d3cbd049d22b8ed7...@sj0pr08mb6800.namprd08.prod.outlook.com/
>
> https://osgeo-org.atlassian.net/browse/GEOS-10452 was closed with a commit
> that did not actually really relate to the ticket.
> The ticket is about role discovery for a user that is being authenticated.
> The commit was about the Role Service, a component that makes existing
> groups/roles visible in GeoServer. From all that I have found so far, the
> Role Service is *not* related to the role discovery during authentication.
> So I think that ticket was wrongly closed.
>
> -----
>
> I have used the very same LDAP user, query etc. in a Python script with
> success, so the filters and whatnot seem correct.
>
> I have tried using a 2.15.2 geoserver.war without success (but maybe using
> the same GeoServer data directory led to issues).
>
> I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and
> gs-web-sec-ldap-2.15.2.jar as suggested in
> https://sourceforge.net/p/geoserver/mailman/message/37633270/ without success.
>
> I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and
> gs-web-sec-ldap-2.15.2.jar PLUS (spring-ldap-core-2.0.2.RELEASE.jar and
> spring-security-ldap-4.0.4.RELEASE.jar) or
> (spring-ldap-core-2.3.2.RELEASE.jar and
> spring-security-ldap-5.1.5.RELEASE.jar) without success.
>
> I have tried using the existing 2.24.2 with
> (spring-ldap-core-2.0.2.RELEASE.jar and
> spring-security-ldap-4.0.4.RELEASE.jar) or
> (spring-ldap-core-2.3.2.RELEASE.jar and
> spring-security-ldap-5.1.5.RELEASE.jar) without success.
>
> I compiled GeoServer 2.25 using Maven and added some more logging in
> BindingLdapAuthoritiesPopulator.java#getGroupMembershipRoles to see the
> formattedFilter before and after the escaping, and also inspect the other
> variables.
> They all look fine.
>
> -----
>
> Strangely it seems to work with the acme-ldap.jar from
> https://docs.geoserver.org/main/en/user/security/tutorials/ldap/index.html
> bob gets ROLE_USER with it.
> The group/role discovery seems to work differently with that setup though.
> There are no "security.ldap" lines in the log when using it, instead all I
> see is:
>
> 28 Feb 13:24:15 DEBUG
> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set
> SecurityContextHolder to UsernamePasswordAuthenticationToken
> [Principal=LdapUserDetailsImpl [Dn=uid=bob,ou=people,dc=acme,dc=org;
> Username=bob; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true;
> CredentialsNonExpired=true; AccountNonLocked=true; Granted
> Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true,
> Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1,
> SessionId=A02D2978C7562773FF7F842FCF3B3E99], Granted
> Authorities=[ROLE_AUTHENTICATED, ROLE_USER]]
>
> One small difference might be that this uses ou=groups, not cn=groups, but I
> have no clue if that is something meaningful or just text.
>
> -----
>
> Is anyone using a standard GeoServer 2.24 with working role discovery via
> LDAP?
>
> Could this be something in Spring?
>
> Cheers, Hannes
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to this
> list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
César Martínez Izquierdo
GIS developer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SCOLAB: http://www.scolab.es
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
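The quoted post instruments the point where the group search filter is filled with the authenticated user's DN and escaped before the directory is queried. The following is an added example, not code from GeoServer, Spring or the thread: it escapes filter values per RFC 4515, fills a Spring-style group filter ("{0}" is the user DN and "{1}" the username, which is Spring Security's convention), and then derives roles from constructed sample group entries. The ROLE_ + upper-cased group cn naming mirrors the ROLE_GROUPNAME shape the post mentions but is an assumption here, as are the sample entries; the example also covers a DN with an escaped comma, which is where unescaped filters tend to go wrong.

```python
"""Escape and fill an LDAP group-membership filter, then derive roles from the
groups that match. Added example, not GeoServer or Spring code. The "{0}" (user DN)
and "{1}" (username) placeholders follow Spring Security's group search filter
convention; the directory entries below are constructed sample data."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search filter assertion value."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape every UTF-8 byte as \xx.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(raw: str) -> str:
    """Reverse escape_filter_value (what the directory does on receipt)."""
    data = bytearray()
    i = 0
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] == "\\" and len(pair) == 2 and set(pair) <= _HEX:
            data.append(int(pair, 16))
            i += 3
        else:
            data.extend(raw[i].encode("utf-8"))
            i += 1
    return data.decode("utf-8")


def build_group_filter(template: str, user_dn: str, username: str) -> str:
    """Fill the group search filter: {0} = authenticated user's DN, {1} = username.
    Both values are escaped, so a DN containing '\\,' or parentheses can neither
    break the filter syntax nor match more groups than intended."""
    return (template.replace("{0}", escape_filter_value(user_dn))
                    .replace("{1}", escape_filter_value(username)))


def parse_equality_filter(filter_str: str):
    """Parse one "(attr=value)" filter into (lower-cased attr, unescaped value)."""
    m = re.fullmatch(r"\((\w[\w;-]*)=(.*)\)", filter_str, re.DOTALL)
    if not m:
        raise ValueError("only a single equality filter is supported: " + filter_str)
    return m.group(1).lower(), unescape_filter_value(m.group(2))


def discover_roles(template, user_dn, username, group_entries, prefix="ROLE_"):
    """Return prefix + upper-cased cn for every group whose filter attribute holds
    the user (the ROLE_GROUPNAME shape described in the thread is assumed here)."""
    attr, wanted = parse_equality_filter(build_group_filter(template, user_dn, username))
    roles = []
    for entry in group_entries:
        values = next((v for k, v in entry.items() if k.lower() == attr), [])
        # Attribute values are compared case-insensitively, as DN and uid syntaxes are.
        if any(v.casefold() == wanted.casefold() for v in values):
            roles.append(prefix + entry["cn"][0].upper())
    return roles


# Constructed sample group entries (not from the thread). "carol" has a comma in
# her RDN, escaped with a backslash as LDAP DN syntax requires.
SAMPLE_GROUPS = [
    {"dn": "cn=user,ou=groups,dc=acme,dc=org", "cn": ["user"],
     "member": ["uid=bob,ou=people,dc=acme,dc=org",
                "uid=alice,ou=people,dc=acme,dc=org"]},
    {"dn": "cn=admin,ou=groups,dc=acme,dc=org", "cn": ["admin"],
     "member": ["uid=alice,ou=people,dc=acme,dc=org",
                "cn=Carol\\, Q,ou=people,dc=acme,dc=org"]},
    {"dn": "cn=editors,ou=groups,dc=acme,dc=org", "cn": ["editors"],
     "memberUid": ["bob"]},
]

if __name__ == "__main__":
    bob_dn = "uid=bob,ou=people,dc=acme,dc=org"
    print(build_group_filter("(member={0})", bob_dn, "bob"))
    print(discover_roles("(member={0})", bob_dn, "bob", SAMPLE_GROUPS))
    print(discover_roles("(memberUid={1})", bob_dn, "bob", SAMPLE_GROUPS))
    carol_dn = "cn=Carol\\, Q,ou=people,dc=acme,dc=org"
    print(build_group_filter("(member={0})", carol_dn, "carol"))
    print(discover_roles("(member={0})", carol_dn, "carol", SAMPLE_GROUPS))
```

When comparing against a logged formattedFilter, the useful check is that the escaped value, once the directory unescapes it, is byte-for-byte what is stored in the group's member (or memberUid) attribute; a filter that looks right but contains an unescaped backslash or parenthesis will silently match nothing, which presents exactly as "no roles found" rather than as an error.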