Hello everyone,

Actually, this seems to have been broken for a long time. I'm running GS version 2.22.2.

I was researching this issue several years ago and, as far as I remember, the problem was that the actual LDAP query that gathers the newly authenticated user's roles is not correctly formed/encoded etc. I no longer know the exact problem, but the query either used some escaping where it shouldn't have, or did not escape some things that it should have escaped.

Use a network analyzer (e.g. Wireshark on Windows or tcpdump on Linux) and track the LDAP queries issued by GeoServer while logging in a user. Likely you should temporarily switch to non-SSL LDAP (use ldap:// and not ldaps://) in order to make packet analysis easier.

Likely the "get this user's roles" query looks odd (in contrast to the other LDAP queries). That could be a starting point for finding the problem in GeoServer's LDAP libraries.

Cheers
Carsten

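Both messages in this thread come down to the same check: what does the "get this user's roles" filter look like on the wire, versus what it should look like once the user's DN or name is substituted into the group search template? Below is a small Python helper for making that comparison. It is an added example for this thread, not GeoServer, Spring LDAP or Hannes's script code. Assumed, not taken from the page: the Spring-style placeholder convention ({0} = authenticated user's DN, {1} = username), the `(member={0})` template, the second and third sample DNs and every "captured" filter string (constructed to show what a double-escaped and an unescaped value look like); only `uid=bob,ou=people,dc=acme,dc=org` comes from the log line quoted further down.

```python
"""
Check the LDAP group-membership filter GeoServer sends against the one it
should send. Added example for this thread; not GeoServer, Spring LDAP or
Hannes's script code. Assumptions: the Spring-style placeholder convention
({0} = authenticated user's DN, {1} = username) and all sample DNs and
"captured" filter strings below, which are constructed for illustration.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. Commas, '=' and spaces in a DN need no escaping here.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# A value that was escaped twice shows up as "\5c" followed by the hex of
# a metacharacter, e.g. "\5c2a" for "*" or "\5c5c" for "\".
_DOUBLE_ESCAPED = re.compile(r"\\5c(?:2a|28|29|5c|00)", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_group_search_filter(template: str, user_dn: str, username: str) -> str:
    """Fill a group-search template the way a correct populator should:
    every substituted value is escaped exactly once, and the template's own
    parentheses are left alone."""
    return (template
            .replace("{0}", escape_filter_value(user_dn))
            .replace("{1}", escape_filter_value(username)))


def diagnose_captured_filter(captured: str, expected: str) -> list[str]:
    """Compare a filter seen on the wire with the expected one and return
    short tags for the likely cause of any difference."""
    if captured == expected:
        return []
    findings = []
    if _DOUBLE_ESCAPED.search(captured):
        findings.append("double-escaped")      # a value was escaped twice
    if captured.count("(") != captured.count(")"):
        findings.append("unbalanced-parens")   # '(' or ')' in a value was not escaped
    if not findings and captured.lower() == expected.lower():
        findings.append("hex-case-only")       # RFC 4515 hex digits are case-insensitive: harmless
    if not findings:
        findings.append("mismatch")            # something else: compare the two by eye
    return findings


if __name__ == "__main__":
    template = "(member={0})"  # assumed template; {1} would carry the username
    # First DN is the one from the log line in the thread; the second and
    # third DNs and all "captured" strings are constructed.
    cases = [
        ("uid=bob,ou=people,dc=acme,dc=org", "bob",
         "(member=uid=bob,ou=people,dc=acme,dc=org)"),
        ("cn=Doe\\, John,ou=people,dc=acme,dc=org", "jdoe",
         "(member=cn=Doe\\5c5c, John,ou=people,dc=acme,dc=org)"),
        ("cn=a(b,ou=people,dc=acme,dc=org", "ab",
         "(member=cn=a(b,ou=people,dc=acme,dc=org)"),
    ]
    for user_dn, username, captured in cases:
        expected = build_group_search_filter(template, user_dn, username)
        print(f"expected: {expected}")
        print(f"captured: {captured}")
        print(f"findings: {diagnose_captured_filter(captured, expected) or 'identical'}\n")
```

With a plain-LDAP capture taken as suggested above, the filter strings can be pulled out of the search requests with something like `tshark -r ldap.pcap -Y 'ldap.protocolOp == 3' -T fields -e ldap.filter` (3 is searchRequest; the field names are those of Wireshark's LDAP dissector, so check them against your Wireshark version) and fed to `diagnose_captured_filter` next to the filter built from the configured template. A DN with a backslash-escaped comma, or a username containing `*`, `(` or `)`, is the fastest way to tell single escaping from double or missing escaping, because for `uid=bob,ou=people,dc=acme,dc=org` all three produce the same bytes.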
On 28.02.2024 at 14:33, hk.ihatemailingli...@enjoys.it wrote:
Hi everyone,

I am struggling with LDAP as GeoServer (2.24.2) does not manage to pick up 
groups/roles from it.

I did post on 
https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user
 with no solution so far.

- LDAP users can log in.
- An LDAP User/Group Service does discover the users and groups.
- An LDAP Role Service does discover/create the roles (ROLE_GROUPNAME).

-----

There are several older inconclusive threads about probably the same issue, 
seemingly introduced after 2.15.2:
- 
https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/a799bca3-0741-5caf-1db1-ca017b35a...@duif.net/
- 
https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba...@posteo.de/
- 
https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/sj0pr08mb6800c0e997d3cbd049d22b8ed7...@sj0pr08mb6800.namprd08.prod.outlook.com/

https://osgeo-org.atlassian.net/browse/GEOS-10452 was closed with a commit that 
does not actually relate to the ticket.
The ticket is about role discovery for a user that is being authenticated. The 
commit was about the Role Service, a component that makes existing groups/roles 
visible in GeoServer. From all I have found so far, the Role Service is 
*not* related to the role discovery during authentication.
So I think that ticket was wrongly closed.

-----

I have used the very same LDAP user, query etc in a Python script with success 
so the filters and whatnot seem correct.

I have tried using a 2.15.2 geoserver.war without success (but maybe using the 
same GeoServer data directory led to issues).

I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and 
gs-web-sec-ldap-2.15.2.jar as suggested in 
https://sourceforge.net/p/geoserver/mailman/message/37633270/ without success.

I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and 
gs-web-sec-ldap-2.15.2.jar PLUS (spring-ldap-core-2.0.2.RELEASE.jar and 
spring-security-ldap-4.0.4.RELEASE.jar) or (spring-ldap-core-2.3.2.RELEASE.jar 
and spring-security-ldap-5.1.5.RELEASE.jar) without success.

I have tried using the existing 2.24.2 with (spring-ldap-core-2.0.2.RELEASE.jar 
and spring-security-ldap-4.0.4.RELEASE.jar) or 
(spring-ldap-core-2.3.2.RELEASE.jar and spring-security-ldap-5.1.5.RELEASE.jar) 
without success.

I compiled GeoServer 2.25 using Maven and added some more logging in 
BindingLdapAuthoritiesPopulator.java#getGroupMembershipRoles to see the 
formattedFilter before and after the escaping, and also inspect the other 
variables.
They all look fine.


-----

Strangely, it seems to work with the acme-ldap.jar from 
https://docs.geoserver.org/main/en/user/security/tutorials/ldap/index.html
bob gets ROLE_USER with it.
The group/role discovery seems to work differently with that setup though. There are no 
"security.ldap" lines in the log when using it, instead all I see is:

28 Feb 13:24:15 DEBUG  [filter.GeoServerUserNamePasswordAuthenticationFilter$1] 
- Set SecurityContextHolder to UsernamePasswordAuthenticationToken 
[Principal=LdapUserDetailsImpl [Dn=uid=bob,ou=people,dc=acme,dc=org; 
Username=bob; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; 
CredentialsNonExpired=true; AccountNonLocked=true; Granted 
Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, 
Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1, 
SessionId=A02D2978C7562773FF7F842FCF3B3E99], Granted 
Authorities=[ROLE_AUTHENTICATED, ROLE_USER]]

One small difference might be that this uses ou=groups, not cn=groups, but I 
have no clue if that is something meaningful or just text.

-----

Is anyone using a standard GeoServer 2.24 with working role discovery via LDAP?

Could this be something in Spring?

Cheers, Hannes



_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

