Thanks Carsten! The escaping issue was probably https://github.com/geoserver/geoserver/pull/6189 (the Spring framework(?) changed so GeoServer had to adapt). We do not have any commas or other special characters in our values though, both {0} and {1} are simple alphanumeric+"=" lowercase strings like "foo" or "uid=alice,cn=admins,cn=users,dc=foo,dc=bar,dc=baz,dc=com" (comma-delimited, no commas in the actual "values"). And I looked at the strings before and after escaping, they were always the same for me.
I have to take back that https://osgeo-org.atlassian.net/browse/GEOS-10452 was closed with a not-really-related PR (the #6189). The PR actually is titled in a misleading way as its changes to affect not only Role Services (and User/Group services) but the lookup during authentication as well. Great idea about the logging. I won't be able to MITM the connection or switch the remote LDAP to non-ssl but maybe I can get them to check logs on the LDAP server end. Cheers, Hannes Carsten Klein schrieb am 28.02.2024 15:17 (GMT +01:00): > Hello everyone, > > actually, this seems to be broken for a long time. I'm runnig GS version > 2.22.2. > > I was researching on this issue several years ago and, as far as I > remember, the problem was that the actual LDAP query that gathers the > newly authenticated user's roles is not correctly formed/encoded etc. I > do no longer know the extact problem, but the query used some escaping > (where it shouldn't) or did not escape some things (it better should > have escaped). > > Use a network analyzer (e.g. WireShark on Windows or tcpdump on Linux) > and track the LDAP queries issued by GeoServer while logging in a user. > Likley you should temporarily switch to non-ssl LDAP (use ldap:// and > not ldaps://) in order to make packet analyzing easier. > > Likely the "get this user's roles" query looks odd (in contrast to the > other LDAP queries). That could be a starting point for finding the > problem in GeoServer's LDAP libraries. > > Cheers > Carsten > > Am 28.02.2024 um 14:33 schrieb hk.ihatemailingli...@enjoys.it: >> Hi everyone, >> >> I am struggling with LDAP as GeoServer (2.24.2) does not manage to pick up >> groups/roles from it. >> >> I did post on >> https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user >> with no solution so far. >> >> - LDAP users can log in. >> - A LDAP User/Group Service does discover the users and groups. >> - A LDAP Role Service does discover/create the roles (ROLE_GROUPNAME). >> >> ----- >> >> There are several older inconclusive threads about probably the same issue, >> seemingly introduced after 2.15.2: >> - >> https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/a799bca3-0741-5caf-1db1-ca017b35a...@duif.net/ >> - >> https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba...@posteo.de/ >> - >> https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/sj0pr08mb6800c0e997d3cbd049d22b8ed7...@sj0pr08mb6800.namprd08.prod.outlook.com/ >> >> https://osgeo-org.atlassian.net/browse/GEOS-10452 was closed with a commit >> that did not actually really related to the ticket. >> The ticket is about role discovery for a user that is being authenticated. >> The >> commit was about the Role Service, a component that makes existing >> groups/roles visible in GeoServer. From all what I have found so far, the >> Role >> Service is *not* related to the role discovery during authentication. >> So I think that ticket was wrongly closed. >> >> ----- >> >> I have used the very same LDAP user, query etc in a Python script with >> success >> so the filters and whatnot seem correct. >> >> I have tried using a 2.15.2 geoserver.war without success (but maybe using >> the >> same GeoServer data directory led to issues). >> >> I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and >> gs-web-sec-ldap-2.15.2.jar as suggested in >> https://sourceforge.net/p/geoserver/mailman/message/37633270/ without >> success. >> >> I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and >> gs-web-sec-ldap-2.15.2.jar PLUS (spring-ldap-core-2.0.2.RELEASE.jar and >> spring-security-ldap-4.0.4.RELEASE.jar) or >> (spring-ldap-core-2.3.2.RELEASE.jar >> and spring-security-ldap-5.1.5.RELEASE.jar) without success. >> >> I have tried using the existing 2.24.2 with >> (spring-ldap-core-2.0.2.RELEASE.jar and >> spring-security-ldap-4.0.4.RELEASE.jar) or >> (spring-ldap-core-2.3.2.RELEASE.jar >> and spring-security-ldap-5.1.5.RELEASE.jar) without success. >> >> I compiled GeoServer 2.25 using Maven and added some more logging in >> BindingLdapAuthoritiesPopulator.java#getGroupMembershipRoles to see the >> formattedFilter before and after the escaping, and also inspect the other >> variables. >> They all look fine. >> >> >> ----- >> >> Strangely it seems to work with the acme-ldap.jar from >> https://docs.geoserver.org/main/en/user/security/tutorials/ldap/index.html >> bob gets ROLE_USER with it. >> The group/role discovery seems to work differently with that setup though. >> There are no "security.ldap" lines in the log when using it, instead all I >> see >> is: >> >> 28 Feb 13:24:15 DEBUG >> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set >> SecurityContextHolder to UsernamePasswordAuthenticationToken >> [Principal=LdapUserDetailsImpl [Dn=uid=bob,ou=people,dc=acme,dc=org; >> Username=bob; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; >> CredentialsNonExpired=true; AccountNonLocked=true; Granted >> Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, >> Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1, >> SessionId=A02D2978C7562773FF7F842FCF3B3E99], Granted >> Authorities=[ROLE_AUTHENTICATED, ROLE_USER]] >> >> One small difference might be that this uses ou=groups, not cn=groups, but I >> have no clue if that is something meaningful or just text. >> >> ----- >> >> Is anyone using a standard GeoServer 2.24 with working role discovery via >> LDAP? >> >> Could this be something in Spring? >> >> Cheers, Hannes >> >> >> >> _______________________________________________ >> Geoserver-users mailing list >> >> Please make sure you read the following two resources before posting to this >> list: >> - Earning your support instead of buying it, but Ian Turton: >> http://www.ianturton.com/talks/foss4g.html#/ >> - The GeoServer user list posting guidelines: >> http://geoserver.org/comm/userlist-guidelines.html >> >> If you want to request a feature or an improvement, also see this: >> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer >> >> >> Geoserver-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-users > > _______________________________________________ Geoserver-users mailing list Please make sure you read the following two resources before posting to this list: - Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/ - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
