Thank you César! If it works for you, that is great news.

Thank you for sharing censored information with me in private. I spotted a small difference: in your (working) case there is "ou=users" and "ou=groups", while in my case we have "cn=users" and "cn=groups".

The acme-ldap.jar from https://docs.geoserver.org/stable/en/user/security/tutorials/ldap/index.html#ldap-server-setup also uses "ou=groups" and worked in my tests. I will try to recompile acme-ldap.jar, changing its structure to "cn=groups", to see if that still works.

Maybe Spring (or GeoServer in some hidden place) is really adamant on some specific CN structure? I looked around and the "group search base" always looks completely configurable, even if it usually uses an "ou=..." thing in examples.

- https://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/ldap.html#loading-authorities (4)
- https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.html (4)
- https://docs.spring.io/spring-security/site/docs/6.1.6-SNAPSHOT/api/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.html (6, identical to 4)

Cheers, Hannes

César Martínez Izquierdo wrote on 28.02.2024 15:03 (GMT +01:00):

> Hi Hannes,
>
> I confirm that LDAP works properly in GeoServer 2.22. I have not tried
> with 2.24 for the moment.
>
> Maybe you can try 2.22 to see if it is really a problem in the GeoServer
> version or if it is some other problem related to your settings or your
> environment.
>
> César
>
> On Wed, 28 Feb 2024 at 14:50, <hk.ihatemailingli...@enjoys.it> wrote:
>>
>> Hi everyone,
>>
>> I am struggling with LDAP as GeoServer (2.24.2) does not manage to pick up
>> groups/roles from it.
>>
>> I did post on
>> https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user
>> with no solution so far.
>>
>> - LDAP users can log in.
>> - An LDAP User/Group Service does discover the users and groups.
>> - An LDAP Role Service does discover/create the roles (ROLE_GROUPNAME).
>>
>> -----
>>
>> There are several older inconclusive threads about probably the same issue,
>> seemingly introduced after 2.15.2:
>> - https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/a799bca3-0741-5caf-1db1-ca017b35a...@duif.net/
>> - https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba...@posteo.de/
>> - https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/sj0pr08mb6800c0e997d3cbd049d22b8ed7...@sj0pr08mb6800.namprd08.prod.outlook.com/
>>
>> https://osgeo-org.atlassian.net/browse/GEOS-10452 was closed with a commit
>> that did not actually relate to the ticket.
>> The ticket is about role discovery for a user that is being authenticated.
>> The commit was about the Role Service, a component that makes existing
>> groups/roles visible in GeoServer. From all that I have found so far, the
>> Role Service is *not* related to the role discovery during authentication.
>> So I think that ticket was wrongly closed.
>>
>> -----
>>
>> I have used the very same LDAP user, query etc. in a Python script with
>> success, so the filters and whatnot seem correct.
>>
>> I have tried using a 2.15.2 geoserver.war without success (but maybe using
>> the same GeoServer data directory led to issues).
>>
>> I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and
>> gs-web-sec-ldap-2.15.2.jar as suggested in
>> https://sourceforge.net/p/geoserver/mailman/message/37633270/ without
>> success.
>>
>> I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and
>> gs-web-sec-ldap-2.15.2.jar PLUS (spring-ldap-core-2.0.2.RELEASE.jar and
>> spring-security-ldap-4.0.4.RELEASE.jar) or (spring-ldap-core-2.3.2.RELEASE.jar
>> and spring-security-ldap-5.1.5.RELEASE.jar) without success.
>>
>> I have tried using the existing 2.24.2 with
>> (spring-ldap-core-2.0.2.RELEASE.jar and spring-security-ldap-4.0.4.RELEASE.jar)
>> or (spring-ldap-core-2.3.2.RELEASE.jar and spring-security-ldap-5.1.5.RELEASE.jar)
>> without success.
>>
>> I compiled GeoServer 2.25 using Maven and added some more logging in
>> BindingLdapAuthoritiesPopulator.java#getGroupMembershipRoles to see the
>> formattedFilter before and after the escaping, and also to inspect the other
>> variables. They all look fine.
>>
>> -----
>>
>> Strangely it seems to work with the acme-ldap.jar from
>> https://docs.geoserver.org/main/en/user/security/tutorials/ldap/index.html
>> bob gets ROLE_USER with it.
>> The group/role discovery seems to work differently with that setup though.
>> There are no "security.ldap" lines in the log when using it; instead all I
>> see is:
>>
>> 28 Feb 13:24:15 DEBUG
>> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set
>> SecurityContextHolder to UsernamePasswordAuthenticationToken
>> [Principal=LdapUserDetailsImpl [Dn=uid=bob,ou=people,dc=acme,dc=org;
>> Username=bob; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true;
>> CredentialsNonExpired=true; AccountNonLocked=true; Granted
>> Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true,
>> Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1,
>> SessionId=A02D2978C7562773FF7F842FCF3B3E99], Granted
>> Authorities=[ROLE_AUTHENTICATED, ROLE_USER]]
>>
>> One small difference might be that this uses ou=groups, not cn=groups, but I
>> have no clue if that is something meaningful or just text.
>>
>> -----
>>
>> Is anyone using a standard GeoServer 2.24 with working role discovery via
>> LDAP?
>>
>> Could this be something in Spring?
>>
>> Cheers, Hannes
>>
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to this
>> list:
>> - Earning your support instead of buying it, by Ian Turton:
>> http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines:
>> http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this:
>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
> --
> César Martínez Izquierdo
> GIS developer
> SCOLAB: http://www.scolab.es
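The group lookup the thread is debugging, as an added example that is not part of the thread and is not GeoServer's or Spring's own code: a Spring-style group membership search is a subtree search below a configured search base DN, with a filter built by substituting the authenticated user's DN into a pattern. The example assumes the `{0}` (user DN) / `{1}` (username) placeholder convention described in the linked Spring documentation and the `ROLE_GROUPNAME` mapping the thread mentions; the directory entries, DNs and role names are constructed. It shows two things a practitioner would want to check: that `ou=groups` and `cn=groups` are merely different RDN attribute types in a DN string (a search base of either form finds the groups beneath it), and that RFC 4515 escaping of the substituted DN is what keeps a username or DN containing filter metacharacters from changing the filter's structure.

```python
"""Added example (not GeoServer's or Spring's own code): how a Spring-style
LDAP group membership search is put together, and why the attribute type in
the search base RDN (ou=groups vs cn=groups) is only part of a DN string.
The directory entries, DNs and role names below are constructed."""
import re

# Characters with special meaning inside an LDAP search filter (RFC 4515).
_FILTER_SPECIAL = '\\*()\x00'


def escape_filter_value(value: str) -> str:
    """Escape a value before inserting it into a filter, so that a DN or
    username containing '*', '(' or ')' cannot change the filter's shape."""
    return ''.join('\\%02x' % ord(ch) if ch in _FILTER_SPECIAL else ch
                   for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: turn \\XX hex escapes back into chars."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def build_group_filter(pattern: str, user_dn: str, username: str) -> str:
    """Fill a group search pattern the way the linked Spring docs describe:
    {0} becomes the full user DN and {1} the bare username. Mirroring the
    Spring convention here is an assumption of the example, not Spring's code."""
    return (pattern.replace('{0}', escape_filter_value(user_dn))
                   .replace('{1}', escape_filter_value(username)))


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Minimal DN parser (RFC 4514, no escaped commas): attribute types are
    compared case-insensitively, values are kept verbatim."""
    rdns = []
    for rdn in dn.split(','):
        attr, _, val = rdn.partition('=')
        rdns.append((attr.strip().lower(), val.strip()))
    return rdns


def parse_simple_filter(flt: str) -> tuple[str, str]:
    """Accept exactly one equality filter '(attr=value)'. A value that was not
    escaped and smuggled in extra parentheses fails this check instead of
    silently widening the search."""
    m = re.fullmatch(r'\(([A-Za-z][\w-]*)=([^()]*)\)', flt)
    if m is None:
        raise ValueError(f'unsupported filter: {flt}')
    return m.group(1).lower(), unescape_filter_value(m.group(2))


# Constructed in-memory stand-in for an LDAP server. Note the mixed
# "cn=groups" and "ou=groups" containers: both are plain DN components.
DIRECTORY = [
    {'dn': 'cn=gis-editors,cn=groups,dc=example,dc=org', 'cn': 'gis-editors',
     'member': ['uid=bob,cn=users,dc=example,dc=org']},
    {'dn': 'cn=gis-admins,cn=groups,dc=example,dc=org', 'cn': 'gis-admins',
     'member': ['uid=alice,cn=users,dc=example,dc=org']},
    {'dn': 'cn=viewers,ou=groups,dc=example,dc=org', 'cn': 'viewers',
     'member': ['uid=bob,cn=users,dc=example,dc=org']},
]


def find_group_roles(directory, search_base: str, flt: str) -> list[str]:
    """Subtree search below search_base for entries matching flt, mapped to
    GeoServer-style ROLE_GROUPNAME authorities (the ROLE_ prefix and
    upper-casing follow the thread's description of discovered roles)."""
    attr, wanted = parse_simple_filter(flt)
    base = parse_dn(search_base)
    roles = []
    for entry in directory:
        # Subtree scope: the entry's DN must end with the search base.
        if parse_dn(entry['dn'])[-len(base):] != base:
            continue
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if wanted in values:
            roles.append('ROLE_' + entry['cn'].upper())
    return sorted(roles)


if __name__ == '__main__':
    bob = 'uid=bob,cn=users,dc=example,dc=org'
    flt = build_group_filter('(member={0})', bob, 'bob')
    for base in ('cn=groups,dc=example,dc=org', 'ou=groups,dc=example,dc=org'):
        print(base, '->', find_group_roles(DIRECTORY, base, flt))
```

Run against the constructed directory, the `cn=groups` base yields `ROLE_GIS-EDITORS` and the `ou=groups` base yields `ROLE_VIEWERS` for the same user DN, which is the behaviour to expect from a correctly configured search base regardless of its RDN attribute type; a DN carrying `)(` survives escaping as a literal value and matches nothing, while the same unescaped string is rejected by the filter parser.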