I'm sure that I made LDAP roles work with a more recent version of
GeoServer at my previous job (unfortunately it's behind a firewall so I
can't check) -

My LDAPUserGroupService config contained:

  <groupSearchBase>ou=groups,dc=galbraith,dc=co,dc=uk</groupSearchBase>
  <groupNameAttribute>cn</groupNameAttribute>
  <allGroupsSearchFilter>(objectClass=groupOfUniqueNames)</allGroupsSearchFilter>
  <groupSearchFilter>(uniqueMember=uid={0},ou=users,dc=galbraith,dc=co,dc=uk)</groupSearchFilter>
  <groupMembershipAttribute>uniqueMember</groupMembershipAttribute>
  <userSearchBase>ou=users,dc=galbraith,dc=co,dc=uk</userSearchBase>
  <userNameAttribute>uid</userNameAttribute>
  <allUsersSearchFilter>(objectClass=inetOrgPerson)</allUsersSearchFilter>
  <useTLS>false</useTLS>
  <useNestedParentGroups>false</useNestedParentGroups>
  <maxGroupSearchLevel>10</maxGroupSearchLevel>
  <nestedGroupSearchFilter>(uniqueMember={0})</nestedGroupSearchFilter>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <rolePrefix>ROLE_</rolePrefix>
  <convertToUpperCase>true</convertToUpperCase>

and my LDAPRoleServiceConfig included:

  <groupSearchBase>ou=groups,dc=galbraith,dc=co,dc=uk</groupSearchBase>
  <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
  <groupSearchFilter>uniqueMember=uid={0},ou=users,dc=galbraith,dc=co,dc=uk</groupSearchFilter>
  <useTLS>false</useTLS>
  <useNestedParentGroups>false</useNestedParentGroups>
  <maxGroupSearchLevel>10</maxGroupSearchLevel>
  <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <adminGroup>ROLE_ADMINS</adminGroup>
  <groupAdminGroup>ROLE_ADMINS</groupAdminGroup>
  <rolePrefix>ROLE_</rolePrefix>
  <convertToUpperCase>true</convertToUpperCase>


My notes also include, in bold, "You must make the new role service the
active one by changing the drop down on the `security->settings` page":
https://docs.geoserver.org/latest/en/user/security/webadmin/settings.html#active-role-service

I can highly recommend using a CLI tool like ldapsearch to test out your
queries to see what they should be, which is how I got to
`(uniqueMember=cn={0},ou=users,dc=galbraith,dc=co,dc=uk)` for my group
member search.

Ian

On Thu, 29 Feb 2024 at 11:48, <hk.ihatemailingli...@enjoys.it> wrote:

> "I don't know what I am doing"-Chapter 23:
>
>
-- 
Ian Turton
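
The ldapsearch check recommended above, as an added example that is not part of the original message: it fills the `{0}` placeholder of the group search filters with a user name (escaped per RFC 4515) and, when `LDAP_URI` is set, runs the search against the group base from the config. `LDAP_URI` and the sample user names are assumptions, and `{0}` is treated as the user name, as in the filters above.

```shell
#!/bin/sh
# Added example: try the group filters from the message above with ldapsearch.
# Assumptions: LDAP_URI is your own directory's URI; {0} stands for the user
# name, as in the filters above; the user names below are constructed.

GROUP_BASE='ou=groups,dc=galbraith,dc=co,dc=uk'
UID_FILTER='(uniqueMember=uid={0},ou=users,dc=galbraith,dc=co,dc=uk)'
CN_FILTER='(uniqueMember=cn={0},ou=users,dc=galbraith,dc=co,dc=uk)'

# Escape a value for use in a search filter (RFC 4515), so that a name
# containing \ * ( ) is matched literally instead of changing the filter.
# DN escaping of commas and similar characters (RFC 4514) is not handled.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every {0} in a filter template with the escaped user name.
render_filter() {
    value=$(ldap_escape "$2")
    # Protect \ & | which are special in the replacement part of sed's s|||.
    value=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')
    printf '%s' "$1" | sed -e "s|[{]0[}]|$value|g"
}

# Print the filter; if LDAP_URI is set, also list the cn of matching groups.
# Add -D <bind DN> -W if the directory does not allow anonymous searches.
group_search() {
    filter=$(render_filter "$1" "$2")
    printf 'filter: %s\n' "$filter"
    if [ -n "${LDAP_URI:-}" ]; then
        ldapsearch -x -LLL -H "$LDAP_URI" -b "$GROUP_BASE" "$filter" cn
    fi
}

# Compare the uid= and cn= forms of the member DN for one user, then show
# that a name with a wildcard stays a literal value.
group_search "$UID_FILTER" 'ian'
group_search "$CN_FILTER" 'ian'
group_search "$UID_FILTER" 'i*'
```

Whichever form returns the groups you expect is the one whose member DN matches how `uniqueMember` is stored in your directory.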