Ian, thank you so much! Your boldness saved the day/week/month :)

Ian Turton wrote on 29.02.2024 16:00 (GMT +01:00):
> My notes also include in bold `You must make the new role service the
> active one by changing the drop down on the `security->settings` page
> https://docs.geoserver.org/latest/en/user/security/webadmin/settings.html#active-role-service

This was it! Interestingly the log still says "[security.ldap] - Roles from search: []" but my test user DOES get its roles assigned properly now using our LDAP server:

01 Mar 08:29:05 DEBUG [security.ldap] - Getting authorities for user uid=foo,cn=admins,cn=users,dc=example,dc=com
01 Mar 08:29:05 DEBUG [security.ldap] - Searching for roles for user 'foo', DN = 'uid=foo,cn=admins,cn=users,dc=example,dc=com', with filter (&(objectClass=univentionGroup)(memberUid={1})) in search base 'cn=services,cn=groups,dc=example,dc=com'
01 Mar 08:29:05 DEBUG [security.ldap] - Roles from search: []
01 Mar 08:29:05 DEBUG [ldap.LDAPSecurityProvider$1] - Authenticated user
01 Mar 08:29:05 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=uid=foo,cn=admins,cn=users,dc=example,dc=com; Username=foo; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=123123123], Granted Authorities=[ROLE_AUTHENTICATED, ROLE_GEOSERVER_GLOBAL_ADMINS, ROLE_BEWARE_OF_THE_LEOPARD]]

Phew! This leaves me confused though.

- Are there two ways of group/role discovery for LDAP users, one in the Authentication Provider and one with a Role Service? What is the difference? Are they completely different things?
- From the logs and behaviour it seems like the three "[security.ldap]" lines come from the Authentication Provider while the Role Service discovers them silently? Why does one discovery log something and the other doesn't?
I'll update https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user momentarily, including the minimal configuration I ended up with. There is better formatting and higher search engine discovery on that site so I hope you don't mind if I switch from the mailing list.

Cheers,
Hannes

PS: Future reader, once you switch the Role Service your GeoServer user "admin" won't become a GeoServer admin anymore. Make sure you have access to the "root" user's master password or that your LDAP setup includes a user that will become GeoServer admin!

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
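To check a group filter and search base like the ones in the log above before relying on them for admin access, here is an added offline model of the lookup (not code from the thread or from GeoServer). It assumes the Spring LDAP placeholder convention ({0} = user DN, {1} = username) and derives role names as uppercase cn with a ROLE_ prefix, as the roles in the log suggest; the directory entries are constructed.

```python
"""Offline model of a GeoServer-style LDAP group-to-role lookup.
Added example, not GeoServer code. Directory entries are constructed."""
import re

# Constructed directory snapshot: DN -> attributes (multi-valued lists).
DIRECTORY = {
    "cn=geoserver_global_admins,cn=services,cn=groups,dc=example,dc=com": {
        "objectClass": ["univentionGroup"], "cn": ["geoserver_global_admins"],
        "memberUid": ["foo", "bar"]},
    "cn=beware_of_the_leopard,cn=services,cn=groups,dc=example,dc=com": {
        "objectClass": ["univentionGroup"], "cn": ["beware_of_the_leopard"],
        "memberUid": ["foo"]},
    # Outside the search base: must never contribute a role.
    "cn=domain_admins,cn=groups,dc=example,dc=com": {
        "objectClass": ["univentionGroup"], "cn": ["domain_admins"],
        "memberUid": ["foo"]},
    # Wrong objectClass: the first clause of the filter rejects it.
    "cn=leftover,cn=services,cn=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["leftover"], "memberUid": ["foo"]},
}


def expand_filter(group_filter, user_dn, username):
    """Assumed Spring LDAP placeholder semantics: {0} = user DN, {1} = username."""
    return group_filter.replace("{0}", user_dn).replace("{1}", username)


def entry_matches(attrs, ldap_filter):
    """Evaluate an AND filter of equality clauses, e.g. (&(a=b)(c=d)),
    or a single clause (a=b). OR / NOT filters are deliberately rejected."""
    if ldap_filter[:2] in ("(|", "(!"):
        raise ValueError(f"unsupported filter: {ldap_filter}")
    clauses = re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)
    if not clauses:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    return all(value in attrs.get(attr, []) for attr, value in clauses)


def roles_from_search(directory, search_base, group_filter, username, user_dn):
    """Role names the search base + filter yield for this user (sorted).
    Naming (uppercase cn, ROLE_ prefix) mirrors the roles seen in the log."""
    expanded = expand_filter(group_filter, user_dn, username)
    roles = []
    for dn, attrs in directory.items():
        in_base = dn.lower().endswith("," + search_base.lower())
        if in_base and entry_matches(attrs, expanded):
            roles.append("ROLE_" + attrs["cn"][0].upper())
    return sorted(roles)
```

Run it with the filter from the log and then with `{0}` in place of `{1}`: the second variant returns `[]`, which is the "Roles from search: []" symptom a wrong placeholder or search base produces.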