As I said, I updated the manual to try to make this clearer; if you can think of anything else that could be added, please do edit it too.
Ian

On Fri, 1 Mar 2024, 13:43 , <hk.ihatemailingli...@enjoys.it> wrote:

> Ian, thank you so much! Your boldness saved the day/week/month :)
>
> Ian Turton wrote on 29.02.2024 16:00 (GMT +01:00):
>
> > My notes also include in bold `You must make the new role service the
> > active one by changing the drop down on the `security->settings` page
> > https://docs.geoserver.org/latest/en/user/security/webadmin/settings.html#active-role-service
>
> This was it!
>
> Interestingly the log still says "[security.ldap] - Roles from search: []"
> but my test user DOES get its roles assigned properly now using our LDAP
> server:
>
> 01 Mar 08:29:05 DEBUG [security.ldap] - Getting authorities for user uid=foo,cn=admins,cn=users,dc=example,dc=com
> 01 Mar 08:29:05 DEBUG [security.ldap] - Searching for roles for user 'foo', DN = 'uid=foo,cn=admins,cn=users,dc=example,dc=com', with filter (&(objectClass=univentionGroup)(memberUid={1})) in search base 'cn=services,cn=groups,dc=example,dc=com'
> 01 Mar 08:29:05 DEBUG [security.ldap] - Roles from search: []
> 01 Mar 08:29:05 DEBUG [ldap.LDAPSecurityProvider$1] - Authenticated user
> 01 Mar 08:29:05 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=uid=foo,cn=admins,cn=users,dc=example,dc=com; Username=foo; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=123123123], Granted Authorities=[ROLE_AUTHENTICATED, ROLE_GEOSERVER_GLOBAL_ADMINS, ROLE_BEWARE_OF_THE_LEOPARD]]
>
> Phew!
>
> This leaves me confused though.
>
> - Are there two ways of group/role discovery for LDAP users, one in the
>   Authentication Provider and one with a Role Service? What is the
>   difference? Are they completely different things?
> - From the logs and behaviour it seems like the three "[security.ldap]"
>   lines come from the Authentication Provider while the Role Service
>   discovers them silently? Why does one discovery log something and the
>   other doesn't?
>
> I'll update
> https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user
> momentarily, including the minimal configuration I ended up with. There is
> better formatting and higher search engine discovery on that site, so I hope
> you don't mind if I switch from the mailing list.
>
> Cheers, Hannes
>
> PS: Future reader, once you switch the Role Service your GeoServer user
> "admin" won't become a GeoServer admin anymore. Make sure you have access
> to the "root" user's master password or that your LDAP setup includes a
> user that will become GeoServer admin!
>
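To make the log behaviour discussed above easy to check on a real server, here is an added Python example (not from the thread and not GeoServer code) that parses the DEBUG lines quoted by Hannes and reports whether a user's effective roles came from the authentication provider's own LDAP group search or, as the thread infers, from the active role service, and flags logins that end up with no roles at all. The sample log is reconstructed from the quoted lines with the e-mail wrapping undone; the "role-service" classification is an inference from the thread, not something the log states explicitly.

```python
import re

# Constructed sample: the DEBUG lines quoted in the thread, with the e-mail
# line wrapping undone so that each GeoServer log entry is one line again.
SAMPLE_LOG = """\
01 Mar 08:29:05 DEBUG [security.ldap] - Getting authorities for user uid=foo,cn=admins,cn=users,dc=example,dc=com
01 Mar 08:29:05 DEBUG [security.ldap] - Searching for roles for user 'foo', DN = 'uid=foo,cn=admins,cn=users,dc=example,dc=com', with filter (&(objectClass=univentionGroup)(memberUid={1})) in search base 'cn=services,cn=groups,dc=example,dc=com'
01 Mar 08:29:05 DEBUG [security.ldap] - Roles from search: []
01 Mar 08:29:05 DEBUG [ldap.LDAPSecurityProvider$1] - Authenticated user
01 Mar 08:29:05 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=uid=foo,cn=admins,cn=users,dc=example,dc=com; Username=foo; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=123123123], Granted Authorities=[ROLE_AUTHENTICATED, ROLE_GEOSERVER_GLOBAL_ADMINS, ROLE_BEWARE_OF_THE_LEOPARD]]
"""

SEARCH_RE = re.compile(r"Roles from search: \[(.*?)\]")    # authentication provider's LDAP group search
USER_RE = re.compile(r"Username=([^;\]]+)")
GRANTED_RE = re.compile(r"Granted Authorities=\[(.*?)\]")  # appears twice on the token line


def _roles(csv):
    return [r.strip() for r in csv.split(",") if r.strip()]


def parse_ldap_login(log_text):
    """Collect, for one login, the provider's search result and the token's final roles."""
    rec = {"user": None, "provider_roles": [], "granted": []}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            rec["provider_roles"] = _roles(m.group(1))
        if "Set SecurityContextHolder" in line:
            u = USER_RE.search(line)
            rec["user"] = u.group(1) if u else None
            # The inner list belongs to the LDAP principal; the outer (last) one is
            # what GeoServer actually authorises against, so keep the last match.
            found = GRANTED_RE.findall(line)
            rec["granted"] = _roles(found[-1]) if found else []
    return rec


def role_source(rec):
    """Where the effective roles came from (inference as described in the thread)."""
    effective = [r for r in rec["granted"] if r != "ROLE_AUTHENTICATED"]
    if not effective:
        return "no-roles"       # login works but nothing is authorised: check the active role service
    if rec["provider_roles"]:
        return "auth-provider"  # the provider's own group search produced the roles
    return "role-service"       # search came back empty yet roles were granted: the active role service did it
```

Run it against a DEBUG-level GeoServer log after a test login; a "no-roles" result for a user who should have groups is the symptom the thread started with.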
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users