As I understand it, not using TLS in your LDAP configuration means your 
authentication details are being passed as plain text. This is a serious 
security problem.

-----Original Message-----
From: Stefan Overkamp [mailto:overk...@posteo.de]
Sent: Tuesday, 2 June 2020 1:34 AM
To: rdmaili...@duif.net
Cc: GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
Subject: Re: [Geoserver-users] ldap security issues in 2.16/17

Hi Richard,

we are using LDAP.
LDAP was already running fine 2 years ago with GeoServer 2.13 when I joined my 
new employer.
Our role service configuration (German UI) is approximately as follows:

Administrator Role: ROLE_ADMIN
Group administrator role: ROLE_GRUPPEN_ADMIN
Server-URL: ldap://****.de:389/dc=huhu,dc=de
No TLS
Search base for groups: ou=ogc_dienste
Search filter for users' group membership: member=cn={0},ou=user,dc=huhu,dc=de
Search filter for all groups: cn=*
Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
Authentication credentials set
"Enable hierarchical groups search" not enabled

Stefan


On 01.06.2020 at 13:23, Richard Duivenvoorde wrote:
> Hi Stefan,
>
> Thanks for the check! I was eager to see if it fitted, but we already
> did not configure TLS ... I tested both, but without success. Are you
> authenticating against an Active Directory, or LDAP?
>
> Pretty frustrating this. There is so much to configure with magic
> terms like (member={0}) etc etc, and 'Group Search base' on different
> config pages.
>
> There has to be some difference. I even swapped the spring-ldap jars
> in the versions (without success).
> Tried the 'group search' thingie etc etc
>
> There is (to me) no way to see what is sent/received (LDAP-wise)
> because only the abstract filter and outcome are logged (and THOSE are
> exactly the same, except that 2.13 is returning a set and >2.15 is not)?
>
> Regards,
> Richard Duivenvoorde
>
> On 6/1/20 8:39 AM, Stefan Overkamp wrote:
>> Hi list,
>>
>> we are running geoserver 2.17.0 in a docker container with
>> tomcat:9.0.31-jdk11-openjdk and have no problems.
>>
>> I took a look into our ticket system and found an issue 2 months ago
>> with LDAP. I had to change
>> geoserver/security/role/[ourroleservicename]/config.xml
>> from
>>
>> <useTLS>true</useTLS>
>>
>> to
>>
>> <useTLS>false</useTLS>
>>
>> Maybe there is the same server configuration change on Richard's LDAP side.
>>
>> Stefan


--
Dipl. Ing. Stefan Overkamp
Laakmannsbusch 44, 42555 Velbert
tel.: 0177 / 79 76 159
overk...@posteo.de
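A check a defender can run over the role-service config.xml the thread edits, as an added example that is not from the thread or from GeoServer itself: it flags the combination of a plain ldap:// URL and useTLS=false that leaves the bind credentials unencrypted on the wire. The `<serverURL>`, `<user>` and `<password>` element names are assumptions beside the `<useTLS>` element shown above, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the role-service config.xml discussed in the
# thread. Only <useTLS> is taken from the thread; <serverURL>, <user> and
# <password> are assumed element names, and the host is a placeholder.
PLAINTEXT_CONFIG = """<ldapRoleService>
  <serverURL>ldap://ldap-host.example:389/dc=huhu,dc=de</serverURL>
  <useTLS>false</useTLS>
  <user>cn=geoserver,ou=user,dc=huhu,dc=de</user>
  <password>bind-secret</password>
</ldapRoleService>"""

# Same service with the transport fixed: ldaps:// carries the bind over TLS.
HARDENED_CONFIG = PLAINTEXT_CONFIG.replace(
    "ldap://ldap-host.example:389", "ldaps://ldap-host.example:636")


def audit_ldap_transport(xml_text):
    """Return findings about whether LDAP bind credentials would leave the
    host unencrypted. An empty list means the transport is protected."""
    root = ET.fromstring(xml_text)
    url = (root.findtext("serverURL") or "").strip()
    scheme = urlparse(url).scheme.lower()
    use_tls = (root.findtext("useTLS") or "false").strip().lower() == "true"
    has_bind = bool(root.findtext("user")) and root.find("password") is not None

    findings = []
    if scheme == "ldaps":
        return findings                      # TLS from the first byte
    if scheme == "ldap" and use_tls:
        return findings                      # StartTLS upgrade before the bind
    if scheme == "ldap":
        findings.append("plain ldap:// with useTLS=false: every bind and search "
                        "travels unencrypted")
        if has_bind:
            findings.append("the <user> bind DN and <password> are exposed on "
                            "the wire on every role lookup")
    else:
        findings.append(f"unrecognised LDAP URL scheme {scheme!r} in serverURL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ldap_transport(cfg) or ["ok"])
```

Switching useTLS back to true only helps if the directory actually offers StartTLS on port 389; when it does not, the ldaps:// form on 636 is the alternative that keeps the bind off the wire in clear.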



_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
