Not when GeoServer and the LDAP service are in the same private network, right?

Stefan

On 01.06.2020 at 23:40, Humphries, Graham wrote:
> As I understand it not using TLS in your LDAP configuration means your
> authentication details are being passed as plain text. This is a serious
> security problem.
>
> -----Original Message-----
> From: Stefan Overkamp [mailto:overk...@posteo.de]
> Sent: Tuesday, 2 June 2020 1:34 AM
> To: rdmaili...@duif.net
> Cc: GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
> Subject: Re: [Geoserver-users] ldap security issues in 2.16/17
>
> Hi Richard,
>
> we are using LDAP.
> LDAP was already running fine 2 years ago with Geoserver 2.13 when I joined
> my new employer.
> Our role service configuration (German UI) is approximately as follows:
>
> Administrator Role: ROLE_ADMIN
> Group administrator role: ROLE_GRUPPEN_ADMIN
> Server-URL: ldap://****.de:389/dc=huhu,dc=de
> No TLS
> Search base for groups: ou=ogc_dienste
> Search filter for group membership of users: member=cn={0},ou=user,dc=huhu,dc=de
> Search filter for all groups: cn=*
> Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
> authentication credentials
> and not Enable Hierarchical groups search
>
> Stefan
>
>
> On 01.06.2020 at 13:23, Richard Duivenvoorde wrote:
>> Hi Stefan,
>>
>> Thanks for the check! I was eager to see if it fitted, but we already
>> did not configure TLS ... I tested both, but without success. Are you
>> authenticating against an Active Directory, or ldap?
>>
>> Pretty frustrating this. There is so much to configure with magic
>> terms like (member={0}) etc etc, and 'Group Search base' on different
>> config pages.
>>
>> There has to be some difference. I even swapped the spring-ldap jars
>> in the versions (without success).
>> Tried the 'group search' thingie etc etc
>>
>> There is (to me) no way to see what is sent/received (LDAP-wise)
>> because only the abstract filter and outcome are logged (and THOSE are
>> exactly the same, except that 2.13 is returning a set and >2.15 is not)?
>>
>> Regards,
>> Richard Duivenvoorde
>>
>> On 6/1/20 8:39 AM, Stefan Overkamp wrote:
>>> Hi list,
>>>
>>> we are running geoserver 2.17.0 in a docker container with
>>> tomcat:9.0.31-jdk11-openjdk and have no problems.
>>>
>>> I took a look into our ticket system and found an issue 2 months ago
>>> with ldap. I had to change
>>> geoserver/security/role/[ourroleservicename]/config.xml
>>> from
>>>
>>> <useTLS>true</useTLS>
>>>
>>> to
>>>
>>> <useTLS>false</useTLS>
>>>
>>> Maybe there is the same server configuration change on Richard's ldap site.
>>>
>>> Stefan

--
Dipl. Ing. Stefan Overkamp
Laakmannsbusch 44, 42555 Velbert
tel.: 0177 / 79 76 159
overk...@posteo.de

_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
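
Added example, not part of the thread and not GeoServer's own code: a small audit that classifies how each LDAP role service under `security/role/*/config.xml` would reach the directory, and lists the ones that bind over an unencrypted connection (an `ldap://` URL with `<useTLS>` not set to `true`). The `<useTLS>` element comes from the thread; the `<serverURL>` element name, the `<config>` root and the host name in the samples are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

# Constructed samples modelled on the settings quoted in the thread.
# <useTLS> is shown in the thread; <serverURL> and the <config> root are
# assumed names, and the host is a placeholder.
PLAIN = ("<config><serverURL>ldap://ldap.example.internal:389/dc=huhu,dc=de"
         "</serverURL><useTLS>false</useTLS></config>")
STARTTLS = PLAIN.replace("<useTLS>false", "<useTLS>true")
LDAPS = ("<config><serverURL>ldaps://ldap.example.internal:636/dc=huhu,dc=de"
         "</serverURL><useTLS>false</useTLS></config>")


def classify_ldap_transport(config_xml):
    """Return (mode, host, port); mode is plaintext, starttls, ldaps or not-ldap."""
    root = ET.fromstring(config_xml)
    url = urlsplit((root.findtext(".//serverURL") or "").strip())
    # A missing <useTLS> is treated as false (assumption).
    use_tls = (root.findtext(".//useTLS") or "").strip().lower() == "true"
    scheme = url.scheme.lower()
    if scheme == "ldaps":
        return "ldaps", url.hostname, url.port or 636
    if scheme == "ldap":
        mode = "starttls" if use_tls else "plaintext"
        return mode, url.hostname, url.port or 389
    return "not-ldap", None, None


def scan_role_services(data_dir):
    """List (service name, host, port) for role services that bind in plaintext."""
    findings = []
    for path in sorted(Path(data_dir).glob("security/role/*/config.xml")):
        try:
            mode, host, port = classify_ldap_transport(
                path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # unreadable config: skip rather than abort the scan
        if mode == "plaintext":
            findings.append((path.parent.name, host, port))
    return findings


if __name__ == "__main__":
    for name, xml in (("plain", PLAIN), ("starttls", STARTTLS), ("ldaps", LDAPS)):
        print(name, classify_ldap_transport(xml))
```
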