Hi Zdenek,

Thanks for looking into this issue and offering to test it out.  I've
asked our LDAP administrator for the LDIF file for our system; I'll
let you know if he can provide that to me.  If you don't mind
providing me with your test steps, that would be great; I would like
to double-check that you are using the LDAP admin role association the
same way as we are.

Thanks,
Brandon

On Thu, May 13, 2021 at 11:16 AM Zdeněk Henek <vrab...@gmail.com> wrote:
>
> Hi Richard,
> Hi Brandon,
>
> I have recently tested ApacheDS with the GeoServer main branch and I got roles 
> working without problems. I have done a quick test in 2.15.2 to be sure my 
> use case works there too.
>
> Do you think it will be good enough to test with ApacheDS Studio? 
> https://directory.apache.org/studio/ It works on Linux too (using AdoptOpenJDK).
>
> Would you like me to share my test steps, or could you provide an LDIF file 
> with your testing LDAP database? I could do a quick test in my env if you 
> would like.
>
> Regards,
> Zdenek Henek
>
> On Wed, May 12, 2021 at 9:57 AM Richard Duivenvoorde <rdmaili...@duif.net> 
> wrote:
>>
>> FYI: I'm in the same boat:
>> see:
>> https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba967%40posteo.de/
>>
>> My gut feeling is that 'something' (recursive groups?) was added which breaks 
>> old setups.
>>
>> We have not been able to make this work in newer GeoServer versions and run 
>> an old version of GeoServer in parallel just to have the secure maps available 
>> via AD...
>> It's pretty hard to debug/develop this, as I would need an AD server (and 
>> I'm totally not into Windows Server admin).
>>
>> If anybody is able to use the AD authentication with GeoServer, please let us 
>> know.
>>
>> Regards,
>>
>> Richard Duivenvoorde
>>
>> On 5/4/21 9:03 PM, Brandon M wrote:
>> > Hi Stefan,
>> >
>> > Thanks for getting back to me on this issue.  I see you are using a
>> > slightly different approach with
>> > https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html
>> > than what I've configured.
>> >
>> > I have been using the LDAP authentication provider which is documented
>> > here:
>> > https://docs.geoserver.org/latest/en/user/security/webadmin/auth.html#ldap-provider.
>> > In versions 2.15.2 and prior this has worked well.  In the
>> > configuration, I included the roles from our internal LDAP server that
>> > were assigned to users that should have GeoServer administrator
>> > privileges (UDEV-BDA-Dev in my case).  GeoServer would look up the
>> > groups from my LDAP and, like you describe, prepend "ROLE_" to the
>> > group and save it off in the "Granted Authorities" list.  Logging
>> > would show GeoServer connecting to our LDAP server, retrieving a list
>> > of groups I was part of, and granting me Authorities for each with
>> > "ROLE_" prepended to each group returned.  This LDAP lookup stopped
>> > finding any roles from our configured LDAP server once I installed
>> > GeoServer 2.15.3.  I'm providing the same "LDAP Authentication
>> > Provider" details to both versions 2.15.2 and 2.15.3, but get no group
>> > results from the LDAP query for any version after 2.15.2.  I'm
>> > guessing something changed between these versions, but can't pinpoint
>> > what it is and how I need to update my configuration to get GeoServer
>> > to see the LDAP roles again.
>> >
>> > I did try your method, and created a role service in GeoServer.
>> > Unfortunately GeoServer still doesn't appear to find any roles from my
>> > LDAP; when I log in, I don't see the admin options in GeoServer, my
>> > user is only granted the "ROLE_AUTHENTICATED" authority.  I don't know
>> > how to debug this any further.
>> >
>> > Thanks,
>> > Brandon
>> >
>> > On Sun, May 2, 2021 at 3:53 AM Stefan Overkamp <overk...@posteo.de> wrote:
>> >>
>> >> Hi,
>> >>
>> >> in my configuration I additionally have:
>> >>
>> >>   <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
>> >> (defaults to cn=*) and
>> >>   <user>cn=huhu,dc=geodaten,dc=de</user>
>> >>   <password>GANZGEHEIM</password>
>> >>
>> >> Also, see 
>> >> https://docs.geoserver.org/latest/en/user/security/usergrouprole/roleservices.html
>> >>
>> >> Groups are extracted from a specific LDAP node, configured as the Groups 
>> >> search base. A role is mapped for every matching group.
>> >> The role will have a name that is built taking the Group common name (cn 
>> >> attribute), transformed to upper case and with a ROLE_ prefix applied.
>> >>
>> >> There is no ROLE_ prefix in your example
>> >>
>> >>   <adminGroup>UDEV-BDA-Dev</adminGroup>
>> >>   <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
>> >>
>> >>
>> >> My configuration example:
>> >>
>> >> <org.geoserver.security.ldap.LDAPRoleServiceConfig>
>> >>   <id>-ceba2b8:15ecc57126b:-445f</id>
>> >>   <name>Geodaten Rollendienst</name>
>> >>   <className>org.geoserver.security.ldap.LDAPRoleService</className>
>> >>   <serverURL>ldaps://geodaten.de:636/dc=geodaten,dc=de</serverURL>
>> >>   <groupSearchBase>ou=ogc_dienste</groupSearchBase>
>> >>   <allGroupsSearchFilter>cn=*</allGroupsSearchFilter>
>> >>   <groupSearchFilter>member=cn={0},ou=user,dc=geodaten,dc=de</groupSearchFilter>
>> >>   <userFilter>member=cn={0},ou=user,dc=geodaten,dc=de</userFilter>
>> >>   <useTLS>false</useTLS>
>> >>   <useNestedParentGroups>false</useNestedParentGroups>
>> >>   <maxGroupSearchLevel>0</maxGroupSearchLevel>
>> >>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
>> >>   <adminGroup>ROLE_ADMIN</adminGroup>
>> >>   <groupAdminGroup>ROLE_GRUPPEN_ADMIN</groupAdminGroup>
>> >>   <user>cn=huhu,dc=geodaten,dc=de</user>
>> >>   <password>GANZGEHEIM</password>
>> >> </org.geoserver.security.ldap.LDAPRoleServiceConfig>
>> >>
>> >> Stefan
>> >>
>> >>
>> >> Am 29.04.2021 um 14:16 schrieb Brandon M:
>> >>
>> >> Hi GeoServer Users,
>> >>
>> >> We recently upgraded to a new version of GeoServer, 2.16.2 from 2.12.2
>> >> (I know we are a little behind the curve).  We have GeoServer
>> >> configured to use our internal LDAP for user login, and assign users
>> >> GeoServer ADMIN privileges based on their LDAP groups, which is
>> >> configured under Security -> Authentication -> LDAP Authentication
>> >> Provider section of the GeoServer console.  The LDAP group lookup
>> >> performed by GeoServer stopped working when we upgraded; the LDAP
>> >> authentication still works as it did before the upgrade.
>> >>
>> >> I did some additional testing and found that this issue started in
>> >> version 2.15.3.  I read the release notes for 2.15.3 and didn't see
>> >> anything that would explain why the lookup and handling of LDAP roles
>> >> would be any different between 2.15.2 and 2.15.3.  The LDAP
>> >> Authentication setup page in GeoServer does have a new "Enable
>> >> Hierarchical groups search" option in version 2.15.3, which we did not
>> >> enable.
>> >>
>> >> I didn't notice anything in the GeoServer documentation for 2.15.3
>> >> that would require us to change our LDAP configuration parameters.  I
>> >> installed GeoServer version 2.18.* and it behaved the same, no LDAP
>> >> groups were returned for any of our LDAP accounts.
>> >>
>> >> GeoServer DEBUG logging details related to the same LDAP user login
>> >> appear to be the same between the 2.15.2 and 2.15.3 versions; the
>> >> only noticeable difference is that
>> >> "[ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []" is
>> >> empty with any version after 2.15.2.  Here are some logging details:
>> >>
>> >> LDAP authentication logging with 2.15.2:
>> >>
>> >> 2021-04-27 17:05:25,676 DEBUG [ldap.LDAPSecurityProvider$1] -
>> >> Processing authentication request for user: tuser1
>> >> 2021-04-27 17:05:25,780 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
>> >> Retrieving user object using filter...
>> >> 2021-04-27 17:05:25,862 INFO [ldap.SpringSecurityLdapTemplate] -
>> >> Ignoring PartialResultException
>> >> 2021-04-27 17:05:25,863 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
>> >> Getting authorities for user CN=Test
>> >> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
>> >> 2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
>> >> Searching for roles for user 'tuser1', DN = 'CN=Test
>> >> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
>> >> member={0} in search base 'ou=groups,ou=udev'
>> >> 2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
>> >> Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev,
>> >> UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
>> >> 2021-04-27 17:05:25,913 DEBUG
>> >> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
>> >> Authentication success. Updating SecurityContextHolder to contain:
>> >> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4cc36d05:
>> >> Principal: 
>> >> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
>> >> Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
>> >> tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
>> >> CredentialsNonExpired: true; AccountNonLocked: true; Granted
>> >> Authorities: ROLE_UDEV-SUDO-USERS, ROLE_DL-ALL-USERS,
>> >> ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_DL-WORKSPACES,
>> >> ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV; Credentials: [PROTECTED];
>> >> Authenticated: true; Details:
>> >> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@ef30:
>> >> RemoteIpAddress: 10.0.0.1; SessionId:
>> >> 2C4C913D1A84AF86CE2009430A500B59; Granted Authorities:
>> >> ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS,
>> >> ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR,
>> >> ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS,
>> >> ROLE_UDEV-BDA-DEV
>> >>
>> >> LDAP authentication logging with 2.15.3:
>> >>
>> >> 2021-04-28 11:53:59,114 DEBUG [ldap.LDAPSecurityProvider$1] -
>> >> Processing authentication request for user: tuser1
>> >> 2021-04-28 11:53:59,208 DEBUG [ldap.GeoserverLdapBindAuthenticator] -
>> >> Retrieving user object using filter...
>> >> 2021-04-28 11:53:59,249 INFO [ldap.SpringSecurityLdapTemplate] -
>> >> Ignoring PartialResultException
>> >> 2021-04-28 11:53:59,250 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
>> >> Getting authorities for user CN=Test
>> >> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com
>> >> 2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
>> >> Searching for roles for user 'tuser1', DN = 'CN=Test
>> >> User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter
>> >> member={0} in search base 'ou=groups,ou=udev'
>> >> 2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] -
>> >> Roles from search: []
>> >> 2021-04-28 11:53:59,288 DEBUG
>> >> [filter.GeoServerUserNamePasswordAuthenticationFilter$1] -
>> >> Authentication success. Updating SecurityContextHolder to contain:
>> >> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c764efec:
>> >> Principal: 
>> >> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@39493be2:
>> >> Dn: CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com; Username:
>> >> tuser1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
>> >> CredentialsNonExpired: true; AccountNonLocked: true; Not granted any
>> >> authorities; Credentials: [PROTECTED]; Authenticated: true; Details:
>> >> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@3bcc:
>> >> RemoteIpAddress: 10.0.0.1; SessionId:
>> >> 7946087888C889D6616C47047EA8DC2E; Granted Authorities:
>> >> ROLE_AUTHENTICATED
>> >>
>> >> Here is the data\security\auth\udev\config.xml that contains the
>> >> details of our LDAP Authentication configuration for 2.16.2:
>> >>
>> >> <ldap>
>> >>   <id>-178dde25:179184fe481:-7fff</id>
>> >>   <name>udev</name>
>> >>   <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
>> >>   <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
>> >>   <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
>> >>   <groupSearchFilter>member={0}</groupSearchFilter>
>> >>   <userFilter>(sAMAccountName={1})</userFilter>
>> >>   <useTLS>false</useTLS>
>> >>   <useNestedParentGroups>false</useNestedParentGroups>
>> >>   <maxGroupSearchLevel>10</maxGroupSearchLevel>
>> >>   <nestedGroupSearchFilter>(member={0})</nestedGroupSearchFilter>
>> >>   <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
>> >>   <adminGroup>UDEV-BDA-Dev</adminGroup>
>> >>   <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
>> >>   <userFormat>{0}@udev.com</userFormat>
>> >> </ldap>
>> >>
>> >> Let me know if there is any additional information needed to help
>> >> understand the problem.
>> >>
>> >> Thanks for any help!
>> >>
>> >> Brandon
>> >>
>> >>
>> >> _______________________________________________
>> >> Geoserver-users mailing list
>> >>
>> >> Please make sure you read the following two resources before posting to 
>> >> this list:
>> >> - Earning your support instead of buying it, but Ian Turton: 
>> >> http://www.ianturton.com/talks/foss4g.html#/
>> >> - The GeoServer user list posting guidelines: 
>> >> http://geoserver.org/comm/userlist-guidelines.html
>> >>
>> >> If you want to request a feature or an improvement, also see this: 
>> >> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>> >>
>> >>
>> >> Geoserver-users@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>> >>
>> >>
>> >>
>> >> --
>> >> Dipl. Ing. Stefan Overkamp
>> >> overk...@posteo.de
>> >
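The two log excerpts and the config.xml posted in this thread, worked through as an added example (this is not GeoServer or Spring Security code, and not something any of the thread's authors posted): it applies the role mapping Stefan quotes from the GeoServer docs (group cn, upper-cased, prefixed with ROLE_), parses the 2.15.2 and 2.15.3 excerpts, checks each logged group against the granted authorities, and builds an ldapsearch query that repeats the group search GeoServer logs, with the user DN escaped per RFC 4515 before it is substituted for {0}. The log text, config and user DN are reconstructed from the excerpts above with the mail wrapping removed; running ldapsearch bound as the user's DN with -W for the password prompt is an assumption about how you would reproduce the search, not something the thread states.

```python
"""Triage GeoServer's LDAP group lookup from its DEBUG log and config.xml.
Added example, not GeoServer or Spring Security code: applies the role mapping
quoted from the GeoServer docs in the thread (group cn, upper-cased, prefixed
with ROLE_), parses the two log excerpts above and derives an ldapsearch query
that repeats the logged group search outside GeoServer."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed from the thread's excerpts, with the mail wrapping removed.
USER_DN = "CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com"

LOG_2_15_2 = """\
2021-04-27 17:05:25,877 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Searching for roles for user 'tuser1', DN = 'CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter member={0} in search base 'ou=groups,ou=udev'
2021-04-27 17:05:25,898 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: [dl-All-Users, UDEV-All-Users, UDEV-Jenkins-Dev, UDEV-Sudo-Users, dl-Workspaces, AWS-Console-Admin, UDEV-BDA-Dev]
2021-04-27 17:05:25,913 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Granted Authorities: ROLE_UDEV-SUDO-USERS, ROLE_AUTHENTICATED, ROLE_DL-ALL-USERS, ROLE_AWS-CONSOLE-ADMIN, ROLE_UDEV-JENKINS-DEV, ROLE_ADMINISTRATOR, ROLE_DL-WORKSPACES, ROLE_GROUP_ADMIN, ROLE_UDEV-ALL-USERS, ROLE_UDEV-BDA-DEV
"""

LOG_2_15_3 = """\
2021-04-28 11:53:59,258 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Searching for roles for user 'tuser1', DN = 'CN=Test User,OU=NonPriv,OU=Users,OU=udev,dc=udev,dc=com', with filter member={0} in search base 'ou=groups,ou=udev'
2021-04-28 11:53:59,270 DEBUG [ldap.BindingLdapAuthoritiesPopulator] - Roles from search: []
2021-04-28 11:53:59,288 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication success. Not granted any authorities; Granted Authorities: ROLE_AUTHENTICATED
"""

CONFIG_XML = """\
<ldap>
  <className>org.geoserver.security.ldap.LDAPAuthenticationProvider</className>
  <serverURL>ldap://udev.com:389/dc=udev,dc=com</serverURL>
  <groupSearchBase>ou=groups,ou=udev</groupSearchBase>
  <groupSearchFilter>member={0}</groupSearchFilter>
  <userFilter>(sAMAccountName={1})</userFilter>
  <bindBeforeGroupSearch>true</bindBeforeGroupSearch>
  <adminGroup>UDEV-BDA-Dev</adminGroup>
  <groupAdminGroup>UDEV-BDA-Dev</groupAdminGroup>
</ldap>
"""

SEARCH_RE = re.compile(r"DN = '([^']+)', with filter (\S+) in search base '([^']+)'")
ROLES_RE = re.compile(r"Roles from search: \[(.*?)\]")
AUTHORITIES_RE = re.compile(r"Granted Authorities: ([A-Za-z0-9_\-, ]+)")


def group_to_role(cn):
    """Role name GeoServer derives from a group cn, per the docs quoted above."""
    return "ROLE_" + cn.upper()


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a DN substituted for {0} cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_log(text):
    """Extract the logged search parameters, raw groups and final authorities."""
    m = SEARCH_RE.search(text)
    roles = ROLES_RE.findall(text)
    auths = AUTHORITIES_RE.findall(text)  # last list is the one on the token
    return {
        "user_dn": m.group(1) if m else None,
        "filter": m.group(2) if m else None,
        "base": m.group(3) if m else None,
        "roles": [r.strip() for r in roles[-1].split(",") if r.strip()] if roles else [],
        "authorities": {a.strip() for a in auths[-1].split(",")} if auths else set(),
    }


def parse_config(xml_text):
    """Flatten the <ldap> provider config into a tag -> text dict."""
    return {c.tag: (c.text or "").strip() for c in ET.fromstring(xml_text)}


def ldapsearch_command(cfg, user_dn):
    """ldapsearch repeating GeoServer's group search: {0} is the user DN (as
    logged) and groupSearchBase is relative to the DN in serverURL.  Binding as
    the user mirrors bindBeforeGroupSearch=true (an assumed, not logged, detail)."""
    url = urlsplit(cfg["serverURL"])
    root_dn = url.path.lstrip("/")
    base = cfg["groupSearchBase"] + ("," + root_dn if root_dn else "")
    flt = cfg["groupSearchFilter"].replace("{0}", ldap_filter_escape(user_dn))
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    return (f'ldapsearch -LLL -H {url.scheme}://{url.netloc} -D "{user_dn}" -W '
            f'-b "{base}" "{flt}" cn')


def diagnose(log, cfg):
    """Findings for one login: what was searched, what came back, what was granted."""
    findings = []
    if not log["roles"]:
        findings.append("group search returned nothing; repeat it outside GeoServer: "
                        + ldapsearch_command(cfg, log["user_dn"]))
    else:
        missing = [r for r in log["roles"] if group_to_role(r) not in log["authorities"]]
        findings.append("every group became a ROLE_ authority" if not missing
                        else "groups without a matching authority: %s" % missing)
    granted = "ROLE_ADMINISTRATOR" in log["authorities"]
    findings.append("adminGroup %s -> %s, ROLE_ADMINISTRATOR %s" % (
        cfg["adminGroup"], group_to_role(cfg["adminGroup"]),
        "granted" if granted else "not granted"))
    return findings


if __name__ == "__main__":
    cfg = parse_config(CONFIG_XML)
    for version, text in (("2.15.2", LOG_2_15_2), ("2.15.3", LOG_2_15_3)):
        print(version)
        for finding in diagnose(parse_log(text), cfg):
            print("  -", finding)
```

Run as-is it prints the findings for both excerpts, including the ldapsearch command for the 2.15.3 case. If that command, bound as the same user, returns the groups that 2.15.2 logged, the directory side is unchanged and the difference lies in how the newer GeoServer issues or interprets the search; if it also returns nothing, start on the directory side (what that bind can read, the search base, the filter). The "Ignoring PartialResultException" line appears in both excerpts in the thread, so on its own it does not distinguish the two versions.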