[Geoserver-devel] [JIRA] (GEOS-10452) Use of Active Directory authorisation seems broken since 2.15.2 (LDAP still works)

Richard Duivenvoorde created an issue

GeoServer / Bug GEOS-10452

Use of Active Directory authorisation seems broken since 2.15.2 (LDAP still works)

Issue Type: Bug

Assignee: Unassigned

Created: 07/Apr/22 5:38 PM

Environment: Geoserver >= 2.15.2 on Windows, securing layers against Active Directory using the LDAP authentication

Priority: Medium

Reporter: Richard Duivenvoorde

In 2020, after an upgrade from 2.13 to a current version, the until-then well-working LDAP/Active Directory authentication failed to work: https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba967%40posteo.de/

Recently on the mailing list somebody else reported the exact same issue:

https://sourceforge.net/p/geoserver/mailman/geoserver-users/?viewmonth=202203 title ‘LDAP past version 15.2’

Until now we ‘worked around this’ by using an old geoserver instance for the secure layer.

In the thread above somebody suggested trying to remove gs-sec-ldap-2.xx.jar and gs-web-sec-ldap-2.xx.jar and install the related jars from the last working version, 2.15.2: gs-sec-ldap-2.15.2.jar and gs-web-sec-ldap-2.15.2.jar

That actually works!

Another observation by others: LDAP also still works!

I think around this commit:

https://github.com/geoserver/geoserver/commit/c6ec068909cb552333d2a5ae0ea314ca37218b7b

Fixing this: https://osgeo-org.atlassian.net/projects/GEOS/issues/GEOS-9199

https://github.com/geoserver/geoserver/pull/3487

our (earlier) working Active Directory setup actually broke down.

My problem is that I cannot create an Active Directory myself (and certainly not a public one). So I’m very much hoping that somebody who can create an AD and can debug Geoserver (which I fail to do in the client environment, because of Windows/Firewall/Proxy etc. etc.) is able to reproduce this.

As said in the mailing lists, Geoserver never receives any ‘Roles from search’ anymore:

[org.geoserver.security.ldap.BindingLdapAuthoritiesPopulator] - Roles from search:

‘Offending’ line: https://github.com/geoserver/geoserver/blob/2.13.x/src/security/ldap/src/main/java/org/geoserver/security/ldap/BindingLdapAuthoritiesPopulator.java#L201

So: same datadir/config in 2.13 is working fine, above 2.15.x this breaks.

Replacing the 2 jars above in a current Geoserver (just tested 2.20.0) immediately makes AD authentication work again.

We do have some funding available for somebody willing (and able) to pick this up, either creating an actual fix, OR maybe adding some more debug info (in case this is a configuration issue, or AD is misbehaving)
