Thanks for your kind words, Andrea. I know my writing skills are not the best when I'm drowning in details.
Crux: the LDAP dialogs are full of very picky inputs with not very descriptive names. And the provider and the role provider have the same names, but it isn't clear which one is used or takes precedence. I was just hoping an LDAP coder could shed some light on this...
(To be honest, I'm not very much in favour of Micro$oft AD either, but I really want GeoServer to keep being used in my clients' env....)
I can now debug the public AD, so maybe I'll spend some time on it.
Regards,
Richard
On 5/26/22 11:31, Andrea Aime wrote:
Hi Richard,
I cannot speak for others, but you've lost me after a couple of sentences in the mail (little knowledge of LDAP, none of AD).
It might well be that others active on this list are in the same situation.
Cheers
Andrea
On Sun, May 22, 2022 at 11:54 AM Richard Duivenvoorde <rdmailings@anonymised.com> wrote:
Hi,
still fighting https://osgeo-org.atlassian.net/jira/core/projects/GEOS/issues/GEOS-10452
I now have a public, working Active Directory and can confirm on a simple schema that AD authorisation is still working with that simple schema.
BUT: the (non-public, production) one is still failing to work (while it was working in 2.13...)
About the logic to check the (LDAP) roles for an authorized user, am I right to think that:
- an (AD/LDAP) user is authenticated, and DURING the authentication the groups are also sourced and added to the user record (guessing here!!)
- so the logic to 'extract' the groups (for a given user) is from the 'LDAP Authentication Provider' screen?
NOT so much the parameters you used for the LDAP Role Service?
There, the given filter etc. are only to authenticate the given username/password to extract all roles?
Or am I wrong here?
(From the blogs and documentation it is not so clear to me what all the Filters/Formats/Patterns in the dialogs are used for, and the fact that both the Authentication and the Role Provider have group params makes things more complex for me.)
IF I am right in the above, then I think that my problem is that the 'members' in the 'groups' are not defined using their 'userPrincipalName' or 'sAMAccountName', but their CN: so I see normal names as members: 'Jim Doe' instead...
Could this be the reason?
In the docs there is talk about 'placeholders', so you can use member={0} to search for the 'Username' in the groups.
But in this case these are Full Names.
So my question: is it possible to use member={CN} or so?
Or is the only solution to ask the AD admins to create new groups using the 'userPrincipalName' or 'sAMAccountName' instead?
Any help or hint is appreciated,
Regards,
Richard Duivenvoorde
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
--
Regards,
Andrea Aime
==
GeoServer Professional Services from the experts!
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it
-------------------------------------------------------
This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail
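Added example (editor's note, not code from GeoServer, Spring Security or anyone in this thread): a small model of what the "group search filter" with placeholders does when a role service looks up the groups of an authenticated user. The group and user entries are constructed to look like Active Directory objects and are not real data. It assumes the Spring Security LDAP convention that GeoServer's LDAP support is built on, where {0} is replaced with the authenticated user's full DN and {1} with the username; verify that against the GeoServer docs for the version in use. The point it shows: an AD group's 'member' attribute holds DNs, which begin with the user's CN ("CN=Jim Doe,..."), so a filter on the DN placeholder matches while one on the bare username does not. It also shows the RFC 4515 escaping that any value coming from a login form must get before it is spliced into a filter, otherwise a crafted username can rewrite the filter (LDAP filter injection).

```python
"""Toy model of placeholder-based group lookup against AD-style entries.

Editor's added example. Entries are constructed; this is not GeoServer's or
Spring Security's code. Assumption (Spring Security LDAP convention):
{0} = authenticated user's full DN, {1} = username.
"""
import re

# Constructed AD-style groups. 'member' holds DNs, which start with the
# user's CN (the "normal name"), never the sAMAccountName on its own.
GROUPS = [
    {"cn": "GeoServer Admins",
     "member": ["CN=Jim Doe,OU=Users,DC=example,DC=org",
                "CN=Ann Smith,OU=Users,DC=example,DC=org"]},
    {"cn": "GIS Readers",
     "member": ["CN=Jim Doe,OU=Users,DC=example,DC=org"]},
    {"cn": "Finance",
     "member": ["CN=Ann Smith,OU=Users,DC=example,DC=org"]},
]

# Constructed user record, as the authentication step would hand it over.
USER = {
    "dn": "CN=Jim Doe,OU=Users,DC=example,DC=org",
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@example.org",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter.

    Anything typed into a login form must pass through this; otherwise a
    username like '*' or 'x)(objectClass=*' changes the filter's structure.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def fill_placeholders(template, user):
    """Substitute {0} (user DN) and {1} (username) into the filter template."""
    values = {"0": user["dn"], "1": user["sAMAccountName"]}
    return re.sub(r"\{([01])\}",
                  lambda m: escape_filter_value(values[m.group(1)]),
                  template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def groups_matching(filter_str, entries):
    """Evaluate one '(attr=value)' equality filter over the entries.

    Only this filter shape is modelled; a real directory does far more.
    Comparison is case-insensitive, as AD treats DN-valued attributes.
    """
    m = re.match(r"^\(?([A-Za-z][\w-]*)=([^()]*)\)?$", filter_str)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, wanted = m.group(1), _unescape(m.group(2)).lower()
    hits = []
    for entry in entries:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if any(v.lower() == wanted for v in values):
            hits.append(entry["cn"])
    return hits


def resolve_roles(template, user, entries=GROUPS):
    """Role (group) names the user gets for a given group search filter."""
    return groups_matching(fill_placeholders(template, user), entries)


if __name__ == "__main__":
    # DN placeholder: matches the DN-valued 'member' attribute.
    print(resolve_roles("member={0}", USER))
    # Username placeholder: matches nothing, 'member' never holds 'jdoe'.
    print(resolve_roles("member={1}", USER))
    # A hostile username is neutralised by escaping before substitution.
    print(fill_placeholders("member={1}", dict(USER, sAMAccountName="*")))
```

Usage note: run the file directly to see the three cases. The practical check against a real AD is the same idea with ldapsearch: look at what the group's 'member' attribute actually contains and compare it to what the configured placeholder expands to for the logged-in user; if one is a DN and the other a sAMAccountName, no filter will match, and no new groups are needed, only the right placeholder.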