Hello Mauro and Mailing List,
It appears to me that the LDAP authentication provider and role service currently are unable to be used simultaneously.
This is because the active role service is queried from the method RoleCalculator.calculateRoles. This method is normally called from the authenticator you use to log in to geoserver. However, the LDAP authenticator does not call this method. Therefore, when you log on with LDAP, the active role service is never used to assign roles to the user you are logging in with. Because of that the ADMIN and GROUP_ADMIN settings in the role service don't have any effect when using the ldap auth.prov. (or any other role mappings).
I have made a patch for this problem:
https://github.com/geoserver/geoserver/pull/928
Please have a look if that makes sense to you.
Kind Regards
Niels
On 12-02-15 19:20, Mauro Bartolomeoli wrote:
Hi Niels,
2015-02-12 19:11 GMT+01:00 Niels Charlier <niels@anonymised.com <mailto:niels@anonymised.com>>:
Hi,
Trying to wrap my head around the LDAP security configuration and
I'm looking for someone who knows about this.
I've read:
http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.htmlBut I noticed that the following settings can be configured both
in the authentication provider and the role service:
1) group base and filter
2) names of the ADMIN and GROUPADMIN roles;What is the difference between those different but similar looking
settings?They have the same meaning, but since the services are of different type, they are available in both services.
What additional behaviour does the role service provide?
The role service allows you to get the roles list from LDAP so that you can bind permissions (service or layer) to a role coming from LDAP.
I thought the role service was to map the roles to ldap groups,
but the tutorial says that the settings in the auth.prov. do that
as well.Yes, in case of LDAP you can do roles mapping directly from the authentication provider, so the role service is not needed for that if you use the auth provider configuration.
And what do you get from specifying admin and groupadmin in the
role service on top of doing it in the auth.prov?I think that in case you configured role mapping from the auth provider, that one wins, so it is probably not mandatory to have it also in the role service.
Take into account that, in general, the authentication provider and the role service are independent. In theory you can use an LDAP roleservice also with a not LDAP auth provider (I don't have a real use case at the moment, but in theory this is possible).At the end if you use both in a standard way, the LDAP role service is needed to list (and use) the roles from LDAP in the authorization section.
Regards,
Mauro
--GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software EngineerGeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272http://www.geo-solutions.it
http://twitter.com/geosolutions_it-------------------------------------------------------
*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.