[Geoserver-devel] ldap authentication provider & role service

Hello Mauro and Mailing List,

It appears to me that the LDAP authentication provider and role service currently are unable to be used simultaneously.
This is because the active role service is queried from the method RoleCalculator.calculateRoles. This method is normally called from the authenticator you use to log in to geoserver. However, the LDAP authenticator does not call this method. Therefore, when you log on with LDAP, the active role service is never used to assign roles to the user you are logging in with. Because of that the ADMIN and GROUP_ADMIN settings in the role service don't have any effect when using the ldap auth.prov. (or any other role mappings).

I have made a patch for this problem:
https://github.com/geoserver/geoserver/pull/928

Please have a look if that makes sense to you.

Kind Regards
Niels

On 12-02-15 19:20, Mauro Bartolomeoli wrote:

Hi Niels,

2015-02-12 19:11 GMT+01:00 Niels Charlier <niels@anonymised.com <mailto:niels@anonymised.com>>:

    Hi,

    Trying to wrap my head around the LDAP security configuration and
    I'm looking for someone who knows about this.
    I've read:
    http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

    But I noticed that the following settings can be configured both
    in the authentication provider and the role service:
    1) group base and filter
    2) names of the ADMIN and GROUPADMIN roles;

    What is the difference between those different but similar looking
    settings?

They have the same meaning, but since the services are of different type, they are available in both services.

    What additional behaviour does the role service provide?

The role service allows you to get the roles list from LDAP so that you can bind permissions (service or layer) to a role coming from LDAP.

    I thought the role service was to map the roles to ldap groups,
    but the tutorial says that the settings in the auth.prov. do that
    as well.

Yes, in case of LDAP you can do roles mapping directly from the authentication provider, so the role service is not needed for that if you use the auth provider configuration.

    And what do you get from specifying admin and groupadmin in the
    role service on top of doing it in the auth.prov?

I think that in case you configured role mapping from the auth provider, that one wins, so it is probably not mandatory to have it also in the role service.
Take into account that, in general, the authentication provider and the role service are independent. In theory you can use an LDAP roleservice also with a not LDAP auth provider (I don't have a real use case at the moment, but in theory this is possible).

At the end if you use both in a standard way, the LDAP role service is needed to list (and use) the roles from LDAP in the authorization section.

Regards,
Mauro
--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Niels,

···

2015-02-17 15:43 GMT+01:00 Niels Charlier <niels@anonymised.com.2918…>:

Hello Mauro and Mailing List,

It appears to me that the LDAP authentication provider and role service currently are unable to be used simultaneously.
This is because the active role service is queried from the method RoleCalculator.calculateRoles. This method is normally called from the authenticator you use to log in to geoserver. However, the LDAP authenticator does not call this method. Therefore, when you log on with LDAP, the active role service is never used to assign roles to the user you are logging in with. Because of that the ADMIN and GROUP_ADMIN settings in the role service don’t have any effect when using the ldap auth.prov. (or any other role mappings).

I have made a patch for this problem:
https://github.com/geoserver/geoserver/pull/928

I made some comments on the pr. The main one is that some unit tests are needed.

Thanks
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Mauro,

Thank you for your quick review. I have added a unit test that tests the changes.

Also note my reply to your other comment in the old diff. I have now removed this change form the patch because it was a totally unrelated to the bug. But I still wish to make a note for the future that this might be a desired change to make the configurations more consistent with each other (see comments in pull request for details).

On that note, I have also discovered a different issue with the RoleServiceTest, most of the test methods are skipped because once you have done one test method, the port of the test ldap server is still open and the assume command fails for each of the other test methods. I think there is some cleaning up necessary to get that test properly operative.

Thanks again for your quick assistance.

Kind Regards
Niels

On 17-02-15 17:47, Mauro Bartolomeoli wrote:

Hi Niels,

2015-02-17 15:43 GMT+01:00 Niels Charlier <niels@anonymised.com <mailto:niels@anonymised.com>>:

    Hello Mauro and Mailing List,

    It appears to me that the LDAP authentication provider and role
    service currently are unable to be used simultaneously.
    This is because the active role service is queried from the method
    RoleCalculator.calculateRoles. This method is normally called from
    the authenticator you use to log in to geoserver. However, the
    LDAP authenticator does not call this method. Therefore, when you
    log on with LDAP, the active role service is never used to assign
    roles to the user you are logging in with. Because of that the
    ADMIN and GROUP_ADMIN settings in the role service don't have any
    effect when using the ldap auth.prov. (or any other role mappings).

    I have made a patch for this problem:
    https://github.com/geoserver/geoserver/pull/928

I made some comments on the pr. The main one is that some unit tests are needed.

Thanks
Mauro

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Mauro,

I've got yet another (small) patch. One particular user was unable to map roles with the authentication provider. After a long search we figured out it was because the user had a colon (":") in their password. The authority populator now uses a colon to attach and separate a user from its password, which is not such a safe method.

Patch:
https://github.com/NielsCharlier/geoserver/commit/3b8c4aab7a2ae32b55fd546cdce279267c757938

Thanks!

Kind Regards,
Niels

On 17-02-15 17:47, Mauro Bartolomeoli wrote:

Hi Niels,

2015-02-17 15:43 GMT+01:00 Niels Charlier <niels@anonymised.com <mailto:niels@anonymised.com>>:

    Hello Mauro and Mailing List,

    It appears to me that the LDAP authentication provider and role
    service currently are unable to be used simultaneously.
    This is because the active role service is queried from the method
    RoleCalculator.calculateRoles. This method is normally called from
    the authenticator you use to log in to geoserver. However, the
    LDAP authenticator does not call this method. Therefore, when you
    log on with LDAP, the active role service is never used to assign
    roles to the user you are logging in with. Because of that the
    ADMIN and GROUP_ADMIN settings in the role service don't have any
    effect when using the ldap auth.prov. (or any other role mappings).

    I have made a patch for this problem:
    https://github.com/geoserver/geoserver/pull/928

I made some comments on the pr. The main one is that some unit tests are needed.

Thanks
Mauro

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Niels,
the patch looks good to me, please merge it into master.

Mauro

···

2015-02-21 17:34 GMT+01:00 Niels Charlier <niels@anonymised.com>:

Hi Mauro,

I’ve got yet another (small) patch. One particular user was unable to map roles with the authentication provider. After a long search we figured out it was because the user had a colon (“:”) in their password. The authority populator now uses a colon to attach and separate a user from its password, which is not such a safe method.

Patch:
https://github.com/NielsCharlier/geoserver/commit/3b8c4aab7a2ae32b55fd546cdce279267c757938

Thanks!

Kind Regards,
Niels

On 17-02-15 17:47, Mauro Bartolomeoli wrote:

Hi Niels,

2015-02-17 15:43 GMT+01:00 Niels Charlier <niels@anonymised.com>:

Hello Mauro and Mailing List,

It appears to me that the LDAP authentication provider and role service currently are unable to be used simultaneously.
This is because the active role service is queried from the method RoleCalculator.calculateRoles. This method is normally called from the authenticator you use to log in to geoserver. However, the LDAP authenticator does not call this method. Therefore, when you log on with LDAP, the active role service is never used to assign roles to the user you are logging in with. Because of that the ADMIN and GROUP_ADMIN settings in the role service don’t have any effect when using the ldap auth.prov. (or any other role mappings).

I have made a patch for this problem:
https://github.com/geoserver/geoserver/pull/928

I made some comments on the pr. The main one is that some unit tests are needed.

Thanks
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.