I am not quite sure if this a documentation error with the tutorial, or a regression in the LDAP security settings. If anyone with more experience using the LDAP provider knows which of these is more likely, your knowledge would be appreciated.

It looks more like a regression. For sure it is not the intended behaviour.

Regards,
Mauro Bartolomeoli

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via di Montramito 3/A

55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

2017-01-19 1:56 GMT+01:00 Torben Barsballe <tbarsballe@anonymised.com>:

I was testing out the GeoServer Authentication with LDAP tutorial, and ran into this issue.

After Step 5 of Map LDAP groups to GeoServer roles , the users with administrative roles (e.g. bill) do not behave as administrators, but rather as regular users.

Once restarting GeoServer, the users with administrative roles behave as administrators, as expected.

Reported as https://osgeo-org.atlassian.net/browse/GEOS-7936

I am not quite sure if this a documentation error with the tutorial, or a regression in the LDAP security settings. If anyone with more experience using the LDAP provider knows which of these is more likely, your knowledge would be appreciated.

Note that I was able to reproduce this issue with GeoServer 2.8.3 as well.

Torben

---

Check out the vibrant tech community on one of the world’s most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

---

Geoserver-devel mailing list
Geoserver-devel@anonymised.com.366…sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

On Wed, Jan 25, 2017 at 1:40 AM, Mauro Bartolomeoli <maurobartolomeoli@anonymised.com.403…> wrote:

Hi Torben,
I looked a little bit more into the issue you reported.

It seems to work as expected to me. Going to explain: you can give admin rights to users coming from LDAP in two ways:

1. using the LDAP Authentication Provider only, and filling the groups section as explained here: http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles; a role service is not needed for this.

After doing that, bill can log in with admin rights (I was able to do that on a fresh 2.10.1 installation). Question: did you login with bill credentials before mapping the groups (then you could experience caching issues)?

2. creating an LDAP role service as explained here: http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#configure-the-ldap-role-service
   and setting that role service as the active one (this is not mentioned in the tutorial, where the role service is created, but not really enabled for active usage); the purpose of the tutorial was to enable seeing roles from LDAP in the authorizations sections (data / services), not enabling the role service for role binding; we can probably add a sentence or two in the tutorial to clarify this

Regards,
Mauro Bartolomeoli

2017-01-19 1:56 GMT+01:00 Torben Barsballe <tbarsballe@…3839…>:

I was testing out the GeoServer Authentication with LDAP tutorial, and ran into this issue.

After Step 5 of Map LDAP groups to GeoServer roles , the users with administrative roles (e.g. bill) do not behave as administrators, but rather as regular users.

Once restarting GeoServer, the users with administrative roles behave as administrators, as expected.

Reported as https://osgeo-org.atlassian.net/browse/GEOS-7936

I am not quite sure if this a documentation error with the tutorial, or a regression in the LDAP security settings. If anyone with more experience using the LDAP provider knows which of these is more likely, your knowledge would be appreciated.

Note that I was able to reproduce this issue with GeoServer 2.8.3 as well.

Torben

---

Check out the vibrant tech community on one of the world’s most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

---

Geoserver-devel mailing list
Geoserver-devel@anonymised.comrge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel