Dear all,

I am struggling to map the LDAP groups to GeoServer roles. I am using GeoServer 2.3.2 and I followed the tutorial here: http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
The result is that I can log in to GeoServer as LDAP user, but no role is assigned (except
ROLE_AUTHENTICATED).

I tried it twice:

First, I followed the tutorial step-by-step. I have configured the LDAP connection, logged in as "bob", that was fine. Then I configured LDAP groups mapping, added new role ROLE_ADMIN and configured it to be the Administrator role as described in the tutorial. The result was, that I was able to log in as "bill", but no administration rights were available. As a side-effect, the "admin" user lost the administration rights as well. (Note, that there are differences between the 2.3.2 version and the tutorial screenshots: In the "XML Role Service default", "Settings" tab, the choice for "Group administrator role" is missing in the screenshot. And, while the documentation speaks about "ROLE_ADMINISTRATOR" and "ROLE_GROUP_ADMIN" roles, in 2.3.2 there are "ADMIN" and "GROUP_ADMIN" roles instead.)

Second, I followed the tutorial regarding the configuration, but rather created "ROLE_USER" role in GeoServer for testing. I configured some layers to be readable for this role only and checked the configuration with new GeoServer user with this role assigned. Then I logged in as LDAP user "bob", (who is in the "user" LDAP group and hence shoud have "ROLE_USER" GeoServer role assigned). "bob" can log-in, but cannot see the restricted layers. (Yes, I did configure the "Group search base" and "Group search filter" as described in the tutorial.) GeoServer log is attached. Looking there, I see

  Granted Authorities: ;

and

  Granted Authorities: ROLE_AUTHENTICATED

so no LDAP groups were mapped.

Would you have any idea or hint?

Thank you very much in advance,

Michal

GeoServerLog_LdapLoginWithRole.txt (11 KB)

Hi all,

has anybody managed to map the LDAP groups to GeoServer roles? In what GS version? Is 2.3.2. known to work with LDAP groups?

(for details, please check the original post below)

Kind Regards,

Michal

Dne 17.06.2013 18:25, sredl@anonymised.com napsal:

Dear all,

I am struggling to map the LDAP groups to GeoServer roles. I am using
GeoServer 2.3.2 and I followed the tutorial here:

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
The result is that I can log in to GeoServer as LDAP user, but no
role is assigned (except
ROLE_AUTHENTICATED).

I tried it twice:

First, I followed the tutorial step-by-step. I have configured the
LDAP connection, logged in as "bob", that was fine. Then I configured
LDAP groups mapping, added new role ROLE_ADMIN and configured it to be
the Administrator role as described in the tutorial. The result was,
that I was able to log in as "bill", but no administration rights were
available. As a side-effect, the "admin" user lost the administration
rights as well. (Note, that there are differences between the 2.3.2
version and the tutorial screenshots: In the "XML Role Service
default", "Settings" tab, the choice for "Group administrator role" is
missing in the screenshot. And, while the documentation speaks about
"ROLE_ADMINISTRATOR" and "ROLE_GROUP_ADMIN" roles, in 2.3.2 there are
"ADMIN" and "GROUP_ADMIN" roles instead.)

Second, I followed the tutorial regarding the configuration, but
rather created "ROLE_USER" role in GeoServer for testing. I configured
some layers to be readable for this role only and checked the
configuration with new GeoServer user with this role assigned. Then I
logged in as LDAP user "bob", (who is in the "user" LDAP group and
hence shoud have "ROLE_USER" GeoServer role assigned). "bob" can
log-in, but cannot see the restricted layers. (Yes, I did configure
the "Group search base" and "Group search filter" as described in the
tutorial.) GeoServer log is attached. Looking there, I see

Granted Authorities: ;

and

Granted Authorities: ROLE_AUTHENTICATED

so no LDAP groups were mapped.

Would you have any idea or hint?

Thank you very much in advance,

Michal

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Hi.

From my experience it depends on the LDAP server used. I had successfully configured it with OpenLDAP. Which type of server are you using?
One limit of the 2.3.2 version is that it cannot read groups if searches require the user to be logged in, because group searches are all done anonymously. In 2.4 version this will be possible. If you wish you can try a nightly of the 2.4 (master) version to see if that works in your case.

Also, can you also tell me how have you configured group base and filter?

Mauro

Il giorno 19/giu/2013 20:03, <sredl@anonymised.com> ha scritto:

Hi all,

has anybody managed to map the LDAP groups to GeoServer roles? In what
GS version? Is 2.3.2. known to work with LDAP groups?

(for details, please check the original post below)

Kind Regards,

Michal

Dne 17.06.2013 18:25, sredl@anonymised.com napsal:

Dear all,

I am struggling to map the LDAP groups to GeoServer roles. I am using
GeoServer 2.3.2 and I followed the tutorial here:

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
The result is that I can log in to GeoServer as LDAP user, but no
role is assigned (except
ROLE_AUTHENTICATED).

I tried it twice:

First, I followed the tutorial step-by-step. I have configured the
LDAP connection, logged in as “bob”, that was fine. Then I configured
LDAP groups mapping, added new role ROLE_ADMIN and configured it to
be
the Administrator role as described in the tutorial. The result was,
that I was able to log in as “bill”, but no administration rights
were
available. As a side-effect, the “admin” user lost the administration
rights as well. (Note, that there are differences between the 2.3.2
version and the tutorial screenshots: In the “XML Role Service
default”, “Settings” tab, the choice for “Group administrator role”
is
missing in the screenshot. And, while the documentation speaks about
“ROLE_ADMINISTRATOR” and “ROLE_GROUP_ADMIN” roles, in 2.3.2 there are
“ADMIN” and “GROUP_ADMIN” roles instead.)

Second, I followed the tutorial regarding the configuration, but
rather created “ROLE_USER” role in GeoServer for testing. I
configured
some layers to be readable for this role only and checked the
configuration with new GeoServer user with this role assigned. Then I
logged in as LDAP user “bob”, (who is in the “user” LDAP group and
hence shoud have “ROLE_USER” GeoServer role assigned). “bob” can
log-in, but cannot see the restricted layers. (Yes, I did configure
the “Group search base” and “Group search filter” as described in the
tutorial.) GeoServer log is attached. Looking there, I see

Granted Authorities: ;

and

Granted Authorities: ROLE_AUTHENTICATED

so no LDAP groups were mapped.

Would you have any idea or hint?

Thank you very much in advance,

Michal

---

This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

---

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

---

This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

---

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Hi Mauro,

thank you very much for your answer!

Dne 19.06.2013 20:50, Mauro Bartolomeoli napsal:

From my experience it depends on the LDAP server used. I had
successfully configured it with OpenLDAP. Which type of server are you
using?

I just used the acme-ldap.jar referenced from the tutorial.
http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
I can try the OpenLDAP instead.

One limit of the 2.3.2 version is that it cannot read groups if
searches require the user to be logged in, because group searches are
all done anonymously.

I assume you mean to be logged in into the LDAP, am I right?

In 2.4 version this will be possible. If you
wish you can try a nightly of the 2.4 (master) version to see if that
works in your case.

Also, can you also tell me how have you configured group base and filter?

As in the tutorial:

LDAP:

   ou=groups,dc=acme,dc=org
   cn=users,ou=groups,dc=acme,dc=org
     member: uid=bob,ou=people,dc=acme,dc=org
     member: uid=alice,ou=people,dc=acme,dc=org
   cn=admins,ou=groups,dc=acme,dc=org
     member: uid=bill,ou=people,dc=acme,dc=org

GeoServer:

   Set Group search base to “ou=groups”
   Set Group search filter to “member={0}”

Thank you again,

Michal

Mauro

Il giorno 19/giu/2013 20:03, <sredl@anonymised.com> ha scritto:

Hi all,

has anybody managed to map the LDAP groups to GeoServer roles? In what
GS version? Is 2.3.2. known to work with LDAP groups?

(for details, please check the original post below)

Kind Regards,

Michal

Dne 17.06.2013 18:25, sredl@anonymised.com napsal:
> Dear all,
>
> I am struggling to map the LDAP groups to GeoServer roles. I am using
> GeoServer 2.3.2 and I followed the tutorial here:
>
> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html [1]
> The result is that I can log in to GeoServer as LDAP user, but no
> role is assigned (except
> ROLE_AUTHENTICATED).
>
> I tried it twice:
>
> First, I followed the tutorial step-by-step. I have configured the
> LDAP connection, logged in as "bob", that was fine. Then I configured
> LDAP groups mapping, added new role ROLE_ADMIN and configured it to
> be
> the Administrator role as described in the tutorial. The result was,
> that I was able to log in as "bill", but no administration rights
> were
> available. As a side-effect, the "admin" user lost the administration
> rights as well. (Note, that there are differences between the 2.3.2
> version and the tutorial screenshots: In the "XML Role Service
> default", "Settings" tab, the choice for "Group administrator role"
> is
> missing in the screenshot. And, while the documentation speaks about
> "ROLE_ADMINISTRATOR" and "ROLE_GROUP_ADMIN" roles, in 2.3.2 there are
> "ADMIN" and "GROUP_ADMIN" roles instead.)
>
> Second, I followed the tutorial regarding the configuration, but
> rather created "ROLE_USER" role in GeoServer for testing. I
> configured
> some layers to be readable for this role only and checked the
> configuration with new GeoServer user with this role assigned. Then I
> logged in as LDAP user "bob", (who is in the "user" LDAP group and
> hence shoud have "ROLE_USER" GeoServer role assigned). "bob" can
> log-in, but cannot see the restricted layers. (Yes, I did configure
> the "Group search base" and "Group search filter" as described in the
> tutorial.) GeoServer log is attached. Looking there, I see
>
> Granted Authorities: ;
>
> and
>
> Granted Authorities: ROLE_AUTHENTICATED
>
> so no LDAP groups were mapped.
>
> Would you have any idea or hint?
>
> Thank you very much in advance,
>
> Michal
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev [2]
>
> _______________________________________________
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users [3]

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev [2]
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users [3]

Links:
------
[1] http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
[2] http://p.sf.net/sfu/windows-dev2dev
[3] https://lists.sourceforge.net/lists/listinfo/geoserver-users

Hi Mihal,

Hello people, i have a problem, am using geoserver 2.3.2, and GeoWebCache that comes with geoserver, i habilitate the direct integration with wms of geoserver, and still the openlayers are not working i thinks it is because the bounds of each bound of the layers in the application, or the gridset, i dont know , please help me, i need help, of the correct proceding, here is the main function in openlayers that i use:
//-------------------------------------------
function addSimpleLayerToMap(titulo, nombCapa, opacity, mapa, base, display, host)
{

    var capa = new OpenLayers.Layer.WMS(titulo, "http://" + host + "/geoserver/une/wms",
    {
       'layers' : nombCapa,
    transparent : true,
    format : 'image/png',
    STYLES : '',
    tiled : true,
    tilesOrigin : mapa.maxExtent.left + ',' + mapa.maxExtent.bottom
    }
    ,
    {
    buffer: 0,
       yx : {'EPSG:4326' : true},
       attribution : 'Facilitado por Geocuba',

       isBaseLayer : base,
       opacity : opacity,
       displayOutsideMaxExtent : base,
       displayInLayerSwitcher : display,
    transitionEffect : 'resize'
    }
    );
    mapa.addLayer(capa);

    return capa;

}
//---------------------------------------------------
it looks that am missing something, please help me

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--

Este mensaje le ha llegado mediante el servicio de correo electronico que ofrece Infomed para respaldar el cumplimiento de las misiones del Sistema Nacional de Salud. La persona que envia este correo asume el compromiso de usar el servicio a tales fines y cumplir con las regulaciones establecidas

Infomed: http://www.sld.cu/

Have a look at the example pages produced by the GWC user interface. Each example is produces an HTML page using OpenLayers for display. Perhaps this could be a good starting point for you?

–
Jody Garnett

Yes i saw it, thanks, but i read the html help that comes with geoserver, the "geowebcache troubleshooting" and i get some indication that i am following now, and i make this:
//---------------------------------------------------------------------------
curl -v "http://sigfre.cujae.edu.cu/geoserver/une/wms?LAYERS=une%3Asigfre_base&STYLES=&FORMAT=image%2Fpng&TILED=true&TRANSPARENT=FALSE&TILESORIGIN=-84.956%2C19.825&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&SRS=EPSG%3A4326&BBOX=-84.956,19.825,-69.561866666667,35.219133333333&WIDTH=256&HEIGHT=256&quot;
//---------------------------------------------------------------------------
and it return this

//---------------------------------------------------------------------------
* Adding handle: conn: 0xcb4628
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0xcb4628) send_pipe: 1, recv_pipe: 0
* About to connect() to sigfre.cujae.edu.cu port 80 (#0)
* Trying 10.8.194.10...
* Connected to sigfre.cujae.edu.cu (10.8.194.10) port 80 (#0)

GET /geoserver/une/wms?LAYERS=une%3Asigfre_base&STYLES=&FORMAT=image%2Fpng&TIL

ED=true&TRANSPARENT=FALSE&TILESORIGIN=-84.956%2C19.825&SERVICE=WMS&VERSION=1.1.1
&REQUEST=GetMap&SRS=EPSG%3A4326&BBOX=-84.956,19.825,-69.561866666667,35.21913333
3333&WIDTH=256&HEIGHT=256 HTTP/1.1

User-Agent: curl/7.30.0
Host: sigfre.cujae.edu.cu
Accept: */*

< HTTP/1.1 200 OK
< Date: Fri, 21 Jun 2013 09:30:53 GMT
* Server Jetty(6.1.8) is not blacklisted
< Server: Jetty(6.1.8)
< Content-Type: image/png
< geowebcache-miss-reason: request does not align to grid(s) 'EPSG:4326'
< geowebcache-cache-result: MISS
< Content-Disposition: inline; filename=une:sigfre_base
< Transfer-Encoding: chunked
<
ëPNG
//------------------------------------------------------------------------------
jodi you are right, i begun with that examples, and they work fine, because that examples are only proved with only a layer, but my app have in the same map more that one layer, sow it throught "request does not align to grid(s) 'EPSG:4326'" , how can i fix this?, thanks

"Jody Garnett" <jody.garnett@anonymised.com> escribió:

Have a look at the example pages produced by the GWC user interface. Each example is produces an HTML page using OpenLayers for display. Perhaps this could be a good starting point for you?
--
Jody Garnett

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--

Este mensaje le ha llegado mediante el servicio de correo electronico que ofrece Infomed para respaldar el cumplimiento de las misiones del Sistema Nacional de Salud. La persona que envia este correo asume el compromiso de usar el servicio a tales fines y cumplir con las regulaciones establecidas

Infomed: http://www.sld.cu/

On Thu, Jun 20, 2013 at 8:50 AM, Mauro Bartolomeoli <
mauro.bartolomeoli@anonymised.com> wrote:

Yes, but what I exactly mean is that the Geoserver LDAP module,
internally, does two things:
1) login to the LDAP server with the user credentials to authenticate it
(and this seems to be working for you) and then logs out from the LDAP
server (it only logins to check the user is authenticated)
2) retrieve user groups with an anonymous search, without making a new
login to the LDAP server with user credentials. Many LDAP servers deny the
search to anonymous users and so no groups are retrieved, also if the user
is correctly authenticated

Ah, really? This seems a bit dumb... would it be hard to make it
authenticate also on the second request?
If we have a user, why not use it, is there some particular setup where
that would cause issues?

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

2013/6/22 Andrea Aime <andrea.aime@anonymised.com>

On Thu, Jun 20, 2013 at 8:50 AM, Mauro Bartolomeoli <
mauro.bartolomeoli@anonymised.com> wrote:

Yes, but what I exactly mean is that the Geoserver LDAP module,
internally, does two things:
1) login to the LDAP server with the user credentials to authenticate it
(and this seems to be working for you) and then logs out from the LDAP
server (it only logins to check the user is authenticated)
2) retrieve user groups with an anonymous search, without making a new
login to the LDAP server with user credentials. Many LDAP servers deny the
search to anonymous users and so no groups are retrieved, also if the user
is correctly authenticated

Ah, really? This seems a bit dumb... would it be hard to make it
authenticate also on the second request?
If we have a user, why not use it, is there some particular setup where
that would cause issues?

Yes, sure, and this is already done with GEOS-5805 on master (using the new
option bindBeforeGroupSearch), but that enhancement has not been backported
to 2.3.x yet (by the way, I was thinking to backport it, after 2.3.3 is
out, what do you think about that?).

Mauro
--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

On Sat, Jun 22, 2013 at 2:57 PM, Mauro Bartolomeoli <
mauro.bartolomeoli@anonymised.com> wrote:

2013/6/22 Andrea Aime <andrea.aime@anonymised.com>

On Thu, Jun 20, 2013 at 8:50 AM, Mauro Bartolomeoli <
mauro.bartolomeoli@anonymised.com> wrote:

Yes, but what I exactly mean is that the Geoserver LDAP module,
internally, does two things:
1) login to the LDAP server with the user credentials to authenticate
it (and this seems to be working for you) and then logs out from the LDAP
server (it only logins to check the user is authenticated)
2) retrieve user groups with an anonymous search, without making a new
login to the LDAP server with user credentials. Many LDAP servers deny the
search to anonymous users and so no groups are retrieved, also if the user
is correctly authenticated

Ah, really? This seems a bit dumb... would it be hard to make it
authenticate also on the second request?
If we have a user, why not use it, is there some particular setup where
that would cause issues?

Yes, sure, and this is already done with GEOS-5805 on master (using the
new option bindBeforeGroupSearch), but that enhancement has not been
backported to 2.3.x yet (by the way, I was thinking to backport it, after
2.3.3 is out, what do you think about that?).

Sounds reasonable to me, but I'm not too familiar with the LDAP code, we
should hear from Justin
too, and ask on the geoserver-devel list just to make sure.
Afaik you have been using the GEOS-5805 results on the stable series
already (in a pre-production
environment? or was it production?) and it's working fine, right?

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

On Sat, Jun 22, 2013 at 7:06 AM, Andrea Aime
<andrea.aime@anonymised.com>wrote:

On Sat, Jun 22, 2013 at 2:57 PM, Mauro Bartolomeoli <
mauro.bartolomeoli@anonymised.com> wrote:

2013/6/22 Andrea Aime <andrea.aime@anonymised.com>

On Thu, Jun 20, 2013 at 8:50 AM, Mauro Bartolomeoli <
mauro.bartolomeoli@anonymised.com> wrote:

Yes, but what I exactly mean is that the Geoserver LDAP module,
internally, does two things:
1) login to the LDAP server with the user credentials to authenticate
it (and this seems to be working for you) and then logs out from the LDAP
server (it only logins to check the user is authenticated)
2) retrieve user groups with an anonymous search, without making a new
login to the LDAP server with user credentials. Many LDAP servers deny the
search to anonymous users and so no groups are retrieved, also if the user
is correctly authenticated

Ah, really? This seems a bit dumb... would it be hard to make it
authenticate also on the second request?
If we have a user, why not use it, is there some particular setup where
that would cause issues?

Yes, sure, and this is already done with GEOS-5805 on master (using the
new option bindBeforeGroupSearch), but that enhancement has not been
backported to 2.3.x yet (by the way, I was thinking to backport it, after
2.3.3 is out, what do you think about that?).

Sounds reasonable to me, but I'm not too familiar with the LDAP code, we
should hear from Justin
too, and ask on the geoserver-devel list just to make sure.
Afaik you have been using the GEOS-5805 results on the stable series
already (in a pre-production
environment? or was it production?) and it's working fine, right?

All for the backport. The ldap code pre the changes was mauro wasn't
exactly rock solid I think these changes make it much more useful. +1
and great work Mauro.

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.