[Geoserver-users] Deploying Geoserver 2.3.x on Websphere 8

All,

As I have not seen much activity on this particular topic, I am wondering whether we were able to successfully deploy GeoServer on this particular platform. Is there any documentation available?

On Jun 22, 2013, at 10:29 AM, geoserver-users-request@lists.sourceforge.net wrote:

Today's Topics:

  1. Re: Cannot map LDAP groups to GeoServer roles (Mauro Bartolomeoli)
  2. Re: Cannot map LDAP groups to GeoServer roles (Andrea Aime)
  3. Re: Cannot map LDAP groups to GeoServer roles (Justin Deoliveira)

----------------------------------------------------------------------

Message: 1
Date: Sat, 22 Jun 2013 14:57:21 +0200
From: Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com>
Subject: Re: [Geoserver-users] Cannot map LDAP groups to GeoServer
   roles
To: Andrea Aime <andrea.aime@anonymised.com>
Cc: Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com>,
   GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>

2013/6/22 Andrea Aime <andrea.aime@anonymised.com>

> On Thu, Jun 20, 2013 at 8:50 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:
>
>> Yes, but what I exactly mean is that the GeoServer LDAP module,
>> internally, does two things:
>> 1) logs in to the LDAP server with the user credentials to authenticate it
>> (and this seems to be working for you) and then logs out from the LDAP
>> server (it only logs in to check the user is authenticated)
>> 2) retrieves user groups with an anonymous search, without making a new
>> login to the LDAP server with user credentials. Many LDAP servers deny the
>> search to anonymous users and so no groups are retrieved, even if the user
>> is correctly authenticated
>
> Ah, really? This seems a bit dumb... would it be hard to make it
> authenticate also on the second request?
> If we have a user, why not use it, is there some particular setup where
> that would cause issues?

Yes, sure, and this is already done with GEOS-5805 on master (using the new
option bindBeforeGroupSearch), but that enhancement has not been backported
to 2.3.x yet (by the way, I was thinking of backporting it after 2.3.3 is
out, what do you think about that?).

Mauro
--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


------------------------------

Message: 2
Date: Sat, 22 Jun 2013 15:06:01 +0200
From: Andrea Aime <andrea.aime@anonymised.com>
Subject: Re: [Geoserver-users] Cannot map LDAP groups to GeoServer
   roles
To: Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com>, Justin
   Deoliveira <jdeolive@anonymised.com>
Cc: GeoServer Mailing List List
   <geoserver-users@lists.sourceforge.net>

Sounds reasonable to me, but I'm not too familiar with the LDAP code, we
should hear from Justin too, and ask on the geoserver-devel list just to
make sure.
Afaik you have been using the GEOS-5805 results on the stable series
already (in a pre-production environment? or was it production?) and it's
working fine, right?

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


------------------------------

Message: 3
Date: Sat, 22 Jun 2013 08:29:17 -0600
From: Justin Deoliveira <jdeolive@anonymised.com>
Subject: Re: [Geoserver-users] Cannot map LDAP groups to GeoServer
   roles
To: Andrea Aime <andrea.aime@anonymised.com>
Cc: Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com>,
   GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>

All for the backport. The ldap code pre the changes was mauro wasn't
exactly rock solid :) I think these changes make it much more useful. +1
and great work Mauro.

--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

End of Geoserver-users Digest, Vol 85, Issue 90
***********************************************
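
The group lookup described in the digest above (log in with the user's credentials, then search for groups anonymously) and the bindBeforeGroupSearch behaviour from GEOS-5805 can be modelled offline. This is an added Python example, not GeoServer code and not part of the original messages; the in-memory directory, the class and function names, the DNs, the warning text and the ROLE_ prefix mapping are assumptions made for illustration.

```python
# Added illustration: an in-memory model, not GeoServer or Spring Security code.
# Directory contents, names and the ROLE_ mapping are constructed assumptions.

class InsufficientAccess(Exception):
    """The directory ACL refused the search."""


class Directory:
    """Stand-in for an LDAP server that denies searches to anonymous clients."""

    def __init__(self, users, groups, allow_anonymous_search=False):
        self.users = users      # user DN -> password
        self.groups = groups    # group cn -> set of member DNs
        self.allow_anonymous_search = allow_anonymous_search


class Connection:
    def __init__(self, directory):
        self.directory = directory
        self.bound_dn = None    # None means the connection is anonymous

    def bind(self, dn, password):
        # An empty password must never count as a login: in LDAP a simple
        # bind with a DN and no password is an unauthenticated bind (RFC 4513).
        if not password or self.directory.users.get(dn) != password:
            raise PermissionError("invalid credentials")
        self.bound_dn = dn

    def unbind(self):
        self.bound_dn = None

    def search_groups(self, member_dn):
        if self.bound_dn is None and not self.directory.allow_anonymous_search:
            raise InsufficientAccess("anonymous search denied")
        return sorted(cn for cn, members in self.directory.groups.items()
                      if member_dn in members)


def authenticate(directory, dn, password, bind_before_group_search):
    """Return (roles, warning); raise PermissionError on bad credentials."""
    conn = Connection(directory)
    conn.bind(dn, password)             # step 1: check the user's credentials
    if not bind_before_group_search:
        conn.unbind()                   # behaviour described for 2.3.x
    warning = None
    try:
        groups = conn.search_groups(dn)  # step 2: group lookup
    except InsufficientAccess as exc:
        # The login itself succeeded, so the user ends up authenticated
        # with no roles. Surface it instead of failing silently.
        groups = []
        warning = f"group search failed for {dn}: {exc}"
    finally:
        conn.unbind()
    return ["ROLE_" + cn.upper() for cn in groups], warning


ALICE = "uid=alice,ou=people,dc=example,dc=org"   # constructed sample DN
SAMPLE = Directory(
    users={ALICE: "s3cret"},
    groups={"editors": {ALICE}, "admins": {"uid=bob,ou=people,dc=example,dc=org"}},
)


def demo():
    """Run both flows for the same user against the same directory."""
    anonymous = authenticate(SAMPLE, ALICE, "s3cret", bind_before_group_search=False)
    bound = authenticate(SAMPLE, ALICE, "s3cret", bind_before_group_search=True)
    return anonymous, bound


if __name__ == "__main__":
    for label, (roles, warning) in zip(("anonymous search", "bindBeforeGroupSearch"), demo()):
        print(f"{label}: roles={roles} warning={warning}")
```

A successful login that yields no roles together with a denied group search is the symptom to look for when diagnosing this configuration.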

Some time ago, I used Websphere 7 for GeoServer deployment. It worked for me.

The risk is that Websphere uses an IBM SDK. Now I use an IBM SDK & Tomcat 6 combination, works well.

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Thanks Christian. Though we were able to deploy the application on Websphere 8, we noticed there are some issues with the Spring framework which resulted in not loading stores. Trying to troubleshoot and identify the issue. Will keep posted.
