[Geoserver-users] Geoserver - Authentication with LDAP

Hi, I encountered a strange problem today:

I managed the access to individual layers based on groups of users. I also
implemented Authentication with LDAP as described here:
http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

I converted the user’s LDAP groups into roles, so that each group can only
access certain layers. However there are still some problems:

I log in with User "XX" via http://localhost:8080/geoserver/ with the login
details saved on my LDAP server (ApacheDS). Then I can only see the layers I
assigned to User "XX". When I log out, the Geoserver UI tells me that I am
logged out. So far so good... But if I click on "Layer Preview" I can still
see the layers I normally shouldn't be able to see (since I am logged out).
After then refreshing my browser, my user "XX" is again logged in?! How can
that be?

Do I have to change something on my LDAP-Server (e.g. Session Timeout?!)?

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/Geoserver-Authentication-with-LDAP-tp5262290.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Hi,

As two quick questions/suggestions...

1. Did you remove the 'remember me' bit from the filter chain?
2. Have you confirmed from a logged out session that the anonymous role/user cannot access the layer via the Layer Preview?

The first might explain why you are still logged in.

Cheers,

Jim

On 4/21/2016 8:22 AM, treeflower wrote:

> Hi, I encountered a strange problem today:
>
> I managed the access to individual layers based on groups of users. I also
> implemented Authentication with LDAP as described here:
> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>
> I converted the user’s LDAP groups into roles, so that each group can only
> access certain layers. However there are still some problems:
>
> I log in with User "XX" via http://localhost:8080/geoserver/ with the login
> details saved on my LDAP server (ApacheDS). Then I can only see the layers I
> assigned to User "XX". When I log out, the Geoserver UI tells me that I am
> logged out. So far so good... But if I click on "Layer Preview" I can still
> see the layers I normally shouldn't be able to see (since I am logged out).
> After then refreshing my browser, my user "XX" is again logged in?! How can
> that be?
>
> Do I have to change something on my LDAP-Server (e.g. Session Timeout?!)?

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Thanks for your answer.
Where can I remove the "Remember me" function?

Thanks in advance

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/Geoserver-Authentication-with-LDAP-tp5262290p5262759.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Hi,

As an admin in GeoServer, click on "Authentication" under "Security" on the left-hand side.

On the page which comes up, under Authentication filters, click the box next to 'rememberme' and then click 'Remove selected'.

In terms of documentation, I'd recommend the particular section:

http://docs.geoserver.org/stable/en/user/webadmin/security/auth.html#authentication-filters

and for more background:

http://docs.geoserver.org/stable/en/user/webadmin/security/index.html
http://docs.geoserver.org/stable/en/user/security/index.html

Cheers,

Jim

On 04/25/2016 08:14 AM, treeflower wrote:

> Thanks for your answer.
> Where can I remove the "Remember me" function?
>
> Thanks in advance


Thank you for your answers.
In the last few days I tried your first suggestion and it seemed to work but
then I encountered another problem :(

As described here:
http://docs.geoserver.org/stable/en/user/security/layer.html#rules

I set the catalog mode to "mode=mixed" as it matches my needs. Every time I
want to log in as an LDAP user now, I get the message "Cannot access XX with
the current privileges".

(Additional notes:
The syntax for layer security is as follows: workspace.layer.r=ROLE_USER1
I noticed that if the catalog mode is set to hide, I can log in as USER1.
But when I read the GetCapabilities Document I can see ALL Layers - also
layers I normally shouldn't be able to see. So I guess that the mixed mode
is the right mode. But how can I solve the privilege problem?!)

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/Geoserver-Authentication-with-LDAP-tp5262290p5263912.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Hi,

No worries. Happy to help. I have two questions/suggestions:

First, for your current setup, do you have any of the original *.*.r = * or *.*.w = * entries remaining? That might be causing the issues...

Second, have you had a chance to try out the LDAP tutorial here: http://docs.geoserver.org/stable/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles ? That guide may provide a concrete way to see things work out once in an example environment.

Cheers,

Jim

On 5/2/2016 9:01 AM, treeflower wrote:

> Thank you for your answers.
> In the last few days I tried your first suggestion and it seemed to work but
> then I encountered another problem :(
>
> As described here:
> http://docs.geoserver.org/stable/en/user/security/layer.html#rules
>
> I set the catalog mode to "mode=mixed" as it matches my needs. Every time I
> want to log in as an LDAP user now, I get the message "Cannot access XX with
> the current privileges".
>
> (Additional notes:
> The syntax for layer security is as follows: workspace.layer.r=ROLE_USER1
> I noticed that if the catalog mode is set to hide, I can log in as USER1.
> But when I read the GetCapabilities Document I can see ALL Layers - also
> layers I normally shouldn't be able to see. So I guess that the mixed mode
> is the right mode. But how can I solve the privilege problem?!)

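
Added example, not part of the thread and not GeoServer code: a small Python check for the leftover `*.*.r=*` / `*.*.w=*` entries asked about in the last reply. It assumes the rules are kept in a layers.properties-style file using the `workspace.layer.r=ROLE` syntax quoted in the thread and that the most specific matching rule wins; the workspace and layer names in the sample are made up.

```python
# Added example: audit GeoServer-style layer security rules for catch-all grants.
# SAMPLE is constructed for illustration; ROLE_USER1 and the rule syntax come
# from the thread, the workspace/layer names and ROLE_USER2 are made up.
SAMPLE = """\
# constructed sample in layers.properties syntax
mode=mixed
*.*.r=*
*.*.w=*
topp.*.r=ROLE_USER2
topp.states.r=ROLE_USER1
"""

def parse_rules(text):
    """Return (catalog_mode, rules); rules maps (workspace, layer, access) -> set of roles."""
    mode, rules = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "mode":
            mode = value.lower()
            continue
        parts = key.split(".")
        if len(parts) != 3 or parts[2] not in ("r", "w", "a"):
            continue  # not a workspace.layer.access rule
        rules[tuple(parts)] = {r.strip() for r in value.split(",") if r.strip()}
    return mode, rules

def catch_all_grants(rules):
    """Rules that give every role (including anonymous) access to something."""
    return sorted(".".join(key) for key, roles in rules.items() if "*" in roles)

def effective_roles(rules, workspace, layer, access="r"):
    """Roles for one layer, assuming the most specific matching rule wins."""
    for key in ((workspace, layer, access), (workspace, "*", access), ("*", "*", access)):
        if key in rules:
            return rules[key]
    return set()

def open_to_everyone(rules, workspace, layer, access="r"):
    """True if the rule that applies to this layer grants access to all roles."""
    return "*" in effective_roles(rules, workspace, layer, access)
```

Any layer for which `open_to_everyone` returns True is reachable without a matching LDAP-derived role, so a per-layer rule elsewhere in the file does not protect it for that access type.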