Hi everyone,
I am struggling with LDAP as GeoServer (2.24.2) does not manage to pick up groups/roles from it.
I did post on https://gis.stackexchange.com/questions/477658/geoserver-does-not-find-ldap-groups-of-user with no solution so far.
- LDAP users can log in.
- An LDAP User/Group Service does discover the users and groups.
- An LDAP Role Service does discover/create the roles (ROLE_GROUPNAME).
-----
There are several older inconclusive threads about probably the same issue, seemingly introduced after 2.15.2:
- https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/a799bca3-0741-5caf-1db1-ca017b35a78e@anonymised.com/
- https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/d2bb87fd-7a89-0aa5-7a3f-e975aaeba967@anonymised.com/
- https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/SJ0PR08MB6800C0E997D3CBD049D22B8ED71F9@anonymised.com/
https://osgeo-org.atlassian.net/browse/GEOS-10452 was closed with a commit that was not actually related to the ticket.
The ticket is about role discovery for a user that is being authenticated. The commit was about the Role Service, a component that makes existing groups/roles visible in GeoServer. From all I have found so far, the Role Service is *not* related to the role discovery during authentication.
So I think that ticket was wrongly closed.
-----
I have used the very same LDAP user, query, etc. in a Python script with success, so the filters and whatnot seem correct.
I have tried using a 2.15.2 geoserver.war without success (but maybe using the same GeoServer data directory led to issues).
I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and gs-web-sec-ldap-2.15.2.jar as suggested in https://sourceforge.net/p/geoserver/mailman/message/37633270/ without success.
I have tried using the existing 2.24.2 with gs-sec-ldap-2.15.2.jar and gs-web-sec-ldap-2.15.2.jar PLUS (spring-ldap-core-2.0.2.RELEASE.jar and spring-security-ldap-4.0.4.RELEASE.jar) or (spring-ldap-core-2.3.2.RELEASE.jar and spring-security-ldap-5.1.5.RELEASE.jar) without success.
I have tried using the existing 2.24.2 with (spring-ldap-core-2.0.2.RELEASE.jar and spring-security-ldap-4.0.4.RELEASE.jar) or (spring-ldap-core-2.3.2.RELEASE.jar and spring-security-ldap-5.1.5.RELEASE.jar) without success.
I compiled GeoServer 2.25 using Maven and added some more logging in BindingLdapAuthoritiesPopulator.java#getGroupMembershipRoles to see the formattedFilter before and after the escaping, and also inspect the other variables.
They all look fine.
-----
Strangely, it seems to work with the acme-ldap.jar from https://docs.geoserver.org/main/en/user/security/tutorials/ldap/index.html
bob gets ROLE_USER with it.
The group/role discovery seems to work differently with that setup though. There are no "security.ldap" lines in the log when using it, instead all I see is:
28 Feb 13:24:15 DEBUG [filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=uid=bob,ou=people,dc=acme,dc=org; Username=bob; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=GeoServerWebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=A02D2978C7562773FF7F842FCF3B3E99], Granted Authorities=[ROLE_AUTHENTICATED, ROLE_USER]]
One small difference might be that this uses ou=groups, not cn=groups, but I have no clue if that is something meaningful or just text.
-----
Is anyone using a standard GeoServer 2.24 with working role discovery via LDAP?
Could this be something in Spring?
Cheers, Hannes
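To make the group-to-role step discussed above concrete, here is an added, offline model of what a Spring-Security-style authorities populator does with the group search base, the `(member={0})` filter and the role prefix. This is not the poster's Python script or GeoServer code; the escaping and `ROLE_` naming rules are my assumptions about Spring's `DefaultLdapAuthoritiesPopulator` (which `BindingLdapAuthoritiesPopulator` extends), and the directory is a constructed dict standing in for a real LDAP server.

```python
"""Offline model of Spring-style LDAP group membership -> ROLE_* discovery.
Constructed example; escaping/naming rules are assumptions about Spring, and
the dict below stands in for a live directory (no real server is contacted)."""
from typing import Dict, List

# RFC 4515 special characters and their escaped form (assumed to match
# what Spring's LdapEncoder.filterEncode emits before the search is sent).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def filter_encode(value: str) -> str:
    """Escape a value before it is substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def format_group_filter(template: str, user_dn: str, username: str) -> str:
    """{0} is the authenticated user's DN, {1} the login name, both escaped."""
    return template.replace("{0}", filter_encode(user_dn)).replace("{1}", filter_encode(username))


def roles_for_user(directory: Dict[str, Dict[str, List[str]]], group_search_base: str,
                   group_filter: str, user_dn: str, username: str,
                   group_role_attribute: str = "cn", role_prefix: str = "ROLE_") -> List[str]:
    """Sorted ROLE_* names of groups under the search base that match the filter."""
    formatted = format_group_filter(group_filter, user_dn, username)
    # Toy matcher: supports the common single-equality shape "(member={0})" only.
    attr, _, wanted = formatted.strip("()").partition("=")
    roles = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith("," + group_search_base.lower()):
            continue  # wrong base (e.g. cn=groups vs ou=groups): group is never seen
        if any(filter_encode(v) == wanted for v in attrs.get(attr, [])):
            roles.extend(role_prefix + r.upper() for r in attrs.get(group_role_attribute, []))
    return sorted(roles)


# Constructed directory in the acme tutorial layout (not a dump of a real server).
BOB_DN = "uid=bob,ou=people,dc=acme,dc=org"
DIRECTORY = {
    BOB_DN: {"uid": ["bob"]},
    "cn=admin,ou=groups,dc=acme,dc=org": {"cn": ["admin"], "member": [BOB_DN]},
    "cn=user,ou=groups,dc=acme,dc=org": {"cn": ["user"],
                                         "member": [BOB_DN, "uid=alice,ou=people,dc=acme,dc=org"]},
}

if __name__ == "__main__":
    print(format_group_filter("(member={0})", BOB_DN, "bob"))
    print(roles_for_user(DIRECTORY, "ou=groups,dc=acme,dc=org", "(member={0})", BOB_DN, "bob"))
    print(roles_for_user(DIRECTORY, "cn=groups,dc=acme,dc=org", "(member={0})", BOB_DN, "bob"))
```

The last call shows the failure mode from the post: with the search base pointing at a container that does not hold the groups, or with a membership attribute the groups do not carry, the user authenticates but gets no ROLE_* authorities at all.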