It is still passed as plain text, but it would not be visible to anyone outside your network.
-----Original Message-----
From: Stefan Overkamp [mailto:overkamp@…9782…]
Sent: Tuesday, 2 June 2020 4:15 PM
To: Humphries, Graham <Graham.Humphries@...9749...>; rdmailings@...5924...
Cc: GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
Subject: Re: [Geoserver-users] ldap security issues in 2.16/17
Not when GeoServer and the LDAP service are in the same private network. Or?
Stefan
On 01.06.2020 at 23:40, Humphries, Graham wrote:
As I understand it, not using TLS in your LDAP configuration means your authentication details are being passed as plain text. This is a serious security problem.
-----Original Message-----
From: Stefan Overkamp [mailto:overkamp@…9782…]
Sent: Tuesday, 2 June 2020 1:34 AM
To: rdmailings@...5924...
Cc: GeoServer Mailing List List
<geoserver-users@lists.sourceforge.net>
Subject: Re: [Geoserver-users] ldap security issues in 2.16/17
Hi Richard,
we are using LDAP.
LDAP was already running fine 2 years ago with GeoServer 2.13 when I joined my new employer.
Our role service configuration (German UI) is approximately as follows:
Administrator role: ROLE_ADMIN
Group administrator role: ROLE_GRUPPEN_ADMIN
Server URL: ldap://****.de:389/dc=huhu,dc=de
TLS: not enabled
Search base for groups: ou=ogc_dienste
Search filter for group membership of users: member=cn={0},ou=user,dc=huhu,dc=de
Search filter for all groups: cn=*
Filter used for user search: member=cn={0},ou=user,dc=huhu,dc=de
authentication credentials
and "Enable hierarchical groups search" not enabled
Stefan
On 01.06.2020 at 13:23, Richard Duivenvoorde wrote:
Hi Stefan,
Thanks for the check! I was eager to see if it fitted, but we already
did not configure TLS ... I tested both, but without success. Are you
authenticating against an Active Directory, or LDAP?
Pretty frustrating, this. There is so much to configure with magic
terms like (member={0}) etc. etc., and 'Group Search base' on different
config pages.
There has to be some difference. I even swapped the spring-ldap jars
in the versions (without success).
Tried the 'group search' thingie etc. etc.
There is (to me) no way to see what is sent/received (LDAP-wise)
because only the abstract filter and outcome are logged (and THOSE
are exactly the same, except that 2.13 is returning a set and >2.15 is not)?
Regards,
Richard Duivenvoorde
On 6/1/20 8:39 AM, Stefan Overkamp wrote:
Hi list,
we are running geoserver 2.17.0 in a docker container with
tomcat:9.0.31-jdk11-openjdk and have no problems.
I took a look into our ticket system and found an issue 2 months ago
with LDAP: I had to change
geoserver/security/role/[ourroleservicename]/config.xml
from
<useTLS>true</useTLS>
to
<useTLS>false</useTLS>
Maybe there is the same server configuration change on Richard's ldap site.
Stefan
--
Dipl. Ing. Stefan Overkamp
Laakmannsbusch 44, 42555 Velbert
tel.: 0177 / 79 76 159
overkamp@...9782...
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
________________________________
CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.