Login to REST API with LDAP account returns 401

Hi there,

Have recently been twiddling with the LDAP Role Service on GeoServer and seem to be coming across a problem where a local user from the default XML role store will work, but an LDAP user won’t.

This seems to have happened in the past but appears to have been resolved: [GEOS-7327] Access to REST endpoints blocked when using LDAP authentication - JIRA

PS C:\Users\usr> curl --basic -v -u <LDAP username> -XGET http://dev-geoserver.gdnnet.lan/geoserver/rest/workspaces.xml
[ ..]
HTTP Status 403 – Forbidden
The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.107

Lookup of the roles appears to be handled correctly; I have added the LDAP role into rest.properties and this then appears in the log trace. I am a member of LDAP_SG-GDIM-GIS and this is also declared as admin.

08 Dec 18:16:33 DEBUG  [geoserver.security] - Converted URL to lowercase, from: '/rest/workspaces.xml'; to: '/rest/workspaces.xml'  and httpMethod= GET
08 Dec 18:16:33 DEBUG  [geoserver.security] - ~~~~~~~~~~ antPath= /** methodList= [GET]
08 Dec 18:16:33 DEBUG  [geoserver.security] - Candidate is: '/rest/workspaces.xml'; antPath is /**; matchedPath=true; matchedMethods=true
08 Dec 18:16:33 DEBUG  [geoserver.security] - returning ADMIN,LDAP_SG-GDIM-GIS

Running the same command as a local user in the ADMIN group returns OK!

PS C:\Users\usr> curl --basic -v -u sa_geoserver_inspire -XGET http://dev-geoserver.gdnnet.lan/geoserver/rest/workspaces.xml

[...]
<workspaces>
[....]

Swapping the provider chain around so that the LDAP user is above default doesn’t deliver a good result. Hierarchical group search on/off doesn’t seem to impact either. Have tried using the user@domain and DOMAIN\user syntax for logging in, still get a 401.

It feels like the REST API just isn’t consulting the LDAP Role Service?
Would be really grateful for any input.

Joey

Having tried to look further into this and exclude some factors, it appears that the role lookup/chain works well in the GUI but not for the REST API.

Switching the Active role service to the LDAP and adjusting the Provider chain so that the LDAP provider was before default still didn’t resolve this.

For me there are a couple of bits that are unclear:

  1. Role lookup seems to differ between Wicket and REST, but it’s unclear if this needs to be further declared in rest.properties. Does anyone have any advice on this?
  2. The documentation is titled for OWS and REST flows but doesn’t have any explanation of the REST flow, so I assumed this was the same but it appears not?
    Authentication to OWS and REST services — GeoServer 2.28.0 User Manual
  3. I thought maybe using the LDAP User/Group service would fix this, but the fact that changing the Active role service to the LDAP provider still doesn’t work makes me think it might not.

Ultimately it’s a bit confusing that behaviour between REST and the GUI differ.

For anyone stumbling across this, the workaround for now was to make some local accounts and then use these for REST actions, but that’s a little less than ideal.

Thanks so much for any information!

Filed this as a bug:

[GEOS-12059] REST API appears to only evaluate local (e.g. default) role service and cannot evaluate LDAP - JIRA