[GIS] Mapping Active Directory groups to GeoServer roles

Tags: authentication, geoserver

I am trying to grant the GeoServer ADMIN role to members of an Active Directory group. I have followed the documentation here and here. My Active Directory users can successfully login, but the members of my Active Directory admin group do not receive ADMIN privileges in GeoServer.

Is there a problem with my configuration (below)?

I have tried many, many other filter values, without any success. Even if you can't offer a solution, comments from anyone who has successfully used Active Directory groups in GeoServer will let me know the functionality works as documented.


Here are my LDAP Authorization settings in GeoServer (values have been changed for public posting, but the general structure is accurate):

Use LDAP groups for authorization: checked
Bind user before searching for groups: checked
Group search base: OU=Groups,OU=Department,OU=Company Name,DC=domain,DC=com
Group search filter: (member={1}) where {1} is apparently the user's complete distinguished name
Group to use as ADMIN: GeoServer Admins
Group to use as GROUP_ADMIN: GeoServer Admins

When I use an LDAP utility (Softerra LDAP Administrator), the following settings will successfully return a user's groups:

Search DN: OU=Groups,OU=Department,OU=Company Name,DC=domain,DC=com
Filter: (member=CN=Firstname Lastname,OU=Users,OU=Department,OU=Company Name,DC=domain,DC=com)

(I have not set up an LDAP Role Service in GeoServer, but I don't think I need to if I simply want to map one AD group to the ADMIN role in GeoServer?)

Best Answer

I just set this up on a test server here and got it to work.

One issue I see in your question: the doc says the "Group Search Base" should be "CN=Users". That setting works fine for me. You have something different in your config. I think the settings you show are for the sample LDAP setup on the docs, there is also a specific section on Active Directory with LDAP, which has that parameter in it.

Also, I think the "Group Search Filter" parameter should be "member={1},dc=domain,dc-com"

If all you want is the Admin role to be assigned to an AD group, then you don't need to add the LDAP Role Service, just the LDAP Authentication provider.

Also, I was running into the issue you described: I was able to log in, but did not get admin privileges on Geoserver. What resolved it for me was restarting the webserver. On Ubuntu, I did:

sudo service tomcat7 restart

And just FYI, I installed Geoserver through the Boundless Geosuite with apt-get on Ubuntu 14.04. I set up AD and it works to allow me to log in, and I assigned a group as admin group, which works as well.
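The group lookup that the question's settings and the answer's corrections are both tuning (bind as the user, search the group base with `(member={1})`, then compare the returned group names against the configured ADMIN / GROUP_ADMIN group) can be simulated offline. The following is an added example, not code from the question, the answer, or GeoServer itself; it runs against a constructed in-memory directory instead of a live AD server, uses the role labels "ADMIN" and "GROUP_ADMIN" exactly as they appear in the question's settings (GeoServer's internal role names are not assumed here), and shows two things the thread touches on: a group search base that does not contain the group yields no roles at all, and a user DN containing filter metacharacters such as parentheses must be escaped per RFC 4515 before it is substituted into the filter.

```python
"""Simulation of LDAP group-based role resolution (added example, not GeoServer code)."""
import re

# --- constructed sample directory; all DNs and names are made up -------------
GROUP_SEARCH_BASE = "OU=Groups,OU=Department,OU=Company Name,DC=domain,DC=com"
USERS_BASE = "OU=Users,OU=Department,OU=Company Name,DC=domain,DC=com"
USER_DN = "CN=Firstname Lastname," + USERS_BASE
CONTRACTOR_DN = "CN=Pat Jones (Contractor)," + USERS_BASE   # parentheses in the RDN
OTHER_DN = "CN=Other Person," + USERS_BASE

DIRECTORY = [
    {"dn": "CN=GeoServer Admins," + GROUP_SEARCH_BASE, "cn": ["GeoServer Admins"],
     "member": [USER_DN, OTHER_DN]},
    {"dn": "CN=GIS Editors," + GROUP_SEARCH_BASE, "cn": ["GIS Editors"],
     "member": [USER_DN.lower(), CONTRACTOR_DN]},   # AD matches DNs case-insensitively
    {"dn": "CN=Domain Admins,CN=Users,DC=domain,DC=com", "cn": ["Domain Admins"],
     "member": [OTHER_DN]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, as a directory server would apply it."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def normalize_dn(dn: str) -> str:
    """Case-insensitive DN comparison, ignoring whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def build_group_filter(template: str, user_dn: str) -> str:
    """Substitute {1} in the configured 'Group search filter' with the escaped user DN."""
    return template.replace("{1}", escape_filter_value(user_dn))


def search(directory, base_dn: str, ldap_filter: str):
    """Minimal evaluator for one equality filter such as (member=<dn>), scoped to base_dn."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("only a single (attr=value) filter is supported in this simulation")
    attr = m.group(1).lower()
    wanted = normalize_dn(unescape_filter_value(m.group(2)))
    base = normalize_dn(base_dn)
    hits = []
    for entry in directory:
        if not normalize_dn(entry["dn"]).endswith("," + base):
            continue   # outside the search base: the server never returns it
        if any(normalize_dn(v) == wanted for v in entry.get(attr, [])):
            hits.append(entry)
    return hits


def resolve_roles(user_dn, search_base, filter_template, admin_group, group_admin_group,
                  directory=DIRECTORY):
    """Return (matched group names, granted roles) for a user, mirroring the settings
    'Group search base', 'Group search filter', 'Group to use as ADMIN/GROUP_ADMIN'."""
    groups = {e["cn"][0] for e in search(directory, search_base,
                                         build_group_filter(filter_template, user_dn))}
    lowered = {g.lower() for g in groups}
    roles = set()
    if admin_group.lower() in lowered:
        roles.add("ADMIN")
    if group_admin_group.lower() in lowered:
        roles.add("GROUP_ADMIN")
    return groups, roles


if __name__ == "__main__":
    for base in (GROUP_SEARCH_BASE, "CN=Users,DC=domain,DC=com"):
        print(base, "->", resolve_roles(USER_DN, base, "(member={1})",
                                        "GeoServer Admins", "GeoServer Admins"))
    print(build_group_filter("(member={1})", CONTRACTOR_DN))
    print(resolve_roles(CONTRACTOR_DN, GROUP_SEARCH_BASE, "(member={1})",
                        "GeoServer Admins", "GeoServer Admins"))
```

Running it shows the admin user receiving both ADMIN and GROUP_ADMIN when the search base is the OU that actually holds the group, an empty result when the base points elsewhere, and the contractor's DN arriving in the filter as `CN=Pat Jones \28Contractor\29,...` yet still matching the GIS Editors entry without being granted ADMIN. When debugging a real deployment, the same three checks (does the base contain the group, does the substituted DN exactly match the `member` values, is the configured group name spelled as the group's `cn`) are the ones to verify against the server's own logs.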
