LDAP groups and roles concepts are mixed #265

Open
etj opened this issue Apr 14, 2022 · 3 comments
etj commented Apr 14, 2022

In the existing code, roles and groups are just merged together.
The only difference is that they have separate filters, and groups can be searched hierarchically.
Also, mapping is performed using the same mapping bean.

This current implementation leads to:

  • ldap groups retrieved by the role filter are saved as geostore groups (along with the real groups we want to import)
  • ...

A quick fix to this may be:

  • Use different mappers for groups and roles
  • Allow mappers to drop input authorities that are not mapped

In this way we can use a proper mapping for roles that discards any role found in LDAP but not useful for privilege settings inside geostore; and the mapped roles will not be saved as geostore groups.


Since this issue was found in a quite old version (1.7), we want any fixes applied to be backward compatible, i.e. if the jars are updated but the configuration is not, it should work exactly as before.
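The quick fix proposed above, as an added sketch that is not GeoStore's own code: one mapper per authority kind, with an opt-in flag to drop unmapped input that defaults to the legacy pass-through. The class, method and flag names are hypothetical, and the LDAP names are constructed sample data.

```java
import java.util.*;

// Hypothetical sketch: names here are assumptions, not GeoStore's API.
public class AuthorityMappingExample {

    /** Maps LDAP authority names to application names; can drop unmapped input. */
    static final class AuthorityMapper {
        private final Map<String, String> mapping;
        private final boolean dropUnmapped; // false keeps the legacy behaviour

        AuthorityMapper(Map<String, String> mapping, boolean dropUnmapped) {
            this.mapping = Map.copyOf(mapping);
            this.dropUnmapped = dropUnmapped;
        }

        Set<String> map(Collection<String> ldapNames) {
            Set<String> out = new LinkedHashSet<>();
            for (String name : ldapNames) {
                String mapped = mapping.get(name);
                if (mapped != null) {
                    out.add(mapped);
                } else if (!dropUnmapped) {
                    out.add(name); // legacy: unmapped names pass through unchanged
                }
            }
            return out;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: what the role filter and the group filter return.
        List<String> fromRoleFilter =
                List.of("ROLE_GIS_ADMIN", "ROLE_PRINTER_OPERATORS", "ROLE_VPN_USERS");
        List<String> fromGroupFilter = List.of("EDITORS", "VIEWERS");
        Map<String, String> roleMapping = Map.of("ROLE_GIS_ADMIN", "ADMIN");

        // Current behaviour: one shared mapper, both result sets saved as groups.
        AuthorityMapper shared = new AuthorityMapper(roleMapping, false);
        Set<String> legacyGroups = new LinkedHashSet<>(shared.map(fromGroupFilter));
        legacyGroups.addAll(shared.map(fromRoleFilter));
        System.out.println("legacy, saved as groups: " + legacyGroups);

        // Proposed: separate mappers; the role mapper discards unmapped LDAP roles,
        // and its output is never added to the group set.
        AuthorityMapper roleMapper = new AuthorityMapper(roleMapping, true);
        AuthorityMapper groupMapper = new AuthorityMapper(Map.of(), false);
        System.out.println("fixed, roles:  " + roleMapper.map(fromRoleFilter));
        System.out.println("fixed, groups: " + groupMapper.map(fromGroupFilter));
    }
}
```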

ale-cristofori pushed a commit to ale-cristofori/geostore that referenced this issue Apr 14, 2022
nmco pushed a commit that referenced this issue Apr 15, 2022
#265 LDAP groups and roles concepts are mixed
ale-cristofori commented Apr 20, 2022

@etj, I tested the fix on the client live environment and unwanted groups are still being imported. I built geostore with the help of @taba90 and I believe we are using the version with your fix, now included in the 1.7-SNAPSHOT version. The client is now using MapStore with the 'duplicated' filters on both ldap.roleFilter and ldap.groupFilter and the result is what the client expects. As soon as the ldap.roleFilter is unset, the same problem presents itself again.

@nmco, since the customer is using MapStore just now and there is a workaround in place, I don't want to mess with their LDAP configuration. I am happy to remove the unnecessary filter on roles in the configuration and collect some logs tomorrow morning, to have a better understanding of the situation. I would need some time from one of your resources to investigate this issue further.
I investigated the logs mapstore_logs_2022042.zip but I can't see any issue in there, or at least anything that rings a bell to me. Just to be sure, I opened the jar files to investigate the source code, and the 1.7-SNAPSHOT version of Geostore (https://maven.geo-solutions.it/it/geosolutions/geostore/1.7-SNAPSHOT/), used in the war file of MapStore in the client environment, contains the changes @etj made to fix the LDAP problem. @nmco, this needs a bit more investigation from one of your resources, when possible, thanks.

ale-cristofori commented Apr 20, 2022

Had a second look at the maven repository. @randomorder set up a Jenkins pipeline building to 1.7-SNAPSHOT that has built the artifact every day since 15 April. So from this end it seems it is updated with the fix. https://maven.geo-solutions.it/it/geosolutions/geostore/1.7-SNAPSHOT/

ale-cristofori commented May 11, 2022

This issue can be closed; the fix has been applied with this PR #272 #266

LDAP fix has been backported to stable 1.8.x #274 and master #273

I apparently have no permission to close. @nmco or @taba90, could you do it for me when you can? Thanks
