Authentication with LDAP against ActiveDirectory
This tutorial explains how to use GeoServer LDAP support to connect to a Windows Domain using ActiveDirectory as an LDAP server. It is recommended that the LDAP authentication section be read before proceeding.
Windows Server and ActiveDirectory
Active Directory is just another LDAP server implementation, but has some features that we must know to successfully use it with GeoServer LDAP authentication. In this tutorial we will assume to have a Windows Server Domain Controller with ActiveDirectory named domain-controller
for a domain named ad.local
. If your environment uses different names (and it surely will) use your real names where needed.
We will also assume that:
- a group named
GISADMINGROUP
exists.- a user named
GISADMIN
exists, has passwordsecret
, and belongs to theGISADMINGROUP
group.- a user named
GISUSER
exists, has passwordsecret
, and does NOT belong to theGISADMINGROUP
group.
Note
ADMINISTRATOR cannot be generally used as the admin group name with ActiveDirectory, because Administrator is the root user name in Windows environment.
Configure the LDAP authentication provider
-
Start GeoServer and login to the web admin interface as the
admin
user. -
Click the
Authentication
link located under theSecurity
section of the navigation sidebar. -
Scroll down to the
Authentication Providers
panel and click theAdd new
link. -
Click the
LDAP
link. -
Fill in the fields of the settings form as follows:
- Set
Name
to "ad-ldap" - Set
Server URL
to " - Set
Filter used to lookup user
to(|(userPrincipalName={0})(sAMAccountName={1}))
- Set
Format used for user login name
to "{0%7D@ad.local" - Check
Use LDAP groups for authorization
- Check
Bind user before searching for groups
- Set
Group to use as ADMIN
to "GISADMINGROUP" - Set
Group search base
to "cn=Users" - Set
Group search filter
to "member={0}"
- Set
-
Test the LDAP connection by entering the username "GISADMIN" and password "secret" in the connection test form located on the right and click the
Test Connection
button.A successful connection should be reported at the top of the page.
-
Save.
-
Back on the authentication page scroll down to the
Provider Chain
panel and move thead-ldap
provider fromAvailable
toSelected
. -
Save.
Test a LDAP login
- Navigate to the GeoServer home page and log out of the admin account.
. Login as the user "GISUSER" with the password "secret".
Logging in as GISUSER doesn't yield any administrative functionality because the GISUSER account has not been mapped to the administrator role. In the next section GeoServer will be configured to map groups from the LDAP database to roles.
Now we will login with a user having administrative rights.
- Navigate to the GeoServer home page and log out of the account.
- Login as the user "GISADMIN" with the password "secret".
Once logged in full administrative functionality should be available.
Configure the LDAP role service
An additional step permits to configure a role service to get GeoServer roles from the LDAP repository and allow access rights to be assigned to those roles.
-
Click the
Users,Group,Roles
link located under theSecurity
section of the navigation sidebar. -
Click the
Add new link
under theRole Services
section. -
Click the
LDAP
option under theNew Role Service
section. -
Enter
ldapadrs
in theName
text field. -
Enter
ldap://domain-controller/dc=ad,dc=local
in theServer URL
text field. -
Enter
CN=Users
in theGroup search base
text field. -
Enter
member={1},dc=ad,dc=local
in theGroup user membership search filter
text field. -
Enter
objectClass=group
in theAll groups search filter
text field. -
Enter
sAMAccountName={0}
in theFilter used to lookup user
text field.
Then we need to a choose a user to authenticate on the server (many LDAP server don't allow anonymous data lookup).
- Check the
Authenticate to extract roles
checkbox. - Enter
GISADMIN@ad.local
in theUsername
text field. - Enter
secret
in thePassword
text field. - Save.
- Click the
ldapadrs
role service item under theRole Services
section. - Select
ROLE_DOMAIN ADMINS
from theAdministrator role
combo-box. - Select
ROLE_DOMAIN ADMINS
from theGroup administrator role
combo-box. - Save again.
You should now be able to see and assign the new ActiveDirectory roles wherever an Available Roles
list is shown (for example in the Data
and Services
rules sections.