Users, Groups, Roles
This section provides the configuration options for User/group services and Role services. In addition, users, groups, and roles themselves can be added, edited, or removed. A great deal of configuration can be accomplished in this section and related pages.
User Group Services
In this menu, user/group services can be added, removed, or edited. By default, there is one user/group service in GeoServer, which is XML-based. It is encrypted with Weak PBE and uses the default password policy. It is also possible to have a user/group service based on JDBC, with or without JNDI.
User/group services
Clicking an existing user/group service will enable editing, while clicking the Add new link will configure a new user/group service.
There are three tabs for configuration: Settings, Users, and Groups.
Note
When creating a new user/group service, the form filled out initially can be found under the Settings tab.
Add new XML user/group service
To add a new XML user/group service, click the Add new link. XML is the default option. The following figure shows the configuration options for an XML user/group service.
Adding an XML user/group service
Option | Description |
---|---|
Name | The name of the user/group service |
Password encryption | Sets the type of Password encryption. Options are Plain text, Weak PBE, Strong PBE, and Digest. |
Password policy | Sets the password policy. Options are any active password policies as set in the Passwords section. |
XML filename | Name of the file that will contain the user and group information. Default is users.xml in the security/usergroup/<name_of_usergroupservice> directory. |
Enable schema validation | If selected, forces schema validation to occur every time the XML file is read. This option is useful when editing the XML file by hand. |
File reload interval | Defines the frequency (in milliseconds) at which GeoServer will check for changes to the XML file. If the file is found to have been modified, GeoServer will recreate the user/group database based on the current state of the file. This value is meant to be set in cases where the XML file contents might change "out of process" and not directly through the web admin interface. A value of 0 disables any checking of the file. |
Add new JDBC user/group service
To add a new JDBC user/group service, click the Add new link, and then the JDBC option at the top of the following form. The following figure shows the configuration options for a JDBC user/group service.
Adding a user/group service via JDBC
Option | Description |
---|---|
Name | Name of the JDBC user/group service in GeoServer |
Password encryption | The method used to encrypt user passwords |
Password policy | The policy to use to enforce constraints on user passwords |
JNDI | When unchecked, specifies a direct connection to the database. When checked, specifies an existing connection located through JNDI. |
Driver class name | JDBC driver to use for the database connection |
Connection URL | Specifies the JDBC URL to use when creating the database connection |
Username | Username to use when connecting to the database |
Password | Password to use when connecting to the database |
Create database tables | Specifies whether to create all the necessary tables in the underlying database |
Data Definition Language (DDL) file | Specifies a custom DDL file to use for creating tables in the underlying database, for cases where the default DDL statements fail on the given database. If left blank, internal defaults are used. |
Data Manipulation Language (DML) file | Specifies a custom DML file to use for accessing tables in the underlying database, for cases where the default DML statements fail on the given database. If left blank, internal defaults are used. |
In addition to the parameters listed above, the following additional parameter will apply when the JNDI flag is set.
Adding a user/group service via JDBC with JNDI
Option | Description |
---|---|
JNDI resource name | JNDI name used to locate the database connection. |
Add new LDAP user/group service
To add a new LDAP user/group service, click the Add new link, and then the LDAP option at the top of the following form. The following figure shows the configuration options for a LDAP user/group service.
Adding a user/group service via LDAP
Option | Description |
---|---|
Name | Name of the LDAP user/group service in GeoServer |
Password encryption | The method used to encrypt user passwords |
Password policy | The policy used to enforce constraints on user passwords |
Server URL | URL for the LDAP server connection. It must include the protocol, host, and port, as well as the "distinguished name" (DN) for the root of the LDAP tree. |
TLS | Enables a STARTTLS connection. (See the section on Secure LDAP connections.) |
Group search base | Relative name of the node in the tree to use as the base for LDAP groups. Example: `ou=groups`. The root DN specified as part of the Server URL is automatically appended. |
Filter to search all groups | Sets the LDAP filter used to search all available groups. Leave blank to derive from attribute. |
Filter to search group by name | Sets the LDAP filter used to search a group by its name. Leave blank to derive from attribute. |
Attribute which contains the name of the group | Sets the attribute containing the group name. Leave blank to derive from name filter. |
Query format to retrieve the user/group mapping | Query format used for mapping user/group memberships. Leave blank to derive from attribute. This may contain placeholder values: `{0}`, the username of the user, for example `bob`; `{1}`, the full DN of the user, for example `uid=bob,ou=users`. |
Attribute name to retrieve the user/group mapping | Attribute name used for mapping user/group memberships. Leave blank to derive from filter. |
User search base | LDAP search base for users. |
Filter to search all users | Sets the filter used to search all available users. Leave blank to derive from attribute. |
Filter to search user by name | Sets the filter format used to search a user by its name. Leave blank to derive from attribute. |
Attribute which contains the name of the user | Sets the attribute containing the name for users. Leave blank to derive from name filter. |
List of attributes to populate | Sets a comma-separated list of attributes to populate on users. |
Authenticated onto the LDAP before querying | When checked, all LDAP searches are done in authenticated mode, using the credentials given with the Username and Password options. |
Username | Username to use when connecting to the LDAP server. Only applicable when the Authenticated onto the LDAP before querying parameter is checked. |
Password | Password to use when connecting to the LDAP server. Only applicable when the Authenticated onto the LDAP before querying parameter is checked. |
Enable Hierarchical groups search | When checked, all LDAP group searches use hierarchical mode, retrieving LDAP parent groups too. |
Max depth for hierarchical groups search | Maximum depth for the hierarchical LDAP groups search; use -1 for infinite depth. Only applicable when the Enable Hierarchical groups search parameter is checked. |
Nested group search filter | LDAP search pattern for searching parent groups. Only applicable when the Enable Hierarchical groups search parameter is checked. |
Edit user/group service
Once the new user/group service is added (either XML or JDBC), clicking on it in the list of user/group services will allow additional options to be specified, such as the users and groups associated with the service.
There are three tabs in the resulting menu: Settings, Users, and Groups. The Settings tab is identical to that found when creating the user/group service, while the others are described below.
The Users tab provides options to configure users in the user/group service.
Users tab
Clicking a username will allow its parameters to be changed, while clicking the Add new link will create a new user.
Add user
Creating or editing a user
Option | Description |
---|---|
User name | The name of the user |
Enabled | When selected, will enable the user to authenticate |
Password | The password for this user. Existing passwords will be obscured when viewed. |
Confirm password | To set or change the password enter the password twice. |
User properties | Key/value pairs associated with the user. Used for associating additional information with the user. |
Group list | Full list of groups, including list of groups to which the user is a member. Membership can be toggled here via the arrow buttons. |
Add a new group | Shortcut to adding a new group. Also available in the Groups tab. |
Role list | Full list of roles, including a list of roles to which the user is associated. Association can be toggled here via the arrow buttons. |
Add a new role | Shortcut to adding a new role |
List of current roles for the user | List of current roles associated with the user. Click a role to enable editing. |
The Groups tab provides configuration options for groups in this user/group service. There are options to add and remove a group, with an additional option to remove a group and the roles associated with that group.
Groups tab
Remove User
There are two related buttons that are responsible for removing users: Remove Selected, and Remove Selected and remove role associations.
- Remove Selected removes the user from users.xml and leaves roles.xml untouched.
- Remove Selected and remove role associations removes the user from users.xml and also removes the user and the roles associated with that user from roles.xml.
Users tab
Add group
Creating or editing a group
Option | Description |
---|---|
Group name | The name of the group |
Enabled | When selected the group will be active |
Role list | Full list of roles, including a list of roles to which the group is associated. Association can be toggled here via the arrow buttons. |
Add a new role | Shortcut to adding a new role |
Role services
In this menu, role services can be added, removed, or edited. By default, the active role service in GeoServer is XML-based, but it is also possible to have a role service based on JDBC, with or without JNDI.
The Administrator role is called ROLE_ADMINISTRATOR.
Role services
Clicking an existing role service will open it for editing, while clicking the Add new link will configure a new role service.
There are two pages for configuration: Settings and Roles.
Note
When creating a new role service, the form filled out initially can be found under the Settings tab.
Add new XML role service
To add a new XML role service, click the Add new link. XML is the default option. The following figure shows the configuration options for an XML role service.
Adding an XML role service
Option | Description |
---|---|
Name | The name of the role service |
Administrator role | The name of the role that performs the administrator functions |
XML filename | Name of the file that will contain the role information. Default is roles.xml in the security/role/<name_of_roleservice> directory. |
File reload interval | Defines the frequency (in milliseconds) at which GeoServer will check for changes to the XML file. If the file is found to have been modified, GeoServer will recreate the role database based on the current state of the file. This value is meant to be set in cases where the XML file contents might change "out of process" and not directly through the web admin interface. A value of 0 disables any checking of the file. |
Add new JDBC role service
To add a new JDBC role service, click the Add new link, and then the JDBC option at the top of the following form. The following figure shows the configuration options for a JDBC role service.
Adding a role service via JDBC
Option | Description |
---|---|
Name | Name of the JDBC role service in GeoServer |
Administrator role | The name of the role that performs the administrator function |
JNDI | When unchecked, specifies a direct connection to the database. When checked, specifies an existing connection located through JNDI. |
Driver class name | JDBC driver to use for the database connection |
Connection URL | Specifies the JDBC URL to use when creating the database connection |
Username | Username to use when connecting to the database |
Password | Password to use when connecting to the database |
Create database tables | Specifies whether to create all the necessary tables in the underlying database |
Data Definition Language (DDL) file | Specifies a custom DDL file to use for creating tables in the underlying database, for cases where the default DDL statements fail on the given database. If left blank, internal defaults are used. |
Data Manipulation Language (DML) file | Specifies a custom DML file to use for accessing tables in the underlying database, for cases where the default DML statements fail on the given database. If left blank, internal defaults are used. |
In addition to the parameters listed above, the following additional parameter will apply when the JNDI flag is set.
Adding a role service via JDBC with JNDI
Option | Description |
---|---|
JNDI resource name | JNDI name used to locate the database connection. |
Add new LDAP role service
To add a new LDAP role service, click the Add new link, and then the LDAP option at the top of the following form. The following figure shows the configuration options for a LDAP role service.
Adding a role service via LDAP
Option | Description |
---|---|
Name | Name of the LDAP role service in GeoServer |
Administrator role | The name of the role that performs the administrator function |
Group administrator role | The name of the role that performs the group administrator function |
Server URL | URL for the LDAP server connection. It must include the protocol, host, and port, as well as the "distinguished name" (DN) for the root of the LDAP tree. |
TLS | Enables a STARTTLS connection. (See the section on Secure LDAP connections.) |
Group search base | Relative name of the node in the tree to use as the base for LDAP groups. Example: `ou=groups`. The root DN specified as part of the Server URL is automatically appended. |
Group user membership search filter | Search pattern for extracting the LDAP groups a user belongs to. This may contain placeholder values: `{0}`, the username of the user, for example `bob`; `{1}`, the full DN of the user, for example `uid=bob,ou=users`. To use the `{1}` placeholder, the Filter used to lookup user needs to be defined, so that the DN of a user can be extracted from its username. |
All groups search filter | Search pattern for locating the LDAP groups to be mapped to GeoServer roles inside the Group search base root node. |
Filter used to lookup user | Optional filter used to extract a user DN, to be used together with the Group user membership search filter when the `{1}` placeholder is specified. This may contain a placeholder value: `{0}`, the username of the user, for example `bob`. |
Role prefix | Prefix prepended to role names extracted from the LDAP. If left blank, no prefix is inserted. |
Convert Role To Upper Case | If selected, all role names extracted from the LDAP are converted to upper case. |
Authenticate to extract roles | When checked, all LDAP searches are done in authenticated mode, using the credentials given with the Username and Password options. |
Username | Username to use when connecting to the LDAP server. Only applicable when the Authenticate to extract roles parameter is checked. |
Password | Password to use when connecting to the LDAP server. Only applicable when the Authenticate to extract roles parameter is checked. |
Enable Hierarchical groups search | When checked, all LDAP group searches use hierarchical mode, retrieving LDAP parent groups too. |
Max depth for hierarchical groups search | Maximum depth for the hierarchical LDAP groups search; use -1 for infinite depth. Only applicable when the Enable Hierarchical groups search parameter is checked. |
Nested group search filter | LDAP search pattern for searching parent groups. Only applicable when the Enable Hierarchical groups search parameter is checked. |
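As an added example (not GeoServer's own code), the Python below walks through how the `{0}`/`{1}` placeholders from the user/group and role LDAP tables above are filled, how the Filter used to lookup user supplies the DN that `{1}` needs, and how Role prefix, Convert Role To Upper Case and the hierarchical groups search with its max depth (-1 for infinite) shape the resulting role names. The directory entries, the filter strings, the single-equality filter evaluator and the depth-counting convention are this example's own assumptions; substituted values are RFC 4515 escaped so a username cannot alter the structure of the filter it is placed into.

```python
import re
from typing import Dict, List, Optional

# Constructed in-memory directory (DN -> attributes); stands in for a real LDAP server.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=bob,ou=users,dc=example,dc=org": {"uid": ["bob"]},
    "cn=editors,ou=groups,dc=example,dc=org": {
        "cn": ["editors"], "member": ["uid=bob,ou=users,dc=example,dc=org"]},
    "cn=staff,ou=groups,dc=example,dc=org": {
        "cn": ["staff"], "member": ["cn=editors,ou=groups,dc=example,dc=org"]},
    "cn=everyone,ou=groups,dc=example,dc=org": {
        "cn": ["everyone"], "member": ["cn=staff,ou=groups,dc=example,dc=org"]},
}
USERS_BASE, GROUPS_BASE = "ou=users,dc=example,dc=org", "ou=groups,dc=example,dc=org"
_EQUALITY = re.compile(r"^\((\w+)=(.+)\)$")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a substituted value can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(pattern: str, username: str, user_dn: Optional[str] = None) -> str:
    """Fill the {0} (username) and {1} (user DN) placeholders described on the page."""
    if "{1}" in pattern and user_dn is None:
        raise ValueError("{1} needs a DN: define the 'Filter used to lookup user'")
    out = pattern.replace("{0}", escape_filter_value(username))
    return out.replace("{1}", escape_filter_value(user_dn)) if user_dn else out

def search(base: str, ldap_filter: str) -> List[str]:
    """Toy evaluator for a single (attr=value) equality filter below a base DN (assumption)."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are supported here")
    attr, value = m.groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and value in attrs.get(attr, [])]

def roles_for_user(username: str, hierarchical: bool = False, max_depth: int = -1,
                   prefix: str = "ROLE_", upper: bool = True) -> List[str]:
    """Derive role names with the page's settings; the filter strings are this example's own."""
    hits = search(USERS_BASE, expand("(uid={0})", username))      # Filter used to lookup user
    if len(hits) != 1:
        return []                                                  # unknown/ambiguous: no roles
    groups = search(GROUPS_BASE, expand("(member={1})", username, hits[0]))  # membership filter
    frontier, depth = list(groups), 0                              # depth counts parent levels
    while hierarchical and frontier and (max_depth < 0 or depth < max_depth):
        parents: List[str] = []                                    # one level of parent groups
        for child in frontier:
            for p in search(GROUPS_BASE, "(member=%s)" % escape_filter_value(child)):
                if p not in groups and p not in parents:           # also guards against cycles
                    parents.append(p)
        groups, frontier, depth = groups + parents, parents, depth + 1
    names = [DIRECTORY[g]["cn"][0] for g in groups]
    return [prefix + (n.upper() if upper else n) for n in names]
```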
Edit role service
Once the new role service is added (either XML or JDBC), clicking it in the list of role services will allow the additional options to be specified, such as the roles associated with the service.
There are two tabs in the resulting menu: Settings and Roles. The Settings tab is identical to that found when creating the role service, while the Roles tab is described below.
Roles tab
Clicking a role will allow its parameters to be changed, while clicking the Add new link will create a new role.
Add role
Creating or editing a role
Option | Description |
---|---|
Role name | The name of the role. Convention is uppercase, but this is not required. |
Parent roles | The role that this role inherits from. See the section on Roles for more information on inheritance. |
Role parameters | Key/value pairs associated with the role. Used for associating additional information with the role. |