LDAP Authentication Provider

The LDAP Authentication Provider uses an LDAP service to authenticate users. It can be configured to use LDAP only for authentication, or also for role assignment (each LDAP group is a role).

To configure the provider you have to specify:
  • a name for the provider
  • the LDAP server URL, complete with the root DN (e.g. http://localhost:389/dc=maxcrc,dc=com)
  • the User lookup pattern: {0} should be used in place of the username value in the pattern (e.g. uid={0},ou=People)
  • whether to use TLS (secure connection) to connect to the server
  • if using LDAP groups for authorization, the groups bound to the LDAP user are used as GeoServer roles; in this case you also have to configure:
    • the Group search base (e.g. ou=Groups)
    • the Group search filter, a search pattern for locating the LDAP groups a user belongs to. This may contain two placeholder values:
      • {0}, the full DN of the user, for example uid=bob,ou=people,dc=acme,dc=com
      • {1}, the uid portion of the full DN, for example bob
  • if NOT using LDAP groups for authorization:
    • choose one of the available user/group services for that purpose
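To make the two placeholder conventions concrete, here is an added example (not GeoServer's own code) that expands the User lookup pattern into the user's full DN and then fills the Group search filter from that DN and the uid. Usernames are escaped as RFC 4514 (DN) and RFC 4515 (filter) values before substitution, so that characters special to LDAP syntax cannot change the shape of the DN or filter; the root DN, pattern and filter strings are the ones used on this page.

```python
"""Expand GeoServer-style LDAP lookup patterns (added example, not GeoServer code).

{0} in the User lookup pattern is the username. In the Group search filter
{0} is the user's full DN and {1} is the uid portion of that DN.
"""


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RFC 4514 DN."""
    specials = ',+"\\<>;='
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in specials or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an RFC 4515 search filter."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def user_dn(root_dn: str, lookup_pattern: str, username: str) -> str:
    """Full user DN: the lookup pattern with {0} substituted, relative to the root DN."""
    rdn = lookup_pattern.replace('{0}', escape_dn_value(username))
    return f'{rdn},{root_dn}'


def group_filter(search_filter: str, full_dn: str, uid: str) -> str:
    """Group search filter with {0} (full DN) and {1} (uid) substituted and escaped."""
    return (search_filter
            .replace('{0}', escape_filter_value(full_dn))
            .replace('{1}', escape_filter_value(uid)))


if __name__ == '__main__':
    # Values from this page: root DN from the server URL, the user lookup pattern,
    # and a constructed group filter that matches groups listing the user's DN.
    dn = user_dn('dc=maxcrc,dc=com', 'uid={0},ou=People', 'ldapuser')
    print(dn)                                    # uid=ldapuser,ou=People,dc=maxcrc,dc=com
    print(group_filter('(member={0})', dn, 'ldapuser'))
```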

We will now add a new LDAP authentication provider, but first we need to add a new user/group service that the provider will use:

Note

You will need an LDAP server (e.g. OpenLDAP) to do this exercise; the LDAP server is not part of the training material. We assume that an LDAP server is installed on localhost with a dc=maxcrc,dc=com root, and that a user with uid ldapuser and password ldapuser exists.

  1. From the Welcome page click the Users, Groups, Roles link on the Menu Security section.

    Note: You have to be logged in as Administrator in order to activate this function.

  2. Click Add new in the User Group Services menu

    • Insert ldapservice in the Name text field.
    • Select Weak PBE from Password encryption combo box.
    • Select default from Password policy combo box.
    • Insert ldapservice.xml in the XML filename text field.
  3. Click the Save button.

Now we are going to add a user to the newly added user/group service:

  1. From the Welcome page click the Users, Groups, Roles link on the Menu Security section

  2. Click on the User/Groups tab

  3. Click on the ldapservice link and the user/groups form will appear

  4. Click on the edit link to the right of the ldapservice link

  5. Click on the Users tab

  6. Click on the Add new user button

    • Insert ldapuser in the User name text field
    • Insert fake in the Password and Confirm Password text fields (a password is always required, even if it is not used for authentication)
    • Select the ADMIN element in the Available list of the Roles taken from active role service: default menu
    • Click the arrow right button to add the element to the Selected list
  7. Click the Save button.

Now we are ready to add the Authentication provider:

  1. From the Welcome page click the Authentication link on the Menu Security section.

  2. Click Add new in the Authentication Providers menu

  3. Click LDAP in the Authentication Providers list

    • Insert testldap in the Name text field.
    • Insert ldap://localhost:389/dc=maxcrc,dc=com in the Server URL text field.
    • Insert uid={0},ou=People in the User lookup pattern text field.
    • Uncheck Use LDAP groups for authorization checkbox.
    • Select ldapservice from User/Group service combo box.
  4. Click the Save button.

  5. From the Welcome page click the Authentication link on the Menu Security section.

  6. Select the testldap element in the Available list of the Provider Chain menu

  7. Click the arrow right button to add the element to the Selected list

  8. Click the Save button.

We have now activated a new Authentication provider with a new administrator user named ldaptest. To verify it:

  1. Click the Logout button on the top right part of the page.
  2. Insert ldaptest in the Username and Password text fields on the top right part of the page.
  3. Click the Login button on the top right part of the page.

You should now be logged in as the ldaptest user, with administrative rights.