Home Explore Help
Register Sign In
siwei
/
web-server
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
web-server
/
doc
/
en
/
user
/
source
/
security
/
auth
/
providers.rst

providers.rst 4.4 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. .. _security_auth_providers:
    2. 

  2. 

  3. Authentication providers
    4. 

  4. ========================
    5. 

  5. 

  6. The following authentication providers are available in GeoServer:
    7. 

  7.  
    8. 

  8. * Authentication of a username/password against a :ref:`user/group service <security_rolesystem_usergroupservices>`
    9. 

  9. * Authentication against an LDAP server
    10. 

  10. * Authentication by connecting to a database through JDBC
    11. 

  11. 

  12. 

  13. .. _security_auth_provider_userpasswd:
    14. 

  14. 

  15. Username/password authentication
    16. 

  16. --------------------------------
    17. 

  17. 

  18. Username and password authentication is the default authentication provider. It uses a :ref:`user/group service <security_rolesystem_usergroupservices>` to authenticate.
    19. 

  19. 

  20. The provider simply takes the username/password from an incoming request (such as a Basic Authentication request), then loads the user information from the user/group service and verifies the credentials.
    21. 

  21. 

  22. .. _security_auth_provider_ldap:
    23. 

  23. 

  24. LDAP authentication
    25. 

  25. -------------------
    26. 

  26. 

  27. The LDAP authentication provider allows for authentication against a `Lightweight Directory Access Protocol <http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol>`_ (LDAP) server. The provider takes the username/password from the incoming request and attempts to connect to the LDAP server with those credentials. 
    28. 

  28. 

  29. .. note:: Currently only LDAP Bind authentication is supported.
    30. 

  30. 

  31. Role assignment
    32. 

  32. ~~~~~~~~~~~~~~~
    33. 

  33. 

  34. The LDAP provider offers two options for role assignment for authenticated users:
    35. 

  35. 

  36. * Convert the user's LDAP groups into roles
    37. 

  37. * Employ a user/group service
    38. 

  38. 

  39. The following LDAP database will illustrate the first option::
    40. 

  40. 

  41.     dn: ou=people,dc=acme,dc=com
    42. 

  42.     objectclass: organizationalUnit
    43. 

  43.     ou: people
    44. 

  44.     
    45. 

  45.     dn: uid=bob,ou=people,dc=acme,dc=com
    46. 

  46.     objectclass: person
    47. 

  47.     uid: bob
    48. 

  48.     
    49. 

  49.     dn: ou=groups,dc=acme,dc=com
    50. 

  50.     objectclass: organizationalUnit
    51. 

  51.     ou: groups
    52. 

  52.     
    53. 

  53.     dn: cn=workers,ou=groups,dc=acme,dc=com
    54. 

  54.     objectclass: groupOfNames
    55. 

  55.     cn: users
    56. 

  56.     member: uid=bob,ou=people,dc=acme,dc=com
    57. 

  57. 

  58. The above scenario defines a user with the ``uid`` of ``bob``, and a ``group`` named ``workers`` of which ``bob`` is a member. After authentication, ``bob`` will be assigned the role ``ROLE_WORKERS``. The role name is generated by concatenating ``ROLE_`` with the name of the group in upper case.
    59. 

  59. 

  60. .. note:: When the LDAP server doesn't allow searching in an anonymous context, the bindBeforeGroupSearch option should be enabled to avoid errors.
    61. 

  61. 

  62. In the case of using a :ref:`user/group service <security_rolesystem_usergroupservices>`, the user/group service is queried for the user following authentication, and the role assignment is performed by both the user/group service and the active :ref:`role service <security_rolesystem_roleservices>`. When using this option, any password defined for the user in the user/group service database is ignored.
    63. 

  63. 

  64. .. _security_auth_provider_ldap_secure:
    65. 

  65. 

  66. Secure LDAP connections
    67. 

  67. ~~~~~~~~~~~~~~~~~~~~~~~
    68. 

  68. 

  69. There are two ways to create a secure LDAP connection with the server. The first is to directly specify a secure connection by using the **ldaps** protocol as part of the *Server URL*. This typically requires changing the connection port to **port 636** rather than 389.
    70. 

  70. 

  71. The second method involves using **STARTTLS** (Transport Layer Security) to negotiate a secure connection over a non-secure one. The negotiation takes place over the non-secure URL using the "ldap" protocol on port 389. To use this option, the *Use TLS* flag must be set.
    72. 

  72. 

  73. .. warning::  Using TLS for connections will prevent GeoServer from being able to pool LDAP connections. This means a new LDAP connection will be created and destroyed for each authentication, resulting in loss of performance.
    74. 

  74. 

  75. 

  76. .. _security_auth_provider_jdbc:
    77. 

  77. 

  78. JDBC authentication
    79. 

  79. -------------------
    80. 

  80. 

  81. The JDBC authentication provider authenticates by connecting to a database over `JDBC <http://en.wikipedia.org/wiki/Java_Database_Connectivity>`_.
    82. 

  82. 

  83. The provider takes the username/password from the incoming request and attempts to create a database connection using those credentials. Optionally the provider may use a :ref:`user/group service <security_rolesystem_usergroupservices>` to load user information after a successful authentication. In this context the user/group service will not be used for password verification, only for role assignment.
    84. 

  84. 

  85. .. note:: To use the user/group service for password verification, please see the section on :ref:`security_auth_provider_userpasswd`.
    86. 

  86.