providers.rst 4.4 KB

.. _security_auth_providers:

Authentication providers
========================

The following authentication providers are available in GeoServer:

* Authentication of a username/password against a :ref:`user/group service <security_rolesystem_usergroupservices>`
* Authentication against an LDAP server
* Authentication by connecting to a database through JDBC

.. _security_auth_provider_userpasswd:

Username/password authentication
--------------------------------

Username and password authentication is the default authentication provider. It uses a :ref:`user/group service <security_rolesystem_usergroupservices>` to authenticate.

The provider takes the username/password from an incoming request (such as an HTTP Basic Authentication request), loads the user information from the user/group service and verifies the supplied credentials against the stored ones.

.. _security_auth_provider_ldap:

LDAP authentication
-------------------

The LDAP authentication provider allows for authentication against a `Lightweight Directory Access Protocol <http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol>`_ (LDAP) server. The provider takes the username/password from the incoming request and attempts to bind to the LDAP server with those credentials. The directory decides whether the password is correct, so GeoServer never stores or compares the LDAP password itself.

.. note:: Currently only LDAP Bind authentication is supported.

Role assignment
~~~~~~~~~~~~~~~

The LDAP provider offers two options for role assignment for authenticated users:

* Convert the user's LDAP groups into roles
* Employ a user/group service

The following LDAP directory, written as LDIF, illustrates the first option::

  dn: ou=people,dc=acme,dc=com
  objectclass: organizationalUnit
  ou: people

  dn: uid=bob,ou=people,dc=acme,dc=com
  objectclass: inetOrgPerson
  uid: bob
  cn: bob
  sn: bob

  dn: ou=groups,dc=acme,dc=com
  objectclass: organizationalUnit
  ou: groups

  dn: cn=workers,ou=groups,dc=acme,dc=com
  objectclass: groupOfNames
  cn: workers
  member: uid=bob,ou=people,dc=acme,dc=com

The above scenario defines a user with the ``uid`` of ``bob``, and a group named ``workers`` of which ``bob`` is a member. After authentication, ``bob`` will be assigned the role ``ROLE_WORKERS``. The role name is generated by concatenating ``ROLE_`` with the name of the group in upper case.

.. note:: When the LDAP server doesn't allow searching in an anonymous context, the *bindBeforeGroupSearch* option should be enabled, so that the group search runs on the connection already bound as the authenticated user instead of failing with an anonymous search.

In the case of using a :ref:`user/group service <security_rolesystem_usergroupservices>`, the user/group service is queried for the user following authentication, and the role assignment is performed by both the user/group service and the active :ref:`role service <security_rolesystem_roleservices>`. When using this option, any password defined for the user in the user/group service database is ignored: the LDAP bind is the only credential check.
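To make the group-to-role rule concrete, here is an added example (not GeoServer's own code) that parses a small LDIF directory and derives role names for a user from the ``groupOfNames`` entries that list the user's DN as a ``member``. The LDIF is constructed for the example and mirrors the entries above, with an extra user ``alice`` and group ``gis-admins`` added to show a second mapping; the DN normalisation, the ``group_base`` parameter and the function names are this example's assumptions, not GeoServer settings.

```python
"""
Added example: derive GeoServer-style roles (ROLE_ + group cn in upper case)
from LDAP group membership, using a minimal LDIF parser.  Not GeoServer code.
"""
from typing import Dict, List

# Constructed sample directory: the entries from the text plus alice/gis-admins.
SAMPLE_LDIF = """\
dn: ou=people,dc=acme,dc=com
objectclass: organizationalUnit
ou: people

dn: uid=bob,ou=people,dc=acme,dc=com
objectclass: inetOrgPerson
uid: bob
cn: bob
sn: bob

dn: ou=groups,dc=acme,dc=com
objectclass: organizationalUnit
ou: groups

dn: cn=workers,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: workers
member: uid=bob,ou=people,dc=acme,dc=com

dn: cn=gis-admins,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: gis-admins
member: uid=alice,ou=people,dc=acme,dc=com
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse blank-line-separated LDIF entries into {dn: {attr: [values]}}.

    Attribute names are lower-cased, multi-valued attributes (several
    ``member`` lines) are collected into a list.  Base64 values, comments
    with continuation lines and other LDIF extras are not needed here.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """DN matching is case-insensitive and ignores whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_to_role(group_cn: str) -> str:
    """The rule stated in the text: ROLE_ + group name in upper case."""
    return "ROLE_" + group_cn.upper()


def roles_for_user(entries: Dict[str, Dict[str, List[str]]],
                   user_dn: str, group_base: str) -> List[str]:
    """Roles a user obtains through membership of groupOfNames entries
    located under ``group_base``.  Membership is decided by normalised DN
    comparison, so a differently-cased ``member`` value still matches."""
    wanted = normalize_dn(user_dn)
    base = normalize_dn(group_base)
    roles: List[str] = []
    for dn, attrs in entries.items():
        if not normalize_dn(dn).endswith("," + base):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        members = {normalize_dn(m) for m in attrs.get("member", [])}
        if wanted in members:
            roles.append(group_to_role(attrs["cn"][0]))
    return sorted(roles)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    base = "ou=groups,dc=acme,dc=com"
    print(roles_for_user(directory, "uid=bob,ou=people,dc=acme,dc=com", base))    # ['ROLE_WORKERS']
    print(roles_for_user(directory, "uid=alice,ou=people,dc=acme,dc=com", base))  # ['ROLE_GIS-ADMINS']
```

Note that the role name is derived purely from the group's ``cn``; anyone who can rename or create groups under the group search base can therefore mint arbitrary ``ROLE_*`` names, so write access to that subtree deserves the same protection as GeoServer's own role store.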
.. _security_auth_provider_ldap_secure:

Secure LDAP connections
~~~~~~~~~~~~~~~~~~~~~~~

Because the provider authenticates by binding with the user's credentials, the password is sent to the directory on every login; over a plain ``ldap://`` connection it crosses the network unencrypted. There are two ways to create a secure LDAP connection with the server.

The first is to specify an encrypted connection directly by using the **ldaps** protocol as part of the *Server URL*. This typically requires changing the connection port to **port 636** rather than 389, since an LDAPS listener expects TLS from the first byte.

The second method uses **STARTTLS** (Transport Layer Security) to negotiate an encrypted session over an initially unencrypted one. The connection is opened to the non-secure URL using the ``ldap`` protocol on port 389 and is upgraded to TLS before the bind is sent. To use this option, the *Use TLS* flag must be set.

.. warning:: Using TLS for connections will prevent GeoServer from being able to pool LDAP connections. A new LDAP connection is created and destroyed for each authentication, which costs performance; it does not weaken the security of the connection.
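The following added example (not GeoServer code) classifies a *Server URL* / *Use TLS* combination by the transport the bind will use, so that a plaintext configuration can be caught during review. The ``use_tls`` flag stands in for the *Use TLS* checkbox, and the ``audit`` findings, the function names and the example hostnames are this example's own assumptions.

```python
"""
Added example: decide how an LDAP bind is protected for a given Server URL
and Use TLS setting, and flag the combinations that expose passwords.
"""
from typing import Dict, List
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def bind_transport(server_url: str, use_tls: bool) -> Dict[str, object]:
    """Describe the transport used for the simple bind.

    - ldaps://              -> TLS from the first byte (default port 636)
    - ldap:// with use_tls  -> plaintext connect, then STARTTLS upgrade
    - ldap:// without it    -> the password crosses the network in clear text
    """
    parts = urlsplit(server_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: expected ldap or ldaps")
    port = parts.port or DEFAULT_PORTS[scheme]
    if scheme == "ldaps":
        mode, encrypted = "implicit-tls", True
    elif use_tls:
        mode, encrypted = "starttls", True
    else:
        mode, encrypted = "plaintext", False
    return {"host": parts.hostname, "port": port, "mode": mode, "encrypted": encrypted}


def audit(server_url: str, use_tls: bool) -> List[str]:
    """Return review findings for a configuration; an empty list means nothing to flag."""
    t = bind_transport(server_url, use_tls)
    findings: List[str] = []
    if not t["encrypted"]:
        findings.append("bind passwords are sent in clear text; use ldaps:// or enable Use TLS")
    if t["mode"] == "implicit-tls" and t["port"] == 389:
        findings.append("ldaps:// on port 389 is unusual; the LDAPS default is 636")
    if t["mode"] == "starttls" and t["port"] == 636:
        findings.append("STARTTLS on port 636 will fail: that port expects TLS from the start")
    return findings


if __name__ == "__main__":
    # Constructed configurations: the weak one first, then the two secure forms.
    for url, tls in [("ldap://ldap.example.com:389", False),
                     ("ldaps://ldap.example.com:636", False),
                     ("ldap://ldap.example.com:389", True)]:
        print(url, "use_tls=%s" % tls, bind_transport(url, tls)["mode"], audit(url, tls))
```

Run with the three constructed configurations, only the first one (``ldap://`` on 389 with *Use TLS* off) produces a finding; the other two are the ``ldaps`` and STARTTLS forms described above.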
.. _security_auth_provider_jdbc:

JDBC authentication
-------------------

The JDBC authentication provider authenticates by connecting to a database over `JDBC <http://en.wikipedia.org/wiki/Java_Database_Connectivity>`_.

The provider takes the username/password from the incoming request and attempts to open a database connection using those credentials, so the database itself performs the password check and the credentials must be valid database logins. Optionally the provider may use a :ref:`user/group service <security_rolesystem_usergroupservices>` to load user information after a successful authentication. In this context the user/group service is not used for password verification, only for role assignment.

.. note:: To use the user/group service for password verification, please see the section on :ref:`security_auth_provider_userpasswd`.