
.. _security_tutorials_activedirectory:

Authentication with LDAP against ActiveDirectory
================================================

This tutorial explains how to use GeoServer LDAP support to connect to a Windows Domain using ActiveDirectory as an LDAP server. It is recommended that the
:ref:`security_auth_provider_ldap` section be read before proceeding.

Windows Server and ActiveDirectory
----------------------------------

Active Directory is just another LDAP server implementation, but it has some particularities that must be understood to use it successfully with GeoServer LDAP authentication.

In this tutorial we will assume a Windows Server Domain Controller running ActiveDirectory, named ``domain-controller``, for a domain named ``ad.local``.
If your environment uses different names (and it surely will), use your real names where needed.

We will also assume that:

* a group named ``GISADMINGROUP`` exists.
* a user named ``GISADMIN`` exists, has password ``secret``, and belongs to the ``GISADMINGROUP`` group.
* a user named ``GISUSER`` exists, has password ``secret``, and does NOT belong to the ``GISADMINGROUP`` group.

.. note:: ADMINISTRATOR cannot generally be used as the admin group name with ActiveDirectory, because Administrator is the built-in root user name in a Windows environment.
Configure the LDAP authentication provider
------------------------------------------

#. Start GeoServer and login to the web admin interface as the ``admin`` user.
#. Click the ``Authentication`` link located under the ``Security`` section of
   the navigation sidebar.

   .. figure:: images/ldap1.jpg
      :align: center

#. Scroll down to the ``Authentication Providers`` panel and click the ``Add new`` link.

   .. figure:: images/ldap2.jpg
      :align: center

#. Click the ``LDAP`` link.

   .. figure:: images/ldap3.jpg
      :align: center

#. Fill in the fields of the settings form as follows:

   * Set ``Name`` to "ad-ldap"
   * Set ``Server URL`` to "ldap://domain-controller/dc=ad,dc=local"
   * Set ``Filter used to lookup user`` to ``(|(userPrincipalName={0})(sAMAccountName={1}))``
   * Set ``Format used for user login name`` to "{0}@ad.local"
   * Check ``Use LDAP groups for authorization``
   * Check ``Bind user before searching for groups``
   * Set ``Group to use as ADMIN`` to "GISADMINGROUP"
   * Set ``Group search base`` to "cn=Users"
   * Set ``Group search filter`` to "member={0}"

#. Test the LDAP connection by entering the username "GISADMIN" and password "secret"
   in the connection test form located on the right and click the
   ``Test Connection`` button.

   .. figure:: images/ad1.jpg
      :align: center

   A successful connection should be reported at the top of the page.

#. Save.
#. Back on the authentication page, scroll down to the ``Provider Chain`` panel
   and move the ``ad-ldap`` provider from ``Available`` to ``Selected``.

   .. figure:: images/ad2.jpg
      :align: center

#. Save.
Test an LDAP login
------------------

#. Navigate to the GeoServer home page and log out of the admin account.
#. Login as the user "GISUSER" with the password "secret".

   .. figure:: images/ad3.jpg
      :align: center

Logging in as GISUSER doesn't yield any administrative functionality because the GISUSER account has not been mapped to the administrator role. In the next section
GeoServer will be configured to map groups from the LDAP database to roles.

Now we will login with a user having administrative rights.

#. Navigate to the GeoServer home page and log out of the account.
#. Login as the user "GISADMIN" with the password "secret".

Once logged in, full administrative functionality should be available.
Configure the LDAP role service
-------------------------------

An additional step is to configure a role service that reads GeoServer roles
from the LDAP repository, so that access rights can be assigned to those roles.

#. Click the ``Users,Group,Roles`` link located under the ``Security`` section
   of the navigation sidebar.
#. Click the ``Add new`` link under the ``Role Services`` section.
#. Click the ``LDAP`` option under the ``New Role Service`` section.

   .. figure:: images/ldap14.jpg
      :align: center

#. Enter ``ldapadrs`` in the ``Name`` text field.
#. Enter ``ldap://domain-controller/dc=ad,dc=local`` in the ``Server URL`` text field.
#. Enter ``CN=Users`` in the ``Group search base`` text field.
#. Enter ``member={1},dc=ad,dc=local`` in the ``Group user membership search filter`` text field.
#. Enter ``objectClass=group`` in the ``All groups search filter`` text field.
#. Enter ``sAMAccountName={0}`` in the ``Filter used to lookup user`` text field.

Then we need to choose a user to authenticate on the server (many LDAP servers don't allow anonymous data lookup).

#. Check the ``Authenticate to extract roles`` checkbox.
#. Enter ``GISADMIN@ad.local`` in the ``Username`` text field.
#. Enter ``secret`` in the ``Password`` text field.
#. Save.
#. Click the ``ldapadrs`` role service item under the ``Role Services`` section.
#. Select ``ROLE_DOMAIN ADMINS`` from the ``Administrator role`` combo-box.
#. Select ``ROLE_DOMAIN ADMINS`` from the ``Group administrator role`` combo-box.
#. Save again.

You should now be able to see and assign the new ActiveDirectory roles wherever an ``Available Roles`` list is shown (for example in the ``Data`` and ``Services`` rules sections).
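To make the placeholder substitution concrete, here is an added Python example (not part of the GeoServer documentation or code base) that replays the authentication provider settings above (user lookup filter, login name format, bind, then ``member={0}`` group search) and the role service's ``objectClass=group`` enumeration against a constructed in-memory copy of ``ad.local``. It assumes a toy filter evaluator in place of a real LDAP server and the ``ROLE_`` plus upper-cased group CN naming seen in ``ROLE_DOMAIN ADMINS`` above; the role service's membership filter is not modelled.

```python
# Constructed toy directory standing in for ad.local (example data, not a real server).
U = "CN=Users,DC=ad,DC=local"
DIRECTORY = {  # attribute values are lists, as in LDAP
    f"CN=GISADMIN,{U}": {"objectClass": ["user"], "sAMAccountName": ["GISADMIN"],
                         "userPrincipalName": ["GISADMIN@ad.local"]},
    f"CN=GISUSER,{U}": {"objectClass": ["user"], "sAMAccountName": ["GISUSER"],
                        "userPrincipalName": ["GISUSER@ad.local"]},
    f"CN=GISADMINGROUP,{U}": {"objectClass": ["group"], "member": [f"CN=GISADMIN,{U}"]},
    f"CN=Domain Admins,{U}": {"objectClass": ["group"], "member": [f"CN=GISADMIN,{U}"]},
}
PASSWORDS = {f"CN=GISADMIN,{U}": "secret", f"CN=GISUSER,{U}": "secret"}  # checked by the bind
# The values entered in the tutorial's provider form.
USER_FILTER = "(|(userPrincipalName={0})(sAMAccountName={1}))"
LOGIN_FORMAT = "{0}@ad.local"
GROUP_BASE = "cn=Users" + ",dc=ad,dc=local"  # the form's cn=Users, relative to the URL root
GROUP_FILTER = "member={0}"
ADMIN_GROUP = "GISADMINGROUP"

def matches(entry, flt):
    """Minimal LDAP filter evaluator: (attr=value), (&...), (|...), case-insensitive like AD."""
    flt = flt if flt.startswith("(") else "(" + flt + ")"  # the form accepts a bare attr=value
    def parse(i):  # returns (matched, index just past the closing parenthesis)
        if flt[i + 1] in "&|":
            op, i, subs = flt[i + 1], i + 2, []
            while flt[i] == "(":
                hit, i = parse(i)
                subs.append(hit)
            return (all(subs) if op == "&" else any(subs)), i + 1
        j = flt.index(")", i)
        attr, value = flt[i + 1:j].split("=", 1)
        return value.lower() in [v.lower() for v in entry.get(attr, [])], j + 1
    return parse(0)[0]

def search(base, flt):  # subtree search under base
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, flt)]

def group_to_role(group_dn):  # assumed GeoServer naming: ROLE_ + group CN upper-cased
    return "ROLE_" + group_dn.split(",")[0][3:].upper()

def authenticate(username, password):  # the provider: look up the user, bind, read groups
    login = LOGIN_FORMAT.replace("{0}", username)  # "{0}@ad.local" -> GISADMIN@ad.local
    hits = search("dc=ad,dc=local", USER_FILTER.replace("{0}", login).replace("{1}", username))
    if len(hits) != 1 or PASSWORDS.get(hits[0]) != password:
        return None  # unknown or ambiguous user, or the bind failed
    roles = {group_to_role(g) for g in search(GROUP_BASE, GROUP_FILTER.replace("{0}", hits[0]))}
    return {"dn": hits[0], "roles": roles, "admin": "ROLE_" + ADMIN_GROUP in roles}

def all_roles():  # what the role service's "All groups search filter" enumerates
    return {group_to_role(g) for g in search(GROUP_BASE, "objectClass=group")}
```

Running ``authenticate("GISUSER", "secret")`` yields no roles and no admin flag, which is exactly why the GISUSER login above shows no administrative functionality.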