Authentication with LDAP

This tutorial introduces GeoServer LDAP support and walks through the process of setting up authentication against an LDAP server. It is recommended that the LDAP authentication section be read before proceeding.

LDAP server setup

A mock LDAP server will be used for this tutorial. Download and run the acme-ldap jar:

java -jar acme-ldap.jar

The output should look like the following:

Directory contents:
  ou=people,dc=acme,dc=org
    uid=bob,ou=people,dc=acme,dc=org
    uid=alice,ou=people,dc=acme,dc=org
    uid=bill,ou=people,dc=acme,dc=org
  ou=groups,dc=acme,dc=org
  cn=users,ou=groups,dc=acme,dc=org
    member: uid=bob,ou=people,dc=acme,dc=org
    member: uid=alice,ou=people,dc=acme,dc=org
  cn=admins,ou=groups,dc=acme,dc=org
    member: uid=bill,ou=people,dc=acme,dc=org

  Server running on port 10389

The following diagram illustrates the hierarchy of the LDAP database:

../../../_images/acme_ldap.png

The LDAP tree consists of:

  • The root domain component, dc=acme,dc=org
  • Two organizational units (groups) named user and admin
  • Two users named bob and alice who are members of the user group
  • One user named bill who is a member of the admin group

Configure the LDAP authentication provider

  1. Start GeoServer and login to the web admin interface as the admin user.

  2. Click the Authentication link located under the Security section of the navigation sidebar.

    ../../../_images/ldap11.jpg
  3. Scroll down to the Authentication Providers panel and click the Add new link.

    ../../../_images/ldap21.jpg
  4. Click the LDAP link.

    ../../../_images/ldap31.jpg
  5. Fill in the fields of the settings form as follows:

  6. Test the LDAP connection by entering the username “bob” and password “secret” in the connection test form located on the right and clicking the Test Connection button.

    ../../../_images/ldap4.jpg

    A successful connection should be reported at the top of the page.

  7. Save.

  8. Back on the authentication page, scroll down to the Provider Chain panel and move the acme-ldap provider from Available to Selected.

    ../../../_images/ldap5.jpg
  9. Save.

Test an LDAP login

  1. Navigate to the GeoServer home page and log out of the admin account.

  2. Login as the user “bob” with the password “secret”.

    ../../../_images/ldap6.jpg

Logging in as bob doesn’t yield any administrative functionality because the bob account has not been mapped to the administrator role. In the next section GeoServer will be configured to map groups from the LDAP database to roles.

Map LDAP groups to GeoServer roles

When using LDAP for authentication GeoServer maps LDAP groups to GeoServer roles by prefixing the group name with ROLE_ and converting the result to uppercase. For example bob and alice are members of the user group, so after authentication they would be assigned a role named ROLE_USER. Similarly bill is a member of the admin group, so he would be assigned a role named ROLE_ADMIN.

  1. Log out of the web admin and log back in as the admin user.

  2. Navigate to the Authentication page.

  3. Scroll to the Authentication Providers panel and click the acme-ldap link.

    ../../../_images/ldap7.jpg
  4. On the settings page fill in the following form fields:

    • Set Group search base to “ou=groups”
    • Set Group search filter to “member={0}”

    The first field specifies the node of the LDAP directory tree at which groups are located, in this case the organizational unit named groups. The second field specifies the LDAP query filter used to locate the groups that a specific user is a member of. The {0} is a placeholder which is replaced with the uid of the user.

  5. Save.

At this point the LDAP provider will populate an authenticated user with roles based on the groups the user is a member of. But the GeoServer administrative role is named ROLE_ADMINISTRATOR. Therefore even bill, who is assigned the role ROLE_ADMIN, will not be granted administrative rights. To remedy this the GeoServer role service will be reconfigured to treat ROLE_ADMIN as an administrative role.

  1. Click the Users, Groups, Roles link located under the Security section of the navigation sidebar.

    ../../../_images/ldap8.jpg
  2. Scroll to the Role Services panel and click the default link.

    ../../../_images/ldap9.jpg
  3. Switch to the Roles tab.

  4. Add a new role named ROLE_ADMIN.

  5. Save.

    ../../../_images/ldap10.jpg
    ../../../_images/ldap111.jpg
  6. Switch to the Settings tab.

  7. Select ROLE_ADMIN from the Administrator role drop down.

    ../../../_images/ldap12.jpg
  8. Save.

At this point members of the admin LDAP group should be given full administrative privileges once authenticated. Log out of the admin account and log in as “bill” with the password “hello”. Once logged in full administrative functionality should be available.
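The group search, the group-to-role mapping and the administrator-role check described above can be exercised offline against an in-memory copy of the acme directory. The following Python script is an added example written for this tutorial; it is not part of GeoServer and does not model how GeoServer or its LDAP library carry out the query. It assumes a constructed directory that follows the group names used in the prose (user and admin), resolves the user's entry DN and substitutes that for {0} because the member values printed by the mock server are full DNs, and escapes the substituted value per RFC 4515 before it enters the filter so that a value containing filter metacharacters cannot change the query's meaning.

```python
import re
from typing import Dict, List

ROOT = "dc=acme,dc=org"

# Constructed in-memory copy of the directory printed by the mock server.
# The group entries are named after the tutorial's prose (user/admin). The
# mock server's own listing calls them users/admins, which the same
# prefix-and-uppercase rule would turn into ROLE_USERS/ROLE_ADMINS, so check
# the cn your server really returns before creating roles in GeoServer.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=bob,ou=people,dc=acme,dc=org": {"uid": ["bob"]},
    "uid=alice,ou=people,dc=acme,dc=org": {"uid": ["alice"]},
    "uid=bill,ou=people,dc=acme,dc=org": {"uid": ["bill"]},
    "cn=user,ou=groups,dc=acme,dc=org": {
        "cn": ["user"],
        "member": ["uid=bob,ou=people,dc=acme,dc=org",
                   "uid=alice,ou=people,dc=acme,dc=org"],
    },
    "cn=admin,ou=groups,dc=acme,dc=org": {
        "cn": ["admin"],
        "member": ["uid=bill,ou=people,dc=acme,dc=org"],
    },
}

# RFC 4515 escapes for the characters that carry meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the \\XX escapes so the filter value can be compared literally."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_dn(uid: str) -> str:
    """Find the entry DN for a uid (assumption: the people entries carry a uid attribute)."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == [uid]:
            return dn
    raise KeyError(uid)


def search(base: str, filter_template: str, placeholder_value: str) -> List[str]:
    """Return the DNs below `base` matching a single attr=value filter built
    from the template, with {0} replaced by the escaped placeholder value."""
    ldap_filter = filter_template.replace("{0}", escape_filter_value(placeholder_value))
    attr, _, raw = ldap_filter.strip("()").partition("=")
    wanted = unescape_filter_value(raw)
    suffix = "," + base
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(suffix) and wanted in attrs.get(attr, [])]


def group_to_role(cn: str) -> str:
    """The mapping rule from the tutorial: ROLE_ prefix, then uppercase."""
    return "ROLE_" + cn.upper()


def roles_for(uid: str, group_search_base: str = "ou=groups",
              group_search_filter: str = "member={0}") -> List[str]:
    """Roles a user receives after authentication, using the two form fields."""
    base = f"{group_search_base},{ROOT}"
    groups = search(base, group_search_filter, user_dn(uid))
    return sorted(group_to_role(DIRECTORY[dn]["cn"][0]) for dn in groups)


def is_administrator(roles: List[str], administrator_role: str = "ROLE_ADMINISTRATOR") -> bool:
    """True only if the role service's configured administrator role is present."""
    return administrator_role in roles


if __name__ == "__main__":
    for uid in ("bob", "alice", "bill"):
        roles = roles_for(uid)
        print(uid, roles,
              "admin(default):", is_administrator(roles),
              "admin(ROLE_ADMIN):", is_administrator(roles, "ROLE_ADMIN"))
```

Running the script shows bill holding ROLE_ADMIN but failing the check while the administrator role is still the default ROLE_ADMINISTRATOR, and passing it once the role service is told to treat ROLE_ADMIN as administrative, which is exactly the reconfiguration the steps above perform. The escaping helper is the defensive detail to keep in mind whenever a user-controlled value is substituted into a filter template.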