Authentication providers

The following authentication providers are available in GeoServer:

  • Authentication of a username/password against a user/group service

  • Authentication against an LDAP server

  • Authentication by connecting to a database through JDBC

Username/password authentication

Username and password authentication is the default authentication provider. It uses a user/group service to authenticate.

The provider simply takes the username/password from an incoming request (such as a Basic Authentication request), then loads the user information from the user/group service and verifies the credentials.

LDAP authentication

The LDAP authentication provider allows for authentication against a Lightweight Directory Access Protocol (LDAP) server. The provider takes the username/password from the incoming request and attempts to connect to the LDAP server with those credentials.

Note

Currently only LDAP Bind authentication is supported.

Role assignment

The LDAP provider offers two options for role assignment for authenticated users:

  • Convert the user’s LDAP groups into roles

  • Employ a user/group service

The following LDAP directory (shown as LDIF) illustrates the first option:

dn: ou=people,dc=acme,dc=com
objectclass: organizationalUnit
ou: people

dn: uid=bob,ou=people,dc=acme,dc=com
objectclass: person
uid: bob
cn: bob
sn: bob

dn: ou=groups,dc=acme,dc=com
objectclass: organizationalUnit
ou: groups

dn: cn=workers,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: workers
member: uid=bob,ou=people,dc=acme,dc=com

The above scenario defines a user with the uid of bob, and a group named workers of which bob is a member. After authentication, bob will be assigned the role ROLE_WORKERS. The role name is generated by concatenating ROLE_ with the name of the group in upper case.

Note

When the LDAP server doesn’t allow searching in an anonymous context, enable the bindBeforeGroupSearch option so that the group lookup is performed with the user’s authenticated bind rather than anonymously; otherwise the group search fails with errors.
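The group-to-role rule above, as an added example that is not GeoServer's own code: a minimal LDIF parser reads the directory from this page (plus a constructed second group, "editors", and a member "alice"), and each group listing the user's DN yields ROLE_ followed by the group name in upper case.

```python
# Added example (not GeoServer code): applies the documented rule
# ROLE_<GROUP NAME IN UPPER CASE> to groups found in an LDIF directory,
# with a minimal LDIF parser so it runs offline. The data is the page's
# directory plus a constructed second group, "editors".
LDIF = """\
dn: uid=bob,ou=people,dc=acme,dc=com
objectclass: person
uid: bob

dn: cn=workers,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: workers
member: uid=bob,ou=people,dc=acme,dc=com

dn: cn=editors,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: editors
member: uid=bob,ou=people,dc=acme,dc=com
member: uid=alice,ou=people,dc=acme,dc=com
"""

def parse_ldif(text):
    """Parse plain LDIF into a list of {attr: [values]} dicts.
    Covers only what the sample needs: no base64 (::), no folded lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def roles_for_user(entries, user_dn):
    """ROLE_ + upper-cased cn of every groupOfNames whose member list
    contains user_dn. DN matching here is a lower-case comparison only;
    real servers also normalise spacing (a simplification in this demo)."""
    dn = user_dn.lower()
    roles = set()
    for e in entries:
        if "groupofnames" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        if dn in {m.lower() for m in e.get("member", [])}:
            roles.update("ROLE_" + cn.upper() for cn in e.get("cn", []))
    return roles
```

A user who belongs to no group receives an empty role set, which is exactly the case where the fallback to a user/group service (described next) becomes relevant.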

In the case of using a user/group service, the user/group service is queried for the user following authentication, and the role assignment is performed by both the user/group service and the active role service. When using this option, any password defined for the user in the user/group service database is ignored.

Secure LDAP connections

There are two ways to create a secure LDAP connection with the server. The first is to specify a secure connection directly by using the ldaps protocol in the Server URL. This typically requires changing the connection port from 389 to 636.

The second method uses STARTTLS, which upgrades a non-secure connection to Transport Layer Security (TLS) after it has been established. The negotiation takes place over the non-secure URL, using the “ldap” protocol on port 389. To use this option, the Use TLS flag must be set.

Warning

Using TLS for connections prevents GeoServer from pooling LDAP connections. A new LDAP connection is created and destroyed for each authentication, which costs performance.

JDBC authentication

The JDBC authentication provider authenticates by connecting to a database over JDBC.

The provider takes the username/password from the incoming request and attempts to create a database connection using those credentials. Optionally the provider may use a user/group service to load user information after a successful authentication. In this context the user/group service will not be used for password verification, only for role assignment.

Note

To use the user/group service for password verification, please see the section on Username/password authentication.