The following authentication providers are available in GeoServer:
Authentication of a username/password against a user/group service
Authentication against an LDAP server
Authentication by connecting to a database through JDBC
Username and password authentication is the default authentication provider. It uses a user/group service to authenticate.
The provider simply takes the username/password from an incoming request (such as a Basic Authentication request), then loads the user information from the user/group service and verifies the credentials.
The LDAP authentication provider allows for authentication against a Lightweight Directory Access Protocol (LDAP) server. The provider takes the username/password from the incoming request and attempts to connect to the LDAP server with those credentials.
Currently only LDAP Bind authentication is supported: GeoServer does not read or compare password hashes itself, it performs an LDAP bind as the user and lets the directory verify the password.
The LDAP provider offers two options for role assignment for authenticated users:
Convert the user’s LDAP groups into roles
Employ a user/group service
The following LDAP database will illustrate the first option:
dn: ou=people,dc=acme,dc=com
objectclass: organizationalUnit
ou: people

dn: uid=bob,ou=people,dc=acme,dc=com
objectclass: person
uid: bob

dn: ou=groups,dc=acme,dc=com
objectclass: organizationalUnit
ou: groups

dn: cn=workers,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: workers
member: uid=bob,ou=people,dc=acme,dc=com
The above scenario defines a user with the uid bob, and a group workers of which bob is a member. After authentication, bob will be assigned the role ROLE_WORKERS. The role name is generated by concatenating ROLE_ with the name of the group in upper case.
When the LDAP server doesn’t allow searching in an anonymous context, the bindBeforeGroupSearch option should be enabled to avoid errors.
In the case of using a user/group service, the user/group service is queried for the user following authentication, and the role assignment is performed by both the user/group service and the active role service. When using this option, any password defined for the user in the user/group service database is ignored.
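The following is an added example, not GeoServer code, that walks through the first role-assignment option with the directory shown above: it parses the LDIF, finds the groups that list a user's DN as a member, and derives the GeoServer role names. The LDIF text is constructed from the page's example, the function names are the example's own, and the DN normalisation (case folding and whitespace stripping around commas) is a simplification of real LDAP DN matching; it also generalises slightly by accepting groupOfUniqueNames entries (uniqueMember) alongside groupOfNames (member).

```python
"""Added example: how LDAP group membership becomes GeoServer roles.
Not GeoServer code; function names and the LDIF parser are this example's own."""
from __future__ import annotations

from collections import defaultdict

# Constructed sample directory, matching the LDIF on the page.
SAMPLE_LDIF = """\
dn: ou=people,dc=acme,dc=com
objectclass: organizationalUnit
ou: people

dn: uid=bob,ou=people,dc=acme,dc=com
objectclass: person
uid: bob

dn: ou=groups,dc=acme,dc=com
objectclass: organizationalUnit
ou: groups

dn: cn=workers,ou=groups,dc=acme,dc=com
objectclass: groupOfNames
cn: workers
member: uid=bob,ou=people,dc=acme,dc=com
"""

# Membership attribute used by each group object class (assumption: these two only).
MEMBER_ATTRS = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse minimal LDIF (no base64 values, no continuation lines) into
    {dn: {attribute: [values]}}. Attribute names are lower-cased; DNs are kept verbatim."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Simplified DN matching: case-insensitive, ignoring whitespace around commas.
    Real LDAP matching rules are richer; this is enough for the sample directory."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def ldap_groups_for(entries: dict[str, dict[str, list[str]]], user_dn: str) -> list[str]:
    """Return the cn of every group entry whose membership attribute lists user_dn."""
    wanted = normalize_dn(user_dn)
    groups: list[str] = []
    for attrs in entries.values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        for object_class, member_attr in MEMBER_ATTRS.items():
            if object_class in classes:
                members = {normalize_dn(m) for m in attrs.get(member_attr, [])}
                if wanted in members:
                    groups.extend(attrs.get("cn", []))
    return groups


def role_from_group(group_cn: str) -> str:
    """GeoServer's convention from the page: ROLE_ followed by the group name in upper case."""
    return "ROLE_" + group_cn.upper()


def roles_for_user(entries: dict[str, dict[str, list[str]]], user_dn: str) -> list[str]:
    """Roles GeoServer would assign after a successful bind as user_dn."""
    return sorted(role_from_group(cn) for cn in ldap_groups_for(entries, user_dn))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(roles_for_user(directory, "uid=bob,ou=people,dc=acme,dc=com"))  # ['ROLE_WORKERS']
```

The point worth noticing is that, under this option, authorization in GeoServer is decided entirely by the directory's group membership attributes: whoever can write the member attribute of a group (or create a group whose cn upper-cases to an administrative role name) controls which roles a GeoServer user receives, so the groups branch deserves the same change control as GeoServer's own role service.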
Secure LDAP connections
Because the provider authenticates with an LDAP simple bind, every user's password is sent to the directory on each authentication; over a plain ldap connection it crosses the network unencrypted, so a secure connection should be used in production. There are two ways to create a secure LDAP connection with the server. The first is to directly specify a secure connection by using the ldaps protocol as part of the Server URL. This typically requires changing the connection port to port 636 rather than 389.
The second method involves using STARTTLS to negotiate a TLS (Transport Layer Security) session over a non-secure connection. The negotiation takes place over the non-secure URL using the ldap protocol on port 389. To use this option, the Use TLS flag must be set.
Using the Use TLS (STARTTLS) option will prevent GeoServer from being able to pool LDAP connections. This means a new LDAP connection will be created and destroyed for each authentication, resulting in a loss of performance.
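As an added example (not GeoServer code), the check below classifies an LDAP provider's connection settings the way a reviewer would before signing off on a configuration: it reads the Server URL and the Use TLS flag, works out the effective port, and reports whether credentials would travel over ldaps, over STARTTLS, or in cleartext. The setting names serverURL and useTLS, the dict layout, and the treatment of ldaps plus Use TLS as a redundant combination are this example's own assumptions.

```python
"""Added example: lint an LDAP provider connection configuration for transport security.
Not GeoServer code; setting names and return layout are assumptions of this example."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def classify_ldap_connection(server_url: str, use_tls: bool) -> dict:
    """Describe how bind credentials would travel for a Server URL and a Use TLS flag.

    Returns {"scheme", "port", "transport", "findings"} where transport is one of
    "ldaps", "starttls" or "cleartext" and findings lists human-readable warnings."""
    parts = urlsplit(server_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected ldap:// or ldaps://")
    port = parts.port or DEFAULT_PORTS[scheme]   # fall back to the protocol default
    findings: list[str] = []

    if scheme == "ldaps":
        transport = "ldaps"                       # TLS from the first byte
        if use_tls:
            findings.append("Use TLS (STARTTLS) is redundant on an ldaps:// URL; use one or the other")
        if port == 389:
            findings.append("ldaps:// normally uses port 636, not the plain ldap port 389")
    elif use_tls:
        transport = "starttls"                    # plain connection upgraded by STARTTLS
        if port == 636:
            findings.append("STARTTLS negotiates on the plain ldap port (389); port 636 expects TLS immediately")
    else:
        transport = "cleartext"
        findings.append("simple bind over plain ldap:// sends every user's password unencrypted; "
                        "switch to ldaps:// or enable Use TLS")

    if not parts.hostname:
        findings.append("Server URL has no host")
    return {"scheme": scheme, "port": port, "transport": transport, "findings": findings}


def lint_provider(settings: dict) -> list[str]:
    """Convenience wrapper over a settings dict shaped like {"serverURL": ..., "useTLS": ...}
    (constructed layout for this example)."""
    result = classify_ldap_connection(settings["serverURL"], bool(settings.get("useTLS", False)))
    return [f"{result['transport']} on port {result['port']}: {msg}" for msg in result["findings"]]


if __name__ == "__main__":
    # Constructed sample configurations: the weak default beside two corrected ones.
    weak = {"serverURL": "ldap://ldap.acme.com:389/dc=acme,dc=com", "useTLS": False}
    starttls = {"serverURL": "ldap://ldap.acme.com:389/dc=acme,dc=com", "useTLS": True}
    ldaps = {"serverURL": "ldaps://ldap.acme.com:636/dc=acme,dc=com", "useTLS": False}
    for cfg in (weak, starttls, ldaps):
        print(cfg["serverURL"], cfg["useTLS"], lint_provider(cfg) or ["ok"])
```

The check only inspects the configuration; to confirm the directory actually offers TLS before switching GeoServer over, an OpenLDAP client run of ldapsearch -ZZ -H ldap://host (which fails unless STARTTLS succeeds) or ldapsearch -H ldaps://host from the GeoServer machine exercises the same path the provider will use, including the JVM's view of the server certificate.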
The JDBC authentication provider authenticates by connecting to a database over JDBC.
The provider takes the username/password from the incoming request and attempts to create a database connection using those credentials. Optionally the provider may use a user/group service to load user information after a successful authentication. In this context the user/group service will not be used for password verification, only for role assignment.
To use the user/group service for password verification, please see the section on Username/password authentication.