Configuring Active Directory as the security store
ArcGIS Server can leverage user and role information stored in Microsoft's Active Directory. Because ArcGIS Server treats Active Directory as a read-only source of user and role information, administrators cannot use ArcGIS Server Manager to add, edit, or delete users or roles; those changes must be made in Active Directory itself.
Active Directory configuration options
The screen shot below shows the dialog box for configuring Active Directory as a user store.
The following table describes the fields in the dialog box:
| Field | Required/Optional | Description |
|---|---|---|
| Host name | Required | Name of the host machine (domain controller) on which the Active Directory instance is running. |
| Port | Required | Port on which the Active Directory server listens for incoming connections. The standard ports are 389 for LDAP and 636 for LDAP over SSL/TLS (LDAPS); use 636 where possible so that the bind credentials and directory data are not sent in clear text. |
| Base DN | Required | The Distinguished Name of the node in the directory under which user information is maintained, for example ou=people,ou=arcgis,dc=esri,dc=com. |
| Generate URL | N/A | Generates the URL used to connect to the Active Directory instance from the values entered in the Host name, Port, and Base DN fields. |
| Active Directory URL | Required | Contains the generated Active Directory URL. Edit this URL if it is incorrect or requires changes. |
| User ID Attribute | Required | The name of the attribute that holds the user's login name. For example, if the user DN is sAMAccountName=alice,ou=people,ou=arcgis,dc=esri,dc=com, the user ID attribute is sAMAccountName. Note that in most Active Directory domains the RDN of a user entry is its CN (cn=Alice Example,...) while the login name is held in sAMAccountName or userPrincipalName, so specify whichever of those attributes users will enter as their user name. |
| Administrator's DN | Optional | The DN of an account that can bind to the directory and read the organizational unit containing the users. Active Directory rejects anonymous binds by default, so in practice a bind account is required; it needs only read access to the user and role entries, so use a dedicated low-privilege service account rather than a domain administrator. |
| Password | Optional | The password of the account given in Administrator's DN. |
| Test Connection | N/A | Uses the Active Directory URL (and the bind credentials, if supplied) to test the connection to the server. If the test fails, check the Active Directory connection parameters. |
ArcGIS Server can leverage role information maintained in either of the following ways:
Role as Entry
Here, every role is an independent node (entry) in the Active Directory tree, uniquely identified by its DN. The users assigned to the role are stored, by their DNs, as values of an attribute of that entry; for Active Directory groups this is the member attribute.
For example, a role maintained as an independent entry in Active Directory (a group whose member attribute lists the users assigned to the role):
dn: CN=Editors,OU=Roles,DC=mycompany,DC=com
cn: Editors
description: Group of editors
member: CN=User1,OU=Users,DC=mycompany,DC=com
member: CN=User2,OU=Users,DC=mycompany,DC=com
member: CN=User3,OU=Users,DC=mycompany,DC=com
The screen shot below shows the dialog box for configuring Active Directory as a role store when roles are maintained as independent entries.
The following table describes the fields in the dialog box:
| Field | Required/Optional | Description |
|---|---|---|
| Role Type = Role As Entry | Required | Roles are maintained in Active Directory as entries. |
| Base DN | Required | The Distinguished Name of the node in the directory under which role information is maintained, for example ou=roles,ou=arcgis,dc=esri,dc=com. |
| Generate URL | N/A | Generates the URL used to retrieve the roles from the values entered above. |
| Active Directory URL | Required | Editable text field containing the Manager-generated Active Directory URL. |
| User Attribute in Role Entry | Required | The name of the attribute in the role entry that holds the DNs of its users; for Active Directory groups this is member. |
| Test Connection | N/A | Tests the connection to Active Directory using the Active Directory URL. If the test fails, recheck the parameters in this dialog box. |
Role as Attribute
Here, every role is a value of an attribute of the user entry. Each value can be either a plain string naming the role or the DN of an entry that holds the role information. In Active Directory the memberOf attribute of a user holds the DNs of the groups that user belongs to, which makes it the usual choice for this model.
For example, roles maintained as attribute values of a user entry:
dn: CN=User1,OU=Users,DC=mycompany,DC=com
cn: User1
sn: User1
description: Editors
description: Viewers
description: Administrators
The screen shot below shows the dialog box for configuring Active Directory as a role store when roles are maintained as attribute values of user entries.
The following table describes the fields in the dialog box:
| Field | Required/Optional | Description |
|---|---|---|
| Role Type = Role as Attribute | Required | Roles are maintained in Active Directory as attribute values of the user entry. |
| Role Attribute in User Entry | Required | Name of the attribute in the user entry that holds the role information, for example memberOf (whose values are group DNs) or an attribute whose values are plain role names. |
| Test Connection | N/A | Uses the parameters entered to test the connection to Active Directory. |
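The two role models above are the same membership relation read in opposite directions: Role as Entry searches the role Base DN for entries whose user attribute contains the user's DN, while Role as Attribute reads the role attribute of the user's own entry and, when a value is a DN, takes its leading RDN as the role name. The following script, an added example rather than ArcGIS Server code, performs both lookups offline against a constructed LDIF-style snapshot of the entries this page uses, and first resolves the login name through the configured User ID attribute, returning nothing unless exactly one entry matches. The attribute names member, memberOf, sAMAccountName and description are the standard Active Directory ones; the DNs, login names and the group membership data are made up for the example.

```python
"""Resolve a user's roles the two ways this page describes (Role as Entry
and Role as Attribute). Added example, not ArcGIS Server code; runs against
a constructed LDIF-style snapshot so no domain controller is needed."""
from collections import defaultdict

# Constructed snapshot of the entries used on this page (not real data).
SNAPSHOT = """\
dn: CN=User1,OU=Users,DC=mycompany,DC=com
cn: User1
sAMAccountName: user1
memberOf: CN=Editors,OU=Roles,DC=mycompany,DC=com
memberOf: CN=Viewers,OU=Roles,DC=mycompany,DC=com

dn: CN=User2,OU=Users,DC=mycompany,DC=com
cn: User2
sAMAccountName: user2
description: Viewers
memberOf: CN=Editors,OU=Roles,DC=mycompany,DC=com

dn: CN=Editors,OU=Roles,DC=mycompany,DC=com
cn: Editors
member: CN=User1,OU=Users,DC=mycompany,DC=com
member: CN=User2,OU=Users,DC=mycompany,DC=com

dn: CN=Viewers,OU=Roles,DC=mycompany,DC=com
cn: Viewers
member: CN=User1,OU=Users,DC=mycompany,DC=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into
    {dn: {attribute: [values]}}. LDAP attribute names are case-insensitive,
    so they are stored lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[name].append(value)
    return entries


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components so that
    'CN=User1, OU=Users,...' and 'cn=user1,ou=users,...' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def under_base(dn, base_dn):
    """True if dn is the base entry itself or lies below it in the tree."""
    dn, base = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base or dn.endswith("," + base)


def rdn_value(dn):
    """'CN=Editors,OU=Roles,...' -> 'Editors' (the role name Manager shows)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def find_user_dn(entries, base_dn, user_id_attr, user_id):
    """Locate the user under the user Base DN by the configured User ID
    attribute (e.g. sAMAccountName). Returns None unless exactly one entry
    matches: a missing or duplicated login name cannot be authenticated."""
    matches = [dn for dn, attrs in entries.items()
               if under_base(dn, base_dn)
               and any(v.lower() == user_id.lower()
                       for v in attrs.get(user_id_attr.lower(), []))]
    return matches[0] if len(matches) == 1 else None


def roles_as_entry(entries, role_base_dn, user_attr, user_dn):
    """Role as Entry: search the role Base DN for entries whose user
    attribute (e.g. member) lists the user's DN; each match's RDN value is
    a role name."""
    target = normalize_dn(user_dn)
    return sorted(rdn_value(dn) for dn, attrs in entries.items()
                  if under_base(dn, role_base_dn)
                  and any(normalize_dn(v) == target
                          for v in attrs.get(user_attr.lower(), [])))


def roles_as_attribute(entries, user_dn, role_attr):
    """Role as Attribute: read the role attribute of the user entry. A value
    whose first component looks like 'attr=value' is treated as a DN and
    reduced to its RDN value; any other value is a literal role name."""
    roles = set()
    for value in entries[user_dn].get(role_attr.lower(), []):
        first = value.split(",", 1)[0]
        roles.add(rdn_value(value) if "=" in first else value)
    return sorted(roles)


if __name__ == "__main__":
    ad = parse_ldif(SNAPSHOT)
    dn = find_user_dn(ad, "OU=Users,DC=mycompany,DC=com", "sAMAccountName", "user1")
    print(dn)
    print(roles_as_entry(ad, "OU=Roles,DC=mycompany,DC=com", "member", dn))
    print(roles_as_attribute(ad, dn, "memberOf"))
```

For User1 both lookups return Editors and Viewers, which is the check worth running before switching an existing deployment between the two role types: if the group's member list and the user's memberOf disagree, the role store configuration will grant different access depending on which model is selected. Against a live domain controller the same two queries are an ldapsearch with base OU=Roles,... and filter (member=<user DN>), and an ldapsearch with base <user DN> and scope base returning memberOf, run over LDAPS with the bind account entered in Administrator's DN.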