Configuring LDAP as the security store
ArcGIS Server can use user and role information stored in an LDAP server. The server treats the LDAP server as a read-only source of user and role information; consequently, you cannot use Manager to add, edit, or delete users or roles in the LDAP server.
LDAP configuration options
The screen shot below shows the dialog box for configuring an LDAP server as a user store.
The following table describes the fields and buttons in the configure LDAP dialog box:
| Field | Required/Optional | Description |
| --- | --- | --- |
| Host name | Required | Name of the host machine on which the LDAP server is running. |
| Port | Required | Port number on the host machine where the LDAP server is listening for incoming connections. |
| Base DN | Required | The distinguished name (DN) of the node in the directory server under which user information is maintained, e.g. ou=People,dc=esri,dc=com. |
| Generate URL | N/A | Generates the LDAP URL that will be used to connect to the LDAP server. |
| LDAP URL | Required | Contains the LDAP URL. Edit this URL if it is incorrect or requires changes. |
| User ID Attribute | Required | The name of the attribute that contains the user name. For example, if the user DN is uid=alice,ou=people,dc=esri,dc=com, the user ID attribute is uid. |
| Administrator's DN | Optional | The DN of an LDAP administrator account that has access to the node containing user information. |
| Password | Optional | The administrator's password. |
| Test Connection | N/A | Uses the LDAP URL to test the connection to the LDAP server. If the connection succeeds, the configuration can be saved. If the test fails, check the LDAP URL or the Administrator's DN and password. |
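The dialog above combines the host name, port and base DN into an LDAP URL and uses the User ID Attribute to look up a login name. The following is an added example, not ArcGIS Server code, showing how those pieces fit together: assembling and re-parsing the URL (RFC 4516), and building the user-lookup filter with the escaping RFC 4515 requires so that a login name is matched literally. The host name `ldap.example.com`, the ports and the login names are constructed for illustration.

```python
# Added example (not ArcGIS Server code): how the values in the configure-LDAP
# dialog combine into the LDAP URL and the user-lookup filter. The host name,
# port and login names used below are constructed for illustration.
from urllib.parse import quote, unquote, urlsplit


def build_ldap_url(host, port, base_dn, use_ldaps=False):
    """Assemble an LDAP URL (RFC 4516) from host, port and base DN.

    The DN is the first path component of the URL, so characters that are
    not URL-safe (such as spaces) are percent-encoded; '=' and ',' are
    legal in the DN component and stay readable.
    """
    scheme = "ldaps" if use_ldaps else "ldap"
    return "%s://%s:%d/%s" % (scheme, host, int(port), quote(base_dn, safe="=,"))


def parse_ldap_url(url):
    """Split an LDAP URL back into scheme, host, port and base DN so that a
    hand-edited URL can be checked before it is saved."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if not parts.hostname:
        raise ValueError("LDAP URL has no host: %r" % url)
    # Default ports per RFC 4516 when the URL omits one.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": port, "base_dn": base_dn}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 s.3).

    '*', '(', ')', '\\' and NUL would otherwise change the filter's
    structure, so each becomes a backslash followed by its two hex digits.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_search_filter(user_id_attribute, login_name):
    """Filter that finds the entry whose user ID attribute equals the login
    name, e.g. (uid=alice) for the page's example."""
    return "(%s=%s)" % (user_id_attribute, escape_filter_value(login_name))


if __name__ == "__main__":
    url = build_ldap_url("ldap.example.com", 389, "ou=People,dc=esri,dc=com")
    print(url)
    print(parse_ldap_url(url))
    print(user_search_filter("uid", "alice"))
```

`parse_ldap_url` is the check to run on the LDAP URL field after editing it by hand: a wrong scheme or a missing host is caught before Test Connection is attempted, and the default port applied for `ldaps://` is visible.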
ArcGIS Server can use role information maintained in an LDAP server in one of two ways: Role as Entry or Role as Attribute.
Role as Entry
Here, every role is an independent node in the LDAP tree, uniquely identified by its distinguished name (DN). The users (identified by their own unique DNs) assigned to a role are maintained as values of an attribute of that role node.
For example, roles maintained as independent entries within an LDAP directory:
DN: CN=Editors,OU=Roles,DC=mycompany,DC=com
CN: Editors
Description: Groups of editors
uniqueMember: CN=User1,OU=Users,DC=mycompany,DC=com
uniqueMember: CN=User2,OU=Users,DC=mycompany,DC=com
uniqueMember: CN=User3,OU=Users,DC=mycompany,DC=com
The screen shot below shows the dialog box for configuring LDAP as a role store when roles are maintained as independent entries.
The following table describes each of the fields of the dialog box:
| Field | Required/Optional | Description |
| --- | --- | --- |
| Role Type = Roles As Entry | Required | Use if roles are always maintained in LDAP as entries. |
| Base DN | Required | The DN of the node in the directory server under which role information is stored, e.g. ou=People,dc=esri,dc=com. |
| Generate URL | Required | Generates the LDAP URL for the role store. |
| LDAP URL | Required | Contains the generated LDAP URL. Edit the URL if it is incorrect. |
| User Attribute in Role Entry | Required | The name of the attribute in the role entry/node that contains the user information. |
| Test Connection | N/A | Tests the connection to the LDAP server using the LDAP URL. If the connection succeeds, save the configuration. If the test fails, check and correct the LDAP parameters. |
Role as Attribute
Here, every role is maintained as a value of an attribute of the user's node. Each value is either a role name string or the DN of a node that holds the role information.
For example, roles maintained as attribute information of a user entry:
DN: CN=User1,OU=Users,DC=mycompany,DC=com
CN: User1
SN: User1
Description:Editors
Description:Viewers
Description:Administrators
The illustration below shows the dialog box for configuring LDAP as a role store when the roles are maintained as attribute information of a user entry.
The following table describes the fields in the dialog box:
| Field | Required/Optional | Description |
| --- | --- | --- |
| Role Type = Role As Attribute | Required | Select if roles are maintained in LDAP as attributes of the user entry/node. |
| Role Attribute in User Entry | Required | Name of the attribute in the user node that holds the role information. |
| Test connection | N/A | Creates a test connection to the LDAP server. If the connection fails, check the parameters entered in this dialog box. |
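The two role layouts described above (Role as Entry and Role as Attribute) lead to two different lookups for the same question, "which roles does this user hold?". The following is an added example, not ArcGIS Server code, that resolves roles both ways against an in-memory stand-in for the directory. `DIRECTORY` is constructed from the page's sample Editors role and User1 entry, plus a constructed Viewers role and a constructed User2 whose role value is a DN rather than a name (the case the Role as Attribute text mentions); the function and variable names are the example's own.

```python
# Added example (not ArcGIS Server code): resolving a user's roles from LDAP
# entries laid out as Role as Entry and as Role as Attribute. DIRECTORY is a
# constructed in-memory stand-in for the LDAP server, built from the page's
# sample entries plus a constructed Viewers role and a constructed User2 whose
# role value is a DN. Attribute names are stored lower-cased.
DIRECTORY = {
    # Role as Entry: each role is its own node; members are uniqueMember values.
    "CN=Editors,OU=Roles,DC=mycompany,DC=com": {
        "cn": ["Editors"],
        "description": ["Groups of editors"],
        "uniquemember": [
            "CN=User1,OU=Users,DC=mycompany,DC=com",
            "CN=User2,OU=Users,DC=mycompany,DC=com",
            "CN=User3,OU=Users,DC=mycompany,DC=com",
        ],
    },
    "CN=Viewers,OU=Roles,DC=mycompany,DC=com": {  # constructed role node
        "cn": ["Viewers"],
        "uniquemember": [
            "CN=User1,OU=Users,DC=mycompany,DC=com",
            "CN=User2,OU=Users,DC=mycompany,DC=com",
        ],
    },
    # Role as Attribute: the user's own entry carries the role values.
    "CN=User1,OU=Users,DC=mycompany,DC=com": {
        "cn": ["User1"],
        "sn": ["User1"],
        "description": ["Editors", "Viewers", "Administrators"],
    },
    "CN=User2,OU=Users,DC=mycompany,DC=com": {  # constructed: role given as a DN
        "cn": ["User2"],
        "sn": ["User2"],
        "description": ["cn=viewers, ou=roles, dc=mycompany, dc=com"],
    },
}


def normalize_dn(dn):
    """Canonical form for comparing DNs: case-insensitive, no whitespace
    around the commas. (Toy normalization: RFC 4514 escaping, such as a
    comma inside a value, is not handled.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_entry(directory, dn):
    """Return the entry whose DN matches, comparing normalized DNs."""
    target = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == target:
            return attrs
    return None


def roles_as_entry(directory, role_base_dn, user_attribute, user_dn):
    """Role as Entry: the CN of every role node under role_base_dn whose user
    attribute (e.g. uniqueMember) lists the user's DN."""
    base = normalize_dn(role_base_dn)
    target = normalize_dn(user_dn)
    roles = []
    for entry_dn, attrs in directory.items():
        if not normalize_dn(entry_dn).endswith("," + base):
            continue  # not under the role base DN
        members = {normalize_dn(m) for m in attrs.get(user_attribute.lower(), [])}
        if target in members:
            roles.append(attrs["cn"][0])
    return sorted(roles)


def roles_as_attribute(directory, user_dn, role_attribute):
    """Role as Attribute: read the role attribute from the user's own entry.
    A value that is the DN of a role node resolves to that node's CN; any
    other value is taken as the role name itself."""
    entry = find_entry(directory, user_dn)
    if entry is None:
        return []
    roles = []
    for value in entry.get(role_attribute.lower(), []):
        role_entry = find_entry(directory, value) if "=" in value else None
        roles.append(role_entry["cn"][0] if role_entry else value)
    return sorted(roles)


if __name__ == "__main__":
    user1 = "CN=User1,OU=Users,DC=mycompany,DC=com"
    print(roles_as_entry(DIRECTORY, "OU=Roles,DC=mycompany,DC=com", "uniqueMember", user1))
    print(roles_as_attribute(DIRECTORY, user1, "Description"))
```

The two functions correspond to the two dialog settings: `roles_as_entry` takes the role store's Base DN and the User Attribute in Role Entry, while `roles_as_attribute` takes only the Role Attribute in User Entry, since everything it needs is on the user's own node. DN comparison is done on a normalized form because the same DN can legitimately appear with different case and spacing in different entries.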