POST
|
Hi. Glad I was able to provide some help. Here are some screen shots illustrating the entries I made and have worked for me within ArcGIS Server Manager using the security configuration wizard. Some entries are perhaps more intuitive than others. The Security screen ends up looking like: Note, afterwards you can view users and groups in the ArcGIS Server Admin interface. You may have to reassign the "role type" to a particular role (i.e., assign 'admin' role to 'Administrator' role type), but otherwise everything else is administered via your LDAP admin application. Hope this helps, Pete
11-10-2014
12:40 PM
|
0
|
0
|
3390
|
POST
|
Hi Carlos, Sorry for the delay. I was able to establish HTTP Basic authentication after a lot of work. In summary, it involved the following steps:

Prerequisites:
- Telnet/ssh client
- Ubuntu or root account access, or the ability to use sudo in front of commands if you are denied access.
- Make sure you make backup copies of config files before doing any editing so you can revert to them if needed.

Install and configure Apache Tomcat
On Ubuntu that is done by running "sudo apt-get update" and then "sudo apt-get install tomcat7".

Install LDAP
In my case, I installed and used OpenLDAP (shown as slapd in Linux), since it was also free. I entered "sudo apt-get install slapd ldap-utils".

Configure LDAP
After learning the basics, and configuring slapd with slapd.conf based on some web searching around, I decided to download a GUI for creating my LDAP hierarchies, mainly just Groups and Users, and then linking Users to Groups via group settings. There are GUIs available for this at least: Apache Directory Studio and Ldap Admin Tool (I downloaded for Mac OSX). I copied the groups and users used on ArcGIS Server so that there would not be any problems.

Configure Tomcat and ArcGIS Server app to use LDAP for basic authentication
Requires adding the right lines to the Tomcat server.xml file within the root conf directory.
Here is a sample:

```xml
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       connectionName="cn=admin,dc=example,dc=com"
       connectionPassword="connectionAdminPassword"
       userPattern="cn={0},ou=users,dc=example,dc=com"
       roleBase="ou=roles,dc=example,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
```

Also add the right lines to the Tomcat manager web app's web.xml file in the web service's directory, e.g., /usr/local/apache-tomcat-7.0.47/webapps/manager/WEB-INF

Here is a sample:

```xml
<security-role-ref>
  <role-name>admin</role-name>
  <role-link>cn=admin,ou=roles,dc=example,dc=com</role-link>
</security-role-ref>
<security-role-ref>
  <role-name>arcgisserver</role-name>
  <role-link>cn=arcgisserver,ou=roles,dc=example,dc=com</role-link>
</security-role-ref>
<security-role-ref>
  <role-name>users</role-name>
  <role-link>cn=users,ou=roles,dc=example,dc=com</role-link>
</security-role-ref>

<security-constraint>
  <display-name>Your Portal Name</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>arcgisserver</role-name>
    <role-name>users</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Your Portal Name</realm-name>
</login-config>

<security-role>
  <description>The role that is required to access the admin pages</description>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <description>The role that is required to access the internal pages</description>
  <role-name>arcgisserver</role-name>
</security-role>
<security-role>
  <description>The role that is for customer-accessed pages</description>
  <role-name>users</role-name>
</security-role>
```

Note that all text/tags within these XML configuration files are case-sensitive!
So make sure that they are used exactly like the example (Lesson-learned, I did not have one letter capitalized and the whole thing wouldn't work as a result).

Restart Tomcat

Install the ArcGIS Server Java Web Adaptor on the Apache Tomcat server
On AWS/Ubuntu I had to extract the arcgis.war file and then use the Tomcat Web Application Manager user interface to deploy the arcgis web manager application (load the arcgis.war file). There is now an arcgis directory within the [TomcatHome]/webapps directory. Go to the [TomcatHome]/webapps/arcgis/WEB-INF folder and add the following template (or something like it) to the bottom of the web.xml file:

Now that the LDAP server is configured properly, change your Security configuration settings within ArcGIS Server Manager from ArcGIS Server's built-in store to one of the LDAP options (I decided to go all LDAP to simplify administration). This helps some - http://resources.arcgis.com/en/help/main/10.2/index.html#/Securing_services_with_users_and_roles_from_an_LDAP_server/01540000050w000000/

Enter the following in the LDAP User Store screen:
- Host name IP
- Port (389 if you didn't change it)
- Base DN - an example is "dc=example,dc=com" (using the default LDAP namespace)
- The URL is populated based on settings above.
- RDN attribute: "cn" - the prefix of our user names
- Administrator's DN: "cn=UserWithAdminRoleName,ou=users,dc=example,dc=com"
- Password: Admin User's password

Press the Test Connection button and make sure you get a happy result. If not, something is wrong with one of the LDAP parameters above or something within the LDAP server (e.g., admin user not assigned to admin group).
Press the Next button to go to the LDAP Role Store configuration:
- Enter the Base DN of the groups store within LDAP, example: ou=roles,dc=example,dc=com
- The URL should be populated based on your entry above
- User Attribute in Role Entry: I used the attribute called "uniqueMember"

Press the Next button to select the Authentication Tier - change from GIS Server Tier to Web Tier

You are not done yet...but close. The only way to configure the ArcGIS Server Web adaptor is to do it via a local server connection. On a headless AWS Ubuntu server this is accomplished via X-Windows on your remote client. Here is an overview: http://resources.arcgis.com/en/help/main/10.2/index.html#//015500000679000000. For this you must do two things:
- In my case with a local Windows 7 environment, download and install Xming.
- Alter your terminal emulator settings (in my case, go to PuTTY, Connection, SSH, X11, and enable X11 forwarding).

Re-login to your AWS Ubuntu server. Run firefox within the terminal client and wait for it to pop up on your local machine within an Xwindow.
- Enter the address: http://localhost:XXXX/arcgis/webadaptor (the XXXX is the port number of Tomcat if necessary)
- Select ArcGIS for Server
- Next screen, enter:
  - Enter GIS Server URL (for us it was http://localhost:6080)
  - Enter ArcGIS Server Manager User Name and Password
  - Optionally enable administrative access to the site via the Web Adaptor (I did).
- Click on the Configure button and hope for a green screen area result.

Log in to ArcGIS Server Manager as the admin and check under Security that Users and Roles from LDAP are populated accordingly and ensure that Role Types are assigned properly. Also check, under Site - Web Adaptor, that it shows an entry for your ArcGIS WebAdaptor.

You should now be able to close the padlock on your service and then have a user name/password prompt precede access to all your services' capabilities, not just the proprietary ones.

Sorry, this message has been a long one.
My main hope is that it was instructive but also illustrative of the complexity involved. I originally thought "Basic authentication" would be easy; that was definitely not the case. If you need any more details about a particular section, we can continue the thread.

My not-so-humble opinion is that for its cost, ArcGIS Server should be designed for complete solutions including OGC services. A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed. An advanced GIS Practitioner should not require heavy linux/tomcat/etc implementation know-how. Is there a GIS program out there that teaches all this? I don't think so. Luckily I have grown to know enough unix to make me dangerous, and I'm pretty good at googling. So I managed to accomplish implementing "Basic" authentication with ArcGIS Server with only general guidelines but not without going through a share of turmoil.

Lastly, just in case you think I actually exist to bash ESRI, I generally like and appreciate ESRI desktop applications. They are brilliant. However I see two areas that need improvement for this and other cases: complete support for OGC services (they are here to stay), and bringing up the level of support within the JAVA/linux server space compared to that provided to Microsoft environments. At the very least, I expected a white paper to address setting up web-tiered authentication rather than bupkis.

Again, if you'd like any further help with accomplishing some or all of the above steps, then I am at your service. All the best, Pete
11-06-2014
02:42 PM
|
2
|
3
|
3390
|
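A check for the web.xml security block described in the Basic-authentication post above, as an added example that is not part of the original post or of Tomcat or ArcGIS. It flags the mis-cased tag problem the post mentions, roles used but never declared, and BASIC authentication with no TLS requirement; the names `lint_web_xml`, `KNOWN` and `SAMPLE` are introduced here, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Element names from the post's web.xml sample plus the servlet-spec TLS constraint.
KNOWN = {"security-constraint", "web-resource-collection", "web-resource-name",
         "url-pattern", "auth-constraint", "role-name", "login-config",
         "auth-method", "realm-name", "security-role", "security-role-ref",
         "role-link", "user-data-constraint", "transport-guarantee",
         "display-name", "description"}

# Constructed sample: mis-cased tag, undeclared role, no TLS requirement.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><Auth-Method>BASIC</Auth-Method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop a namespace prefix such as {http://...}role-name."""
    return tag.rsplit("}", 1)[-1]

def lint_web_xml(text):
    """Return a list of findings for a web.xml document given as a string."""
    elems = [(local(e.tag), e) for e in ET.fromstring(text).iter()]
    findings = []

    def texts(parent, child):
        return {(c.text or "").strip() for name, p in elems if name == parent
                for c in p.iter() if local(c.tag) == child}

    # 1. XML is case-sensitive: <Auth-Method> is not <auth-method>.
    for name, _ in elems:
        if name not in KNOWN and name.lower() in KNOWN:
            findings.append(f"case: <{name}> should be <{name.lower()}>")
    # 2. Every role an auth-constraint names must be declared in a security-role.
    declared = texts("security-role", "role-name")
    for role in sorted(texts("auth-constraint", "role-name") - declared):
        findings.append(f"role: '{role}' is not declared in <security-role>")
    # 3. BASIC sends the password base64-encoded, so the constraint should force TLS.
    methods = {(e.text or "").strip().upper() for n, e in elems if n.lower() == "auth-method"}
    if "BASIC" in methods and "CONFIDENTIAL" not in texts("user-data-constraint", "transport-guarantee"):
        findings.append("transport: BASIC without <transport-guarantee>CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_web_xml(SAMPLE)))
```

Adding a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` inside the `<security-constraint>` clears the third finding by making the container require HTTPS for the protected URLs.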
POST
|
Hi, Recently an established elastic IP address was dropped and a new one was added and bound to the EC2 instance (e.g., 54.1.1.1 is now 54.2.2.2). As a result, an ArcGIS service won't start up, giving the error message: SITEHOST null How did SITEHOST become null? This service is accessing an SDE instance running on the same machine. Other services start up fine (file geodatabase-based). Is there any kind of config file that can be updated with the new address information without republishing from an ArcMap? Even worse, will republishing fail? Thanks, Pete
09-17-2014
09:55 AM
|
0
|
0
|
4322
|
POST
|
Need step-by-step instructions please. I'm running on an Ubuntu Linux box (AWS). I've tried several things based on general instructions about authentication and I'm not getting anywhere. Need details about where in the ArcGIS Ubuntu directory structure to navigate, what files to edit, samples/templates, etc. Thanks in advance!
09-10-2014
01:57 PM
|
0
|
0
|
2969
|
POST
|
Hi Riyas, Thanks for the quick and helpful reply. I was making the mistake (I guess) of thinking it could all be done on the server-side and not having to directly link a local directory reference with server directory reference prior to publishing. I still would like to be able to change things on the server side should things change in that environment, e.g., adding a new disk and moving data to that disk without having to create links, etc. There seems to be an unnecessary coupling between the local ArcGIS Desktop platform and the remote ArcGIS Server platform. I understand that ArcMap is needed to create service components, but why does that umbilical have to be something permanently maintained? I would like to basically be able to, as a Server Manager: 1.) move file gdb to another disk:folder 2.) select a map service 3.) change the map service data source (i.e., make Service Workspace database property value/path editable). Seems like it should be a standard admin capability, yes? If not, why? Thanks again for being able to address my problem. All the best, Pete
09-08-2014
11:58 AM
|
0
|
0
|
812
|
POST
|
Hi, I've been hunting around for what I thought would be an easy answer. Does anyone know, or know of a resource that I can access, which lets me assign users/passwords to potential WFS or WMS users? Currently, once a service is locked for private access via ArcGIS Server Manager, the only way you can access it is via the default service mapping capability via ArcGIS Server and not WMS or WFS. I need to be able to expose my OGC web services to a limited set of user accounts. I know that the "help" says that I'm to rely on knowing how to set up HTTP Basic or HTTP Digest for OGC service authentication since it is decoupled from ESRI's ArcGIS Server implementation. However, I'm having a difficult time finding where to find files like .htaccess. I'm running ArcGIS Server 10.2 on an AWS EC2 Linux box. The web server is listed as cloudflare-nginx and I have no clue about how it works. So...I'm thinking that since this isn't a straight-forward Apache config edit operation, it is currently above my head. Does anybody have experience setting up OGC web mapping service authorization running ArcGIS Server 10.2 within an EC2 AWS Linux environment? I'd just love a step-by-step guide. Thanks in advance, Pete
09-08-2014
11:04 AM
|
0
|
7
|
13731
|
POST
|
I'm working with an Amazon EC2 Linux instance running ArcGIS Server. I have no way of connecting to it via ArcCatalog. So, my .mxd has a local data source definition (e.g., D:\Data\file_geo.gdb). When I change the data source to the unix path the data is also located at, the sd file will not generate since the path is not valid on my local machine (e.g., /gisdata/fileGDBs/file_geo.gdb) and that generates a red alert. Is there a way to do a "disconnected" service definition, and if not, why? On the ArcGIS Server Manager side, why is there no way to change the base table definition (or if there is a way I haven't found, how?). Changing a path in either ArcMap, ArcCatalog, or ArcGIS Server Manager should be a trivial capability. If there is no workaround on the ESRI side, has anyone successfully created an instance of a shared Linux EC2 directory available via Windows 7? Thanks in advance for your help. Again, all I thought I needed to do is edit the base table definition string/path and I am extremely frustrated that this is not doable. Why? Thanks in advance, Pete Vaziri pvaziri@whitestar.com
09-05-2014
11:39 AM
|
0
|
2
|
2912
|
Title | Kudos | Posted |
---|---|---|
2 | 11-06-2014 02:42 PM |
Online Status |
Offline
|
Date Last Visited |
11-11-2020
02:24 AM
|