Latest Contributions by PeterVaziri

Hi.  Glad I was able to provide some help.  Here are some screen shots illustrating the entries I made and have worked for me within ArcGIS Server Manager using the security configuration wizard.  Some entries are perhaps more intuitive than others. The Security screen ends up looking like: Note, afterwards you can view users and groups in the ArcGIS Server Admin interface.  You may have to reassign the "role type" to a particular role (i.e., assign 'admin' role to 'Administrator' role type), but otherwise but everything else is administered via your LDAP admin application. Hope this helps, Pete ... View more

Hi Carlos, Sorry for the delay.  I was able to establish HTTP Basic authentication after a lot of work.  In summary, it involved the following steps: Prerequisites: Telnet/ssh client Ubuntu or root account access or the ability use sudo in front of commands if you are denied access. Make sure you make backup copies of config files before doing any editing so you can revert to them if needed. Install and configure Apache Tomcat On ubuntu that is done by entering running, "sudo apt-get update" and then "sudo apt-get install tomcat7" Install LDAP In my case, I installed and used OpenLDAP (shown as slapd in Linux), since it was also free.  I entered, " sudo apt-get install slapd ldap-utils Configure LDAP After learning the basics, and configuring slapd with slapd.conf based on some web searching around, I decided to download a GUI for creating my LDAP hierarchies, mainly just Groups and Users, and then linking Users to Groups via group settings. There are GUIs available for this at least: Apache Directory Studio and Ldap Admin Tool (I downloaded for Mac OSX). I copied the groups and users used on ArcGIS Server so that there would not be any problems. Configure Tomcat and ArcGIS Server app to use LDAP for basic authentication Requires adding the right lines to both Tomcat server.xml file within the root conf directory.  Here is a sample: <Realm className="org.apache.catalina.realm.JNDIRealm"         connectionURL = "ldap://localhost:389"         connectionName="cn=admin,dc=example,dc=com"         connectionPassword="connectionAdminPassword"         userPattern="cn={0},ou=users,dc=example,dc=com"         roleBase="ou=roles,dc=example,dc=com"         roleName="cn"         roleSearch="(uniqueMember={0})" /> </Realm> Also add the right lines to the Tomcat manager web app's web.xml file in the web service's directory, e.g., /usr/local/apache-tomcat-7.0.47/webapps/manager/WEB-INF  Here is a sample: <security-role-ref>         <role-name>admin</role-name>         <role-link>cn=admin,ou=roles,dc=example,dc=com</role-link>     </security-role-ref>     <security-role-ref>         <role-name>arcgisserver</role-name>         <role-link>cn=arcgisserver,ou=roles,dc=example,dc=com</role-link>     </security-role-ref>     <security-role-ref>         <role-name>users</role-name>         <role-link>cn=users,ou=roles,dc=example,dc=com</role-link>     </security-role-ref>     <security-constraint>         <display-name>Your Portal Name</display-name>         <web-resource-collection>                 <web-resource-name>Protected Area</web-resource-name>                 <url-pattern>/*</url-pattern>         </web-resource-collection>         <auth-constraint>                 <role-name>admin</role-name>                 <role-name>arcgisserver</role-name>                 <role-name>users</role-name>         </auth-constraint>     </security-constraint>     <login-config>         <auth-method>BASIC</auth-method>         <realm-name>Your Portal Name</realm-name>     </login-config>   <security-role>     <description>       The role that is required to access the admin pages     </description>     <role-name>admin</role-name>   </security-role>   <security-role>     <description>       The role that is required to access the internal pages     </description>     <role-name>arcgisserver</role-name>   </security-role>   <security-role>     <description>       The role that is for customer-accessed pages     </description>     <role-name>users</role-name>   </security-role> Note that text/tags within these XML configuration files that all tags are case-sensitive!  So make sure that they are used exactly like the example (Lesson-learned, I did not have one letter capitalized and the whole thing wouldn't work as a result). Restart Tomcat Install the ArcGIS Server Java  Web Adaptor on the Apache Tomcat server On AWS/Ubuntu I had to extract the arcgis.war file and then use theTomcat Web Application Manager user interface to deploy the arcgis web manager application (load the arcgis.war file). There is now an arcgis directory within the [TomcatHome]/webapps directory. Go to the [TomcatHome/webapps/arcgis/WEB-INF folder and add the following template (or something like it) to the bottom of the web.xml file: Now that the LDAP server is configured properly, change your Security configuration settings within ArcGIS Server Manager from ArcGIS Server's built-in store to one of the LDAP options (I decided to go all LDAP to simplify administration).  This helps some - http://resources.arcgis.com/en/help/main/10.2/index.html#/Securing_services_with_users_and_roles_from_an_LDAP_server/01540000050w000000/ Enter the following in the LDAP User Store screen: Host name IP Port (389 if you didn't change it) Base DN - an example is "dc=example,dc=com" (using the default LDAP namespace) The URL is populated based on settings above. RDN attribute: "cn" - the prefix of our user names Administrator's DN: "cn=UserWithAdminRoleName",ou=users,dc=example,dc=com" Password: Admin User's password Press the Test Connection button and make sure you get a happy result.  If not, something is wrong with one of the LDAP parameters above or something within the LDAP server (e.g., admin user not assigned to admin group). Press the Next button to go to the LDAP Role Store configuration Enter the Base DN of the groups store within LDAP, example: ou=roles,dc=example,dc=com The URL should be populated based on your entry above User Attribute in Role Entry: I used the attribute called "uniqueMember" Press the Next button to select the Authentication Tier - change from GIS Server Tier to Web Tier You are not done yet...but close.  The only way to configure the ArcGIS Server Web adaptor is to do it via a local server connection.  On a headless AWS ubuntu server this is accomplished via X-Windows on your remote client.  Here is an overview: http://resources.arcgis.com/en/help/main/10.2/index.html#//015500000679000000. For this you must do two things: In my case with a local WIndows7 environment, download and install Xming. Alter your terminal emulator settings (in my case, go to pUTTY, Connection, SSH, X11, and enable X11 forwarding). Re-login to your AWS ubuntu server. Run firefox within the terminal client and wait for it to pop up on your local machine within an Xwindow. Enter the address: http://localhost:XXXX/arcgis/webadaptor (the XXXX is the port number of Tomcat if necessary) Select ArcGIS for Server Next screen, enter: Enter GIS Server URL (for us it was http://localhost:6080) Enter ArcGIS Server Manager User Name and Password Optionally enable administrative access to the site via the Web Adaptor (I did). Click on the Configure button and hope for a green screen area result. Log in as ArcGIS Server Manager as the admin and check under Security that Users and Roles from LDAP are populated accordingly and ensure that Role Types are assigned properly.  Also check, under Site - Web Adaptor that it shows the an entry for your ArcGIS WebAdaptor. You should now be able to close the padlock on your service and then have a user name/password prompt precede access to all your services capabilities, not just the proprietary ones.  Sorry, this message has been a long one.  My main hope is that it was instructive but also illustrative of the complexity involved.  I originally thought "Basic authentication" would be easy that was definitely not the case. If you need anymore details about a particular section, we can continue the thread. My not-so-humble opinion is that for its cost, ArcGIS Server should be designed for complete solutions including OGC services.   A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed. An advanced GIS Practitioner should not require heavy linux/tomcat/etc implementation know-how.  Is there a GIS program out there that teaches all this?  I don't think so.  Luckily I have grown to know enough unix to make me dangerous, and i'm pretty good at googling.  So I managed to accomplish implementing "Basic" authentication with ArcGIS Server with only general guidelines but not without going through a share of turmoil.   Lastly, just in case you think I actually exist to bash ESRI, I generally like and appreciate ESRI desktop applications.  They are brilliant.  However I see two areas that need improvement for this and other cases:  complete support for OGC services (they are here to stay), and bringing up the level of support within the JAVA/linux server space compared to that provided to Microsoft environments. At the very least, I expected a white paper to address setting up web-tiered authentication rather than bupkis. Again, if you'd like any further help with accomplishing some or all of the above steps, then I am at your service. All the best, Pete ... View more

Hi Riyas, Thanks for the quick and helpful reply.  I was making the mistake (I guess) or thinking it could all be done on the server-side and not having to directly link a local directory reference with server directory reference prior to publishing.  I still would like to be able to change things on the server side should things change in that environment, e.g., adding a new disk and moving data to that disk without having to create links, etc.  There seems to be an unnecessary coupling between the local ArcGIS Desktop platform and the remote ArcGIS Server platform.  I understand that ArcMap is needed to create service components, but why is that umbilical have to be something permanently maintained? I would like to basically be able to, as a Server Manager: 1.) move file gdb to another disk:folder 2.) select a map service 3.) change the map service data source (i.e., make Service Workspace database property value/path editable). Seems like it should be a standard admin capability yes?  If not, why? Thanks again for being able to address my problem. All the best, Pete ... View more