topic Re: Geoportal 10 LDAP/Active Directory setup in Esri Geoportal Server Questions

Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Wed, 15 Sep 2010 00:28:36 GMT

I'm trying to get the portal to authenticate via Active Directory. I made the entries specified for Active Directory in the Portal Help section but I keep getting an error message from the portal web site login page that it cannot connect to the LDAP server. I am able to connect to Active Directory using JXplore. Although I'm not sure that it is quite right either. It stops after 1000 items have been read to the schema. In JXplore I raised the value to 10000 but it still stops at 1000.

So I'm guessing I don't have the parameters correctly defined to resolve to a distinguised name (DN). Anyone else been down this path and have any recommendations?

Dennis Geasan
GIS Technologies

Re: Geoportal 10 LDAP/Active Directory setup

CliveReece — Fri, 01 Oct 2010 13:09:54 GMT

Dennis,
My experience has been every time I've had problems in the past with AD-LDAP configuration, it could be traced to a typo somewhere. I would suggest you review the configuration and troubleshooting sections of http://help.arcgis.com/en/geoportal_extension/10.0/help/00t0/00t00000000z000000.htm again. Then if you're still having problems, contact esri tech support.
Clive

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Wed, 13 Oct 2010 02:45:35 GMT

The problem was defining the search DIT for matching the portal roles to Active Directory Groups. I'm working with a large corporation that has a large Active Directory. Well over a few thousand items between users, groups, and organization units. The login process was timing out because there were more than 1000 items in the search path for the AD groups. Once I restricted the search for groups to a specific branch of the AD hierarchy that had only a few entries I was able to log in. Another sympton was that the login took over 2 minutes before getting a failure message.

I've submitted an enhancement request to esri to improve the documentation on using AD with the portal. Right now it is really weak. The link you posted is a start but doesn't help a lot if you are new to AD.

Thanks for the reply Clive. Are you the Clive I recently met at a client site in Toronto?

Dennis Geasan
GIS Technologies

Re: Geoportal 10 LDAP/Active Directory setup

CliveReece — Thu, 28 Oct 2010 12:35:44 GMT

Hi Dennis. Glad to hear you got it working. - Clive

Re: Geoportal 10 LDAP/Active Directory setup

RachelNoon — Mon, 29 Nov 2010 20:45:36 GMT

" The problem was defining the search DIT for matching the portal roles to Active Directory Groups. I'm working with a large corporation that has a large Active Directory. Well over a few thousand items between users, groups, and organization units. The login process was timing out because there were more than 1000 items in the search path for the AD groups. Once I restricted the search for groups to a specific branch of the AD hierarchy that had only a few entries I was able to log in. Another sympton was that the login took over 2 minutes before getting a failure message.

I've submitted an enhancement request to esri to improve the documentation on using AD with the portal. Right now it is really weak. The link you posted is a start but doesn't help a lot if you are new to AD. Dennis Geasan
"

Dennis:
I agree with your comment on documentation insufficiency. I don't have JXplorer or something similar. Not allowed to add Groups or Userids. Don't have any idea how this is supposed to verify a user against Active Directory, how it asks for or passes a password, how it lets me know if the user's group is admin or publisher. Can you tell me how you defined your groups and DIT search, and how you restricted the groups? Is a wildcard allowed? My security group is looking at me very suspiciously... (BTW, I have 9.3.1 if that makes a difference)

Thank you all. This forum is great!
Rachel Noon

Re: Geoportal 10 LDAP/Active Directory setup

JosephWallis — Mon, 07 Feb 2011 19:49:47 GMT

Does anyone have a live, working gpt.xml working with Active Directory they could share with me, sans passwords? I have followed the instructions for adjusting the search strings for active directory yet i still can't connect.

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Tue, 08 Feb 2011 01:03:40 GMT

I've been negligent in replying. Here is an example that works minus information that indicates the company. I can't provide that. In italics are the parts you would replace. The entries for securityPrincipal and catalogAdminDN are an Active Directory (AD) "Distinguished Name" which you have to get from something that lets you browse the Active Directory database. Check out Active Directory Explorer from Sysinternals (www.sysinternals.com). I believe I got that from the Microsoft download site but the Help/About section of the app indicates the Sysinternals web site.

An AD "Distinguished Name" for an AD group also has to be assigned to the three roles. Be sure to use AD groups that are fairly small. If there are greater than 1000 members to a group the portal breaks on a user login and it takes close to 2 minutes to complete the login. I think this is set in the source code.

<ldapConnectionProperties
              providerURL="ldap://<a URL to the LDAP server>:389"
              initialContextFactoryName="com.sun.jndi.ldap.LdapCtxFactory"
              securityAuthentication="simple"
              securityProtocol="">
              <ldapServiceAccount
         securityPrincipal="CN=Geasan\, Dennis (GIS Technologies),OU=Users,OU=Anchorage Alaska,OU=North America,OU=<the company name>,DC=<domain name>,DC=<company>,DC=com"
                  securityCredentials="<securityPrincipal password goes here>"
                  encrypted="false"
                  catalogAdminDN="CN=Geasan\, Dennis (GIS Technologies),OU=Users,OU=Anchorage Alaska,OU=North America,OU=<the company name>,DC=<domain name>,DC=<company>,DC=com"/>
          </ldapConnectionProperties>

Re: Geoportal 10 LDAP/Active Directory setup

JosephWallis — Tue, 08 Feb 2011 11:31:21 GMT

thank you this is helpful

Re: Geoportal 10 LDAP/Active Directory setup

TomGiles — Tue, 08 Feb 2011 13:40:11 GMT

Hi all,

I've been following your conversation, very helpful. I may have posted my issue here, instead I used a new thread: http://forums.arcgis.com/threads/22981-Geoportal-Login-Fails-on-Connection-to-Postgresql

My issue is a little different, but I hope now to draw on your experiences with geoportal, as I realize now these issues are very similar (login to geoportal, generally).

If you read the thread above, you'll see my login connects to ldap and the postgres db, but then receives an error message from postgresql (I think) reporting: "a valid userid was not auto-generated..."

Have anyone encountered this before?
Thanks again.
Tom

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Tue, 08 Feb 2011 15:56:09 GMT

Check the definition of the Geoportal roles in your gpt.xml file. If the portal cannot find a user ID in one of the roles (AD Groups) it will complain. The portal authenticates with AD to establish a users ability to edit metadata and/or manage a profile. Can you see metadata in a search of your portal before you login? If so then your connection problem is with AD.

I also posted this to your thread.
http://forums.arcgis.com/threads/22981-Geoportal-Login-Fails-on-Connection-to-Postgresql

Dennis Geasan
GIS Technologies

Re: Geoportal 10 LDAP/Active Directory setup

TomGiles — Tue, 08 Feb 2011 17:04:47 GMT

Thanks for your reply Dennis.

I've double checked that the user I am using to login is in fact a member of my 'geoportalAdmin' AD Group, which is configured properly in the gpt.xml file (a good suggestion to double check this to be sure).

In reference to: 'Can you see metadata in a search of your portal before you login?'

I haven't loaded anything into my geoportal yet. I am unsure how I would do this without being able to login as admin (perhaps there is a way, but I haven't investigated). Let me know if you know of a way to better test this with live data in the portal. When I search or browse through the portal before a login, I get zero returned results. It is unclear whether it needs auth. to return 0 results. Do you know?

What I can say, when I attempt a login with a fake user name, or a bad password, I get the error: "Your username or password was not valid, please try again...".

When I attempt to login with the correct user/pass I get the "A valid userid was not auto-generate" error.

This leads me to believe that the system is 'passing' the AD login auth; although I could very well be mistaken.

Thanks again for yours and others continued support.

Cheers,
Tom

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Tue, 08 Feb 2011 18:23:31 GMT

Something to test.   Change the password for the 'geoportal10' database user in the geoportal.xml file. (C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost) Then try a search. See if you get an error about connecting to the database. If you do then the portal is connecting to the Geoportal database (Postgress for you) and your problem is confined to AD.

Check this stuff. Items enclosed by < > are values I can't display. You AD distinguished names will of course be different.

<users
              displayNameAttribute="sAMAccountName"
              passwordEncryptionAlgorithm="SHA"
              newUserDNPattern="cn={0},OU=<company>,DC=<domain>,DC=<company>,DC=com"
              usernameSearchPattern="(&(objectclass=person)(sAMAccountName={0}))"
     searchDIT="OU=<company>,DC=<domain>,DC=<company>,DC=com">

              <requiredObjectClasses>
                  <objectClass name="top"/>
                  <objectClass name="person"/>
                  <objectClass name="organizationalPerson"/>
                  <objectClass name="inetOrgPerson"/>
              </requiredObjectClasses>
              <userAttributeMap>
                  <attribute key="username"     ldapName="sAMAccountName"/>
                  <attribute key="password"     ldapName="userPassword"/>
                  <attribute key="email"        ldapName="mail"/>
                  <attribute key="firstName"    ldapName="givenName"/>
                  <attribute key="lastName"     ldapName="sn"/>
                  <attribute key="organization" ldapName="o"/>
                  <attribute key="affiliation" ldapName="businessCategory"/>
                  <attribute key="street"       ldapName="street"/>
                  <attribute key="city"         ldapName="l"/>
                  <attribute key="stateOrProv" ldapName="st"/>
                  <attribute key="postalCode"   ldapName="postalCode"/>
                  <attribute key="country"      ldapName=""/>
                  <attribute key="phone"        ldapName="telephoneNumber"/>
              </userAttributeMap>
          </users>

          <groups
              displayNameAttribute="cn"
              dynamicMemberOfGroupsAttribute=""
              dynamicMembersAttribute=""
              memberAttribute="member"
              memberSearchPattern="(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))"
              searchDIT="OU=Groups,OU=<city>,OU=Corporate,OU=<company>,DC=<domain>,DC=<company>,DC=com">
          </groups>

Re: Geoportal 10 LDAP/Active Directory setup

TomGiles — Tue, 08 Feb 2011 20:04:56 GMT

Dennis,

I have to thankyou for including the sample code from your gpt.xml file. I had failed to change uniquemember to member in the groups tag section (both entries). After matching your settings I can now log in succesfully and view the 'Adminstration' tab.

I still do not see a repositories tab as specified in the GeoportalServer_Installation.pdf file, but I am now able to successfully run through the first phase of the smoke test.

My AD connection therefore appears to be working, as I can also see other testUsers I added to the three gpt AD groups, when I view users from the "Document Owner" combo box under the Manage Resources Tab.

My work continues... Thanks again Dennis. I'll be sure to check back in here if I have other questions 😉 and to help others.

Cheers mate!
Tom

PS If you have any ideas about the repo tab please let me know!

Re: Geoportal 10 LDAP/Active Directory setup

PaulRichards — Mon, 25 Mar 2013 07:07:20 GMT

Hi Tom,
Seems it has been too late to open this thread again. I've been trying to make my Geoportal server working via LDAP and not able to achieve it. I've tried out all the possible links through sourceforge.net and esri to get this work but still not able to make it work. I am attaching the gpt.xml file which I am using in my application (I've removed all unwanted sections apart from LDAP setting in order to reduce the file size to upload in this thread). I've removed the CN,OU,SearchDIT pattern since I cannot reveal it here. I've picked the actual DN name using JExplorer from where I am able to see the actual DIT structure. For your additional note, I am able to successfully connect to LDAP using the same credentials which I am using in gpt.xml which tells me that Geoportal server is not able to communicate to this LDAP.

And further, I am using the same SearchDIT structure in other web applications and successfully able to validate the user through LDAP and give access. When I found the log file there were no related info or SEVERE message as well.

Not sure, where is the actual problem???

Could you please guide me here and provide me some help...

Error Message which I am getting when logging in is: "Your username or password was not valid. Please try again..."

Is anyone has ever come across this kind of issue; your suggestions are most welcome...

Environment details:
1. Oracle 11g database
2. Apache tomcate 6.0.32
3. JDK - 1.7.0_03

Thanks and Regards,
~Paul

Re: Geoportal 10 LDAP/Active Directory setup

CliveReece — Mon, 25 Mar 2013 12:12:31 GMT

Paul,
Did you check that the passwordEncryptionAlgorithm setting in gpt.xml corresponds to what your AD is using for passwords?
Here's my thinking:
The "username or password was not valid" error (with no LDAP errors in the log file) may actually indicate you are connecting to the LDAP, but that it is rejecting the username/password credentials as wrong.
How could that happen if you are providing the right credentials? One reason that would cause that is if the Geoportal Server is hashing your passwords using the wrong algorithm (for example, SHA instead of MD5).
Worth looking into it. (also setting your log file reporting to FINEST while you are troubleshooting)
-C

Re: Geoportal 10 LDAP/Active Directory setup

DouglasOlcott — Thu, 27 Mar 2014 20:19:22 GMT

Does anyone have an example of how to set up a connection to multiple domains at an organization in AD?

The advice at https://github.com/ESRI/geoportal-server/wiki/Connecting-to-a-User-Directory does not seem to address this requirement. There is only one providerURL provided in the <ldapConnectionProperties> in the default gpt.xml. Can the <ldapConnectionProperties> be replicated within this file for multiple domains or do you have to create a separate gpt.xml for each domain?

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Thu, 27 Mar 2014 21:46:39 GMT

I'm thinking that would be something you do within Active Directory. AD worries about establishing trust between different domains. Once established you need only work with the user names for each domain. DG

Re: Geoportal 10 LDAP/Active Directory setup

DouglasOlcott — Wed, 09 Apr 2014 15:21:22 GMT

Dennis,
It looks like our AD people can solve the multiple domain issue. Another question I/they have concerns the ldapServiceAccount, requiring naming a securityPrincipal and providing a password for the its securityCredentials. Can this be any AD user we have set up, or should it be a separate account, and what permissions does it require to service the AD?

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Sat, 11 Dec 2021 08:54:57 GMT

I recommend you define a dedicated Active Directory (AD) account, one where the password does not time out. Otherwise you will have to edit the "D:\ProgramFiles\Apache Software Foundation\Tomcat7.0\webapps\geoportal\WEB-INF\classes\gpt\config\gpt.xml" file after the password timeout period. Read-only access to AD is all that is required. You can't administer AD from the Geoportal admin section. The only purpose of this account is to connect to the AD database for user authentication.

To ID the user who can administer Geoportal, assign any AD user to the <ldapServiceAccount> parameter "catalogAdminDN". The value here has to be the full user name as defined in AD. It will look something like this:
(Values between <> indicate values I can't provide. The string representing a user name will most likely be different. Each 'OU' value represents an organization unit. The whole string appears to define a users location in the company AD hierarchy. )

<ldapServiceAccount
    securityPrincipal="<USERID>"
    securityCredentials="<PASSWORD>"
    encrypted="false"
    catalogAdminDN="CN=<AD USER NAME>,OU=Users,OU=California,OU=North America,OU=<COMPANY NAME>,DC=<DOMAIN>,DC=<COMPANY>,DC=com"/>/>

Re: Geoportal 10 LDAP/Active Directory setup

DennisGeasan — Wed, 09 Apr 2014 16:41:00 GMT

Something to test. Change the password for the 'geoportal10' database user in the geoportal.xml file. (C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost)

I see, after many years, that I described the wrong location. It is this file:

"D:\ProgramFiles\Apache Software Foundation\Tomcat7.0\webapps\geoportal\WEB-INF\classes\gpt\config\gpt.xml"

Sorry to have misled anyone.

DG