Geoportal 10 LDAP/Active Directory setup

09-14-2010 05:28 PM
DennisGeasan
Occasional Contributor II
I'm trying to get the portal to authenticate via Active Directory. I made the entries specified for Active Directory in the Portal Help section but I keep getting an error message from the portal web site login page that it cannot connect to the LDAP server. I am able to connect to Active Directory using JXplorer. Although I'm not sure that it is quite right either. It stops after 1000 items have been read to the schema. In JXplorer I raised the value to 10000 but it still stops at 1000.

So I'm guessing I don't have the parameters correctly defined to resolve to a distinguished name (DN). Anyone else been down this path and have any recommendations?

Dennis Geasan
GIS Technologies
CliveReece
Esri Contributor
Dennis,
My experience has been every time I've had problems in the past with AD-LDAP configuration, it could be traced to a typo somewhere.  I would suggest you review the configuration and troubleshooting sections of http://help.arcgis.com/en/geoportal_extension/10.0/help/00t0/00t00000000z000000.htm again.  Then if you're still having problems, contact esri tech support.
Clive
DennisGeasan
Occasional Contributor II
The problem was defining the search DIT for matching the portal roles to Active Directory Groups. I'm working with a large corporation that has a large Active Directory. Well over a few thousand items between users, groups, and organization units. The login process was timing out because there were more than 1000 items in the search path for the AD groups. Once I restricted the search for groups to a specific branch of the AD hierarchy that had only a few entries I was able to log in. Another symptom was that the login took over 2 minutes before getting a failure message.

I've submitted an enhancement request to esri to improve the documentation on using AD with the portal. Right now it is really weak.  The link you posted is a start but doesn't help a lot if you are new to AD.

Thanks for the reply Clive.  Are you the Clive I recently met at a client site in Toronto?

Dennis Geasan
GIS Technologies
CliveReece
Esri Contributor
Hi Dennis.  Glad to hear you got it working.  - Clive
RachelNoon
New Contributor
"The problem was defining the search DIT for matching the portal roles to Active Directory Groups. I'm working with a large corporation that has a large Active Directory. Well over a few thousand items between users, groups, and organization units. The login process was timing out because there were more than 1000 items in the search path for the AD groups. Once I restricted the search for groups to a specific branch of the AD hierarchy that had only a few entries I was able to log in. Another symptom was that the login took over 2 minutes before getting a failure message.

I've submitted an enhancement request to esri to improve the documentation on using AD with the portal. Right now it is really weak. The link you posted is a start but doesn't help a lot if you are new to AD. Dennis Geasan"

Dennis:
I agree with your comment on documentation insufficiency. I don't have JXplorer or something similar. Not allowed to add Groups or Userids. Don't have any idea how this is supposed to verify a user against Active Directory, how it asks for or passes a password, how it lets me know if the user's group is admin or publisher. Can you tell me how you defined your groups and DIT search, and how you restricted the groups? Is a wildcard allowed? My security group is looking at me very suspiciously... (BTW, I have 9.3.1 if that makes a difference)

Thank you all. This forum is great!
Rachel Noon
JosephWallis
New Contributor II
Does anyone have a live, working gpt.xml working with Active Directory they could share with me, sans passwords? I have followed the instructions for adjusting the search strings for Active Directory yet I still can't connect.
DennisGeasan
Occasional Contributor II
I've been negligent in replying.  Here is an example that works minus information that indicates the company.  I can't provide that.  In italics are the parts you would replace.  The entries for securityPrincipal and catalogAdminDN are an Active Directory (AD) "Distinguished Name" which you have to get from something that lets you browse the Active Directory database.  Check out Active Directory Explorer from Sysinternals (www.sysinternals.com).  I believe I got that from the Microsoft download site but the Help/About section of the app indicates the Sysinternals web site.

An AD "Distinguished Name" for an AD group also has to be assigned to the three roles.  Be sure to use AD groups that are fairly small.  If there are greater than 1000 members to a group the portal breaks on a user login and it takes close to 2 minutes to complete the login.  I think this is set in the source code.

<ldapConnectionProperties
    providerURL="ldap://<a URL to the LDAP server>:389"
    initialContextFactoryName="com.sun.jndi.ldap.LdapCtxFactory"
    securityAuthentication="simple"
    securityProtocol="">
  <ldapServiceAccount
      securityPrincipal="CN=Geasan\, Dennis (GIS Technologies),OU=Users,OU=Anchorage Alaska,OU=North America,OU=<the company name>,DC=<domain name>,DC=<company>,DC=com"
      securityCredentials="<securityPrincipal password goes here>"
      encrypted="false"
      catalogAdminDN="CN=Geasan\, Dennis (GIS Technologies),OU=Users,OU=Anchorage Alaska,OU=North America,OU=<the company name>,DC=<domain name>,DC=<company>,DC=com"/>
</ldapConnectionProperties>
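An added example, not from the thread or from the Geoportal project: a small linter for the ldapConnectionProperties block of gpt.xml that catches the two things a reviewer would flag in the fragment above (a simple bind over plain ldap:// on port 389 sends the service-account password in cleartext, and encrypted="false" leaves it in cleartext on disk) and checks that each DN splits cleanly on unescaped commas, the usual source of the "typo" Clive mentions. The sample config, host, DNs and password are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample shaped like the fragment posted in the thread; host, DNs and password are placeholders.
SAMPLE_GPT_XML = r"""<gptConfig>
  <ldapConnectionProperties providerURL="ldap://ad.example.invalid:389"
      initialContextFactoryName="com.sun.jndi.ldap.LdapCtxFactory"
      securityAuthentication="simple" securityProtocol="">
    <ldapServiceAccount
        securityPrincipal="CN=Geasan\, Dennis (GIS Technologies),OU=Users,OU=Anchorage Alaska,DC=example,DC=com"
        securityCredentials="placeholder-password" encrypted="false"
        catalogAdminDN="CN=Geasan\, Dennis (GIS Technologies),OU=Users,OU=Anchorage Alaska,DC=example,DC=com"/>
  </ldapConnectionProperties>
</gptConfig>"""

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def dn_problems(dn):
    """Describe malformed RDNs (e.g. an unescaped comma in a CN) or a missing DC= suffix."""
    parts = split_dn(dn)
    problems = ["malformed RDN %r" % r for r in parts
                if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.+", r)]
    if not any(r.upper().startswith("DC=") for r in parts):
        problems.append("no DC= component; AD DNs end in the domain components")
    return problems

def lint_ldap_config(xml_text):
    """Return sorted finding codes for the ldapConnectionProperties block of gpt.xml."""
    root = ET.fromstring(xml_text)
    conn = root if root.tag == "ldapConnectionProperties" else root.find(".//ldapConnectionProperties")
    acct = conn.find("ldapServiceAccount")
    findings = set()
    url = urlparse(conn.get("providerURL", ""))
    # A simple bind sends the service-account password as-is; unless the URL is ldaps://
    # or securityProtocol="ssl" (the JNDI value), it crosses the network in cleartext.
    if (conn.get("securityAuthentication") == "simple" and url.scheme != "ldaps"
            and conn.get("securityProtocol", "").lower() != "ssl"):
        findings.add("cleartext-simple-bind")
    # encrypted="false" means the password sits in gpt.xml in the clear.
    if acct.get("encrypted", "false").lower() == "false":
        findings.add("plaintext-credentials-in-gpt.xml")
    for attr in ("securityPrincipal", "catalogAdminDN"):
        if dn_problems(acct.get(attr, "")):
            findings.add("bad-dn:" + attr)
    return sorted(findings)
```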
JosephWallis
New Contributor II
Thank you, this is helpful.
TomGiles
New Contributor
Hi all,

I've been following your conversation, very helpful. I may have posted my issue here, instead I used a new thread: http://forums.arcgis.com/threads/22981-Geoportal-Login-Fails-on-Connection-to-Postgresql

My issue is a little different, but I hope now to draw on your experiences with geoportal, as I realize now these issues are very similar (login to geoportal, generally).

If you read the thread above, you'll see my login connects to ldap and the postgres db, but then receives an error message from postgresql (I think) reporting: "a valid userid was not auto-generated..."

Has anyone encountered this before?
Thanks again.
Tom
DennisGeasan
Occasional Contributor II
Check the definition of the Geoportal roles in your gpt.xml file. If the portal cannot find a user ID in one of the roles (AD Groups) it will complain. The portal authenticates with AD to establish a user's ability to edit metadata and/or manage a profile. Can you see metadata in a search of your portal before you login? If so then your connection problem is with AD.

I also posted this to your thread.
http://forums.arcgis.com/threads/22981-Geoportal-Login-Fails-on-Connection-to-Postgresql

Dennis Geasan
GIS Technologies