Geoportal 10 LDAP/Active Directory setup

09-14-2010 05:28 PM
DennisGeasan
Occasional Contributor II
I'm trying to get the portal to authenticate via Active Directory.  I made the entries specified for Active Directory in the Portal Help section but I keep getting an error message from the portal web site login page that it cannot connect to the LDAP server.  I am able to connect to Active Directory using JXplore.  Although I'm not sure that it is quite right either.  It stops after 1000 items have been read to the schema.  In JXplore I raised the value to 10000 but it still stops at 1000.

So I'm guessing I don't have the parameters correctly defined to resolve to a distinguished name (DN).  Anyone else been down this path and have any recommendations?

Dennis Geasan
GIS Technologies
TomGiles
New Contributor
Thanks for your reply Dennis.

I've double checked that the user I am using to login is in fact a member of my 'geoportalAdmin' AD Group, which is configured properly in the gpt.xml file (a good suggestion to double check this to be sure).

In reference to: 'Can you see metadata in a search of your portal before you login?'

I haven't loaded anything into my geoportal yet. I am unsure how I would do this without being able to login as admin (perhaps there is a way, but I haven't investigated). Let me know if you know of a way to better test this with live data in the portal. When I search or browse through the portal before a login, I get zero returned results. It is unclear whether it needs auth. to return 0 results. Do you know?


What I can say, when I attempt a login with a fake user name, or a bad password, I get the error: "Your username or password was not valid, please try again...".

When I attempt to login with the correct user/pass I get the "A valid userid was not  auto-generate" error.

This leads me to believe that the system is 'passing' the AD login auth; although I could very well be mistaken.


Thanks again for yours and others continued support.

Cheers,
Tom
DennisGeasan
Occasional Contributor II
Something to test.   Change the password for the 'geoportal10' database user in the geoportal.xml file. (C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost)  Then try a search.  See if you get an error about connecting to the database.  If you do then the portal is connecting to the Geoportal database (Postgres for you) and your problem is confined to AD. 

Check this stuff.  Items enclosed by < > are values I can't display.  Your AD distinguished names will of course be different.

<users
    displayNameAttribute="sAMAccountName"
    passwordEncryptionAlgorithm="SHA"
    newUserDNPattern="cn={0},OU=<company>,DC=<domain>,DC=<company>,DC=com"
    usernameSearchPattern="(&amp;(objectclass=person)(sAMAccountName={0}))"
    searchDIT="OU=<company>,DC=<domain>,DC=<company>,DC=com">

    <requiredObjectClasses>
        <objectClass name="top"/>
        <objectClass name="person"/>
        <objectClass name="organizationalPerson"/>
        <objectClass name="inetOrgPerson"/>
    </requiredObjectClasses>
    <userAttributeMap>
        <attribute key="username"     ldapName="sAMAccountName"/>
        <attribute key="password"     ldapName="userPassword"/>
        <attribute key="email"        ldapName="mail"/>
        <attribute key="firstName"    ldapName="givenName"/>
        <attribute key="lastName"     ldapName="sn"/>
        <attribute key="organization" ldapName="o"/>
        <attribute key="affiliation"  ldapName="businessCategory"/>
        <attribute key="street"       ldapName="street"/>
        <attribute key="city"         ldapName="l"/>
        <attribute key="stateOrProv"  ldapName="st"/>
        <attribute key="postalCode"   ldapName="postalCode"/>
        <attribute key="country"      ldapName=""/>
        <attribute key="phone"        ldapName="telephoneNumber"/>
    </userAttributeMap>
</users>

<groups
    displayNameAttribute="cn"
    dynamicMemberOfGroupsAttribute=""
    dynamicMembersAttribute=""
    memberAttribute="member"
    memberSearchPattern="(&amp;(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))"
    searchDIT="OU=Groups,OU=<city>,OU=Corporate,OU=<company>,DC=<domain>,DC=<company>,DC=com">
</groups>
TomGiles
New Contributor
Dennis,

I have to thank you for including the sample code from your gpt.xml file. I had failed to change uniquemember to member in the groups tag section (both entries). After matching your settings I can now log in successfully and view the 'Administration' tab.

I still do not see a repositories tab as specified in the GeoportalServer_Installation.pdf file, but I am now able to successfully run through the first phase of the smoke test.

My AD connection therefore appears to be working, as I can also see other testUsers I added to the three gpt AD groups, when I view users from the "Document Owner" combo box under the Manage Resources Tab.

My work continues... Thanks again Dennis. I'll be sure to check back in here if I have other questions 😉 and to help others.

Cheers mate!
Tom

PS If you have any ideas about the repo tab please let me know!
PaulRichards
New Contributor
Hi Tom,
Seems it has been too late to open this thread again.  I've been trying to make my Geoportal server working via LDAP and not able to achieve it.  I've tried out all the possible links through sourceforge.net and esri to get this work but still not able to make it work.  I am attaching the gpt.xml file which I am using in my application (I've removed all unwanted sections apart from LDAP setting in order to reduce the file size to upload in this thread).  I've removed the CN,OU,SearchDIT pattern since I cannot reveal it here.  I've picked the actual DN name using JExplorer from where I am able to see the actual DIT structure.  For your additional note, I am able to successfully connect to LDAP using the same credentials which I am using in gpt.xml which tells me that Geoportal server is not able to communicate to this LDAP.

And further, I am using the same SearchDIT structure in other web applications and successfully able to validate the user through LDAP and give access.  When I found the log file there were no related info or SEVERE message as well.

Not sure, where is the actual problem???

Could you please guide me here and provide me some help...

Error Message which I am getting when logging in is: "Your username or password was not valid. Please try again..."

Has anyone ever come across this kind of issue? Your suggestions are most welcome...

Environment details:
1. Oracle 11g database
2. Apache Tomcat 6.0.32
3. JDK - 1.7.0_03

Thanks and Regards,
~Paul
CliveReece
Esri Contributor
Paul,
Did you check that the passwordEncryptionAlgorithm setting in gpt.xml corresponds to what your AD is using for passwords?
Here's my thinking:
The "username or password was not valid" error (with no LDAP errors in the log file) may actually indicate you are connecting to the LDAP, but that it is rejecting the username/password credentials as wrong. 
How could that happen if you are providing the right credentials?  One reason that would cause that is if the Geoportal Server is hashing your passwords using the wrong algorithm (for example, SHA instead of MD5).
Worth looking into it.  (also setting your log file reporting to FINEST while you are troubleshooting)
-C
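Clive's point above is that a hashing-algorithm mismatch is indistinguishable from a wrong password at the login page. The following is an added example, not Geoportal code: it models a userPassword value in the RFC 2307 "{SCHEME}base64(digest)" form (an assumption about how the stored value looks; Active Directory itself normally verifies passwords by bind rather than exposing a hash) and shows that the same secret checked under SHA fails against a value stored under MD5, while the scheme prefix tells you which side is misconfigured.

```python
"""Why a passwordEncryptionAlgorithm mismatch looks like a bad password.

Added example for this thread, not Geoportal code. The {SCHEME}base64(digest)
layout and the scheme names SHA and MD5 are assumptions taken from the gpt.xml
attribute discussed above.
"""
import base64
import hashlib
import hmac

# Map the algorithm names used in gpt.xml to hashlib constructors (assumed mapping).
_SCHEMES = {"SHA": hashlib.sha1, "MD5": hashlib.md5}


def encode_password(secret: str, scheme: str) -> str:
    """Produce a stored value such as '{SHA}<base64 digest>' for the given scheme."""
    scheme = scheme.upper()
    digest = _SCHEMES[scheme](secret.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def stored_scheme(stored: str) -> str:
    """Read the {SCHEME} prefix of a stored userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value carries no {SCHEME} prefix")
    return stored[1:stored.index("}")].upper()


def verify(secret: str, stored: str, configured_scheme: str) -> bool:
    """Emulate a client that hashes with its configured algorithm, then compares.

    Constant-time comparison so the check does not leak how many leading
    characters matched.
    """
    candidate = encode_password(secret, configured_scheme)
    return hmac.compare_digest(candidate, stored)


def explain_mismatch(secret: str, stored: str, configured_scheme: str) -> str:
    """Separate 'wrong algorithm' from 'wrong password' for troubleshooting."""
    if verify(secret, stored, configured_scheme):
        return "ok"
    actual = stored_scheme(stored)
    if actual != configured_scheme.upper():
        return "configured %s but directory stores %s" % (configured_scheme.upper(), actual)
    return "wrong password"


if __name__ == "__main__":
    # Constructed sample: directory entry hashed with MD5, gpt.xml set to SHA.
    stored_value = encode_password("correct-horse", "MD5")
    print(verify("correct-horse", stored_value, "SHA"))        # False
    print(explain_mismatch("correct-horse", stored_value, "SHA"))
    print(verify("correct-horse", stored_value, "MD5"))        # True
```

The scheme prefix is the quickest thing to compare against the gpt.xml value; when it matches and verification still fails, the credentials themselves are the problem, which is the case where raising the log level to FINEST helps.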
DouglasOlcott
New Contributor
Does anyone have an example of how to set up a connection to multiple domains at an organization in AD?

The advice at https://github.com/ESRI/geoportal-server/wiki/Connecting-to-a-User-Directory does not seem to address this requirement. There is only one providerURL provided in the <ldapConnectionProperties> in the default gpt.xml.  Can the <ldapConnectionProperties> be replicated within this file for multiple domains or do you have to create a separate gpt.xml for each domain?
DennisGeasan
Occasional Contributor II
I'm thinking that would be something you do within Active Directory.  AD worries about establishing trust between different domains.  Once established you need only work with the user names for each domain.  DG
DouglasOlcott
New Contributor
Dennis,
It looks like our AD people can solve the multiple domain issue.  Another question I/they have concerns the ldapServiceAccount, requiring naming a securityPrincipal and providing a password for its securityCredentials. Can this be any AD user we have set up, or should it be a separate account, and what permissions does it require to service the AD?
DennisGeasan
Occasional Contributor II
I recommend you define a dedicated Active Directory (AD) account, one where the password does not time out.  Otherwise you will have to edit the "D:\ProgramFiles\Apache Software Foundation\Tomcat7.0\webapps\geoportal\WEB-INF\classes\gpt\config\gpt.xml" file after the password timeout period.  Read-only access to AD is all that is required.  You can't administer AD from the Geoportal admin section.  The only purpose of this account is to connect to the AD database for user authentication.

To ID the user who can administer Geoportal, assign any AD user to the <ldapServiceAccount> parameter "catalogAdminDN". The value here has to be the full user name as defined in AD.  It will look something like this:
(Values between <> indicate values I can't provide. The string representing a user name will most likely be different.  Each 'OU' value represents an organization unit.  The whole string appears to define a user's location in the company AD hierarchy. )


<ldapServiceAccount
    securityPrincipal="<USERID>"
    securityCredentials="<PASSWORD>"
    encrypted="false"
    catalogAdminDN="CN=<AD USER NAME>,OU=Users,OU=California,OU=North America,OU=<COMPANY NAME>,DC=<DOMAIN>,DC=<COMPANY>,DC=com"/>


DG
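Two posts in this thread carry configuration that is easy to get subtly wrong: Dennis's <users>/<groups> block earlier (where Tom's fix was changing uniquemember to member, and where the {0} placeholder is filled with whatever the login form sends) and the <ldapServiceAccount> block just above (a read-only service account whose password sits in gpt.xml with encrypted="false"). The script below is an added example, not Geoportal project code. It parses a constructed gpt.xml fragment shaped like those two posts, reports the settings a reviewer would question before blaming the directory, and shows RFC 4515 escaping of the username before it is substituted into usernameSearchPattern. The <ldapAdapter> wrapper element and all DNs in the sample are assumptions made for the example.

```python
"""Offline sanity checks for the Geoportal gpt.xml LDAP settings discussed in this thread.

Added example, not Geoportal code. Parses a constructed fragment shaped like the
<users>, <groups> and <ldapServiceAccount> elements posted above, flags the
mistakes the thread turned up, and escapes the value that goes into {0}.
"""
import xml.etree.ElementTree as ET

# Constructed sample. The <ldapAdapter> wrapper and every DN here are assumptions;
# the attribute names are the ones from the posts above.
SAMPLE_GPT_XML = """<ldapAdapter>
  <ldapServiceAccount
      securityPrincipal="svc-geoportal"
      securityCredentials="plaintext-secret"
      encrypted="false"
      catalogAdminDN="CN=Geoportal Admin,OU=Users,OU=Example,DC=example,DC=com"/>
  <users
      displayNameAttribute="sAMAccountName"
      passwordEncryptionAlgorithm="SHA"
      usernameSearchPattern="(&amp;(objectclass=person)(sAMAccountName={0}))"
      searchDIT="OU=Example,DC=example,DC=com">
  </users>
  <groups
      displayNameAttribute="cn"
      memberAttribute="uniqueMember"
      memberSearchPattern="(&amp;(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))"
      searchDIT="OU=Groups,OU=Example,DC=example,DC=com">
  </groups>
</ldapAdapter>
"""

# RFC 4515 escapes for characters that would otherwise change a search filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(pattern: str, value: str) -> str:
    """Fill the {0} placeholder the way a safe adapter should: escaped, never raw."""
    return pattern.replace("{0}", ldap_filter_escape(value))


def check_config(xml_text: str) -> list:
    """Return human-readable findings for the LDAP section of a gpt.xml fragment."""
    root = ET.fromstring(xml_text)
    findings = []

    svc = root.find("ldapServiceAccount")
    if svc is not None:
        if svc.get("encrypted", "false").lower() == "false" and svc.get("securityCredentials"):
            findings.append("service account password is stored unencrypted in gpt.xml; "
                            "restrict file permissions and use a dedicated read-only account")
        if not svc.get("catalogAdminDN", "").upper().startswith("CN="):
            findings.append("catalogAdminDN must be the user's full AD distinguished name (CN=...)")

    users = root.find("users")
    if users is not None:
        if "{0}" not in users.get("usernameSearchPattern", ""):
            findings.append("usernameSearchPattern has no {0} placeholder")
        if not users.get("searchDIT"):
            findings.append("users searchDIT is empty")

    groups = root.find("groups")
    if groups is not None:
        if groups.get("memberAttribute", "").lower() != "member":
            findings.append("Active Directory group membership attribute is 'member', not %r"
                            % groups.get("memberAttribute"))
        if "{0}" not in groups.get("memberSearchPattern", ""):
            findings.append("memberSearchPattern has no {0} placeholder")

    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_GPT_XML):
        print("-", line)
    pattern = ET.fromstring(SAMPLE_GPT_XML).find("users").get("usernameSearchPattern")
    print(build_filter(pattern, "tom*"))
```

On the sample the checker reports exactly the two things the thread discusses: the unencrypted service-account password and a uniqueMember attribute where AD expects member. The escaping helper is the piece worth keeping regardless of directory product: anything that reaches {0} from a login form should pass through it, so a wildcard or parenthesis in the username is matched as text rather than rewriting the filter.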
DennisGeasan
Occasional Contributor II
Something to test.   Change the password for the 'geoportal10' database user in the geoportal.xml file. (C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost)


I see, after many years, that I described the wrong location.  It is this file:

"D:\ProgramFiles\Apache Software Foundation\Tomcat7.0\webapps\geoportal\WEB-INF\classes\gpt\config\gpt.xml"

Sorry to have misled anyone.

DG