Securing services with users and roles from an LDAP server

ArcGIS Server can leverage user and role information stored in an LDAP server such as Apache Directory Server or Microsoft Active Directory. ArcGIS Server treats the LDAP server as a read-only source of user/role information, and thus, you cannot use ArcGIS Server Manager to add or delete users and roles or edit their attributes.

ArcGIS web services can be secured with users and roles from an LDAP server by following these steps:

  1. Configure security settings.
  2. Review users and roles.
  3. Set permissions for services.

Configuring security settings

Follow the steps below to configure security using Manager:

Steps:
  1. Open Manager and log in as the primary site administrator or a user with administrative access. If you need help with this step, see Logging in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option, then click Next.
  5. On the Enterprise Store Type page, choose the LDAP option and click Next.
  6. On the next page, you will need to enter the parameters to connect to the LDAP server. Click Test Connection to create a test connection to the LDAP server. If the connection attempt is successful, click Next. The table below describes the parameters on this page:

    Host Name
      Description: Name of the host machine on which the LDAP server is running.
      Example: myservername

    Port
      Description: Port number on the host machine where the LDAP server is listening for incoming connections. If the LDAP server supports secure connections (ldaps), ArcGIS Server will automatically switch to the ldaps protocol. If the port specified is 10389, ArcGIS Server will make a secure connection to port 10636. If the port specified is 389, ArcGIS Server will make a secure connection to port 636.
      Examples: 10389; 389

    Base DN
      Description: The distinguished name (DN) of the node in the directory server under which user information is maintained.
      Example: ou=users,ou=arcgis,dc=mydomain,dc=com

    URL
      Description: The LDAP URL that will be used to connect to the LDAP server (this is automatically generated). Edit this URL if it is incorrect or requires changes. If your LDAP server does not use the standard 636 port for secure connections, you should specify the custom port number here.
      Examples:
        ldap://myservername:389/ou=users,ou=arcgis,dc=mydomain,dc=com
        ldap://myservername:10389/ou=users,ou=arcgis,dc=mydomain,dc=com
        ldaps://myservername:10300/ou=users,ou=arcgis,dc=mydomain,dc=com

    RDN attribute
      Description: The relative distinguished name (RDN) attribute for user entries in the LDAP server.
      Examples: For the DN "cn=john,ou=users,ou=arcgis,dc=mydomain,dc=com" the RDN is "cn=john" and the RDN attribute is cn. For the DN "uid=john,ou=users,ou=arcgis,dc=mydomain,dc=com" the RDN is "uid=john" and the RDN attribute is uid.

    Administrator's DN
      Description: The DN of an LDAP administrator account that has access to the node containing user information.
      Example: uid=admin,ou=administrators,dc=mydomain,dc=com

    Password
      Description: The administrator's password.
      Example: adminpassword

  7. On the next page, enter the parameters to retrieve roles from the LDAP server. The table below describes the parameters in detail:

    Base DN
      Description: The DN of the node in the directory server under which role information is maintained.
      Example: ou=roles,ou=arcgis,dc=mydomain,dc=com

    URL
      Description: The LDAP URL that will be used to connect to the server (this is automatically generated). Edit this URL if it is incorrect or requires changes.
      Example: ldap://myservername:10389/ou=roles,ou=arcgis,dc=mydomain,dc=com

    User Attribute in Role Entry
      Description: The name of the attribute in the role entry that contains the DN of users that are members of this role.
      Examples: In Apache Directory Server, the attribute name most commonly used is uniqueMember. In Microsoft Active Directory, the attribute name most commonly used is member.

  8. After entering the parameters, click Next.
  9. On the Authentication Tier page, choose where you want authentication to be done, then click Next. For more information about this option, see Configuring ArcGIS Server security.
  10. Review the summary of your selections. Click Back to make changes or Finish to apply and save the security configuration.
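The following helpers are an added example (not ArcGIS Server or Esri code) that mirror the connection settings above: the ldap-to-ldaps port switch for 389 and 10389, the generated URL shape, deriving the RDN attribute from a user DN, checking that a user entry sits under the configured Base DN, and reading role membership from the uniqueMember or member attribute. Host names and DNs used when calling them are constructed sample values, and a role entry is modelled as a plain dict of attribute lists.

```python
# Added example, not ArcGIS Server code: helpers mirroring the LDAP settings described above.

# Plain-text port -> ldaps port, as the page says ArcGIS Server maps them.
SECURE_PORT_MAP = {389: 636, 10389: 10636}

def build_ldap_url(host, port, base_dn):
    """Compose the URL Manager generates: <scheme>://<host>:<port>/<base DN>.
    A port with a known ldaps counterpart is switched to ldaps; any other
    port stays ldap and must be edited by hand if a custom secure port is used."""
    if port in SECURE_PORT_MAP:
        return f"ldaps://{host}:{SECURE_PORT_MAP[port]}/{base_dn}"
    return f"ldap://{host}:{port}/{base_dn}"

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            parts.append(buf.strip())
            buf = ""
            i += 1
        else:
            buf += dn[i]
            i += 1
    return parts + [buf.strip()]

def rdn_attribute(dn):
    """(RDN, RDN attribute) for a user DN: 'cn=john,ou=users,...' -> ('cn=john', 'cn')."""
    rdn = split_dn(dn)[0]
    return rdn, rdn.split("=", 1)[0].strip().lower()

def under_base_dn(dn, base_dn):
    """True when dn is an entry below base_dn (compared RDN by RDN, case-insensitive)."""
    entry = [p.lower() for p in split_dn(dn)]
    base = [p.lower() for p in split_dn(base_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base

def role_members(role_entry, member_attr):
    """Member DNs from the role's membership attribute ('uniqueMember' in
    Apache Directory Server, 'member' in Active Directory). LDAP attribute
    names are case-insensitive, so they are matched that way here."""
    for attr, values in role_entry.items():
        if attr.lower() == member_attr.lower():
            return {v.lower() for v in values}
    return set()
```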

Reviewing users and roles

After configuring security to use the store for user and role management, review the users and roles to make sure they were imported correctly. To add, edit, or delete users and roles, you need to use the user management tools provided by your LDAP provider.

Steps:
  1. In Manager, click Security > Users.
  2. Verify that users have been retrieved as expected from the LDAP server.
  3. Click Roles to review roles retrieved from the LDAP server.
  4. Verify that roles have been retrieved as expected from the LDAP server. Click the Edit button next to a role to check role membership. Modify the Role Type value as necessary. For information on role types, see Restricting access to ArcGIS Server.

Setting permissions for ArcGIS web services

Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.

ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.

Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
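As an added example (not ArcGIS Server code), the small model below works through the inheritance rules just described: a role granted on the site root or any parent folder is inherited by every service beneath it, and a grant explicitly removed at a service overrides what it would otherwise inherit. Folder and service paths, role names and the GRANTS/REVOKED tables are constructed sample data.

```python
# Added example, not ArcGIS Server code: a model of folder/service permission
# inheritance as described above. Paths and role names are constructed.

def effective_roles(service_path, grants, revoked=None):
    """Roles allowed on service_path, where '/' is the site root, folders are
    '/Folder' and services '/Folder/Service'. A role granted on any ancestor
    folder is inherited; a role listed in revoked[service_path] was explicitly
    removed at the service and overrides the inherited grant."""
    revoked = revoked or {}
    parts = [p for p in service_path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:d]) for d in range(1, len(parts) + 1)]
    allowed = set()
    for node in ancestors:
        allowed |= grants.get(node, set())
    return allowed - revoked.get(service_path, set())

def can_access(user_roles, service_path, grants, revoked=None):
    """A user may consume the service when any of their roles is allowed on it."""
    return bool(set(user_roles) & effective_roles(service_path, grants, revoked))

# Constructed sample configuration.
GRANTS = {
    "/": {"administrators"},             # root grant reaches every service
    "/Planning": {"planners"},           # folder grant reaches its services
    "/Planning/Parcels": {"assessors"},  # service-level grant
}
REVOKED = {"/Planning/Internal": {"planners"}}  # inherited grant removed here
```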

To set permissions for a service, see Editing permissions in Manager.

12/18/2014