When using Lightweight Directory Access Protocol (LDAP) to authenticate users, you can use a public key infrastructure (PKI) to secure access to your ArcGIS Enterprise organization.
To use LDAP and PKI, you must set up PKI-based client certificate authentication using ArcGIS Web Adaptor (Java Platform) deployed to a Java application server. You cannot use ArcGIS Web Adaptor (IIS) to perform PKI-based client certificate authentication with LDAP. If you haven't done so already, install and configure ArcGIS Web Adaptor (Java Platform) with your portal.
Configure your organization with LDAP
By default, the ArcGIS Enterprise organization enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you will need to reconfigure the portal to use HTTPS-only communication by following the steps below.
Configure the organization to use HTTPS for all communication
Complete the following steps to configure the organization to use HTTPS:
- Sign in to the organization website as an administrator.
The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- Click Organization and click the Settings tab, and then click Security on the left side of the page.
- Enable Allow access to the portal through HTTPS only.
Update your portal's identity store
Next, update your portal's identity store to use LDAP users and groups.
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Config > Update Identity Store.
- In the User store configuration (in JSON format) text box, paste your organization's LDAP user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization:
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "cn",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "dn"
  }
}
In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, and userSearchAttribute parameters. The userSearchAttribute parameter names the LDAP attribute that the portal matches against the Subject of the client certificate that ArcGIS Web Adaptor passes on; with the value dn, the certificate Subject must equal the user's distinguished name in LDAP. If your certificates carry a different identifier in the Subject, such as an email address, set userSearchAttribute to the LDAP attribute that holds that value (for example, mail). Your LDAP administrator will need to provide the LDAP URL.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- If you want to create groups in the portal that leverage the existing LDAP groups in your identity store, paste your organization's LDAP group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
    "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "dn",
    "memberAttributeInRoles": "member",
    "rolenameAttribute": "cn"
  }
}
In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, ldapURLForRoles, and userSearchAttribute parameters. As in the user store configuration, userSearchAttribute names the LDAP attribute that the portal matches against the Subject of the client certificate; with the value dn, the certificate Subject must equal the user's distinguished name. If your certificates carry a different identifier in the Subject, such as an email address, set userSearchAttribute to the LDAP attribute that holds that value. Your LDAP administrator will need to provide the LDAP URLs.
In the example above, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the names of groups in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- Click Update Configuration to save your changes.
- If you've configured a highly available portal, restart each portal machine. See Stopping and starting the portal for full instructions.
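Before pasting the two JSON documents into the Portal Directory, it is worth checking them mechanically for the mistakes the steps above warn about: a plain ldap:// URL (which sends the bind password and directory data in clear text), a missing search base, caseSensitive written as a boolean instead of a string, and a userSearchAttribute that does not match what your client certificates actually carry in the Subject. The following linter is an added example and is not Esri code; it also builds the form fields for the updateIdentityStore request, whose field names (userStoreConfig, groupStoreConfig, token, f) are an assumption about the Portal Admin API rather than something the steps above state, and it treats the user-lookup settings shared by the two stores as needing to be identical, which is a recommendation of this example rather than a documented requirement.

```python
"""Lint ArcGIS Enterprise LDAP user- and group-store JSON before posting it.

Added example, not Esri code. Encodes the rules from the steps above
(ldaps:// URLs, required keys, caseSensitive as a string, and a
userSearchAttribute that matches the client certificate's Subject).
The form-field names for security/config/updateIdentityStore are assumed.
"""
import copy
import json
from urllib.parse import urlsplit

REQUIRED_USER_KEYS = ("user", "userPassword", "ldapURLForUsers",
                      "usernameAttribute", "userSearchAttribute")
REQUIRED_GROUP_KEYS = ("user", "userPassword", "ldapURLForUsers",
                       "ldapURLForRoles", "memberAttributeInRoles",
                       "rolenameAttribute", "userSearchAttribute")
# Both stores resolve the same user; this example assumes they should agree.
SHARED_KEYS = ("user", "ldapURLForUsers", "usernameAttribute",
               "userSearchAttribute", "caseSensitive")


def _check_url(label, url):
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "ldaps":
        problems.append(f"{label}: scheme '{parts.scheme}' sends the bind "
                        "password and directory data in clear text; use ldaps://")
    if not parts.hostname:
        problems.append(f"{label}: no host")
    if not parts.path.strip("/"):
        problems.append(f"{label}: no search base, e.g. /dc=example,dc=com")
    return problems


def lint_identity_store(user_cfg, group_cfg=None, cert_subject_attribute="dn"):
    """Return a list of findings; an empty list means the configs pass.

    cert_subject_attribute is the LDAP attribute the certificate Subject maps
    to: "dn" when the Subject is the entry's DN, or e.g. "mail" for email.
    """
    findings = []
    stores = [("user store", user_cfg, REQUIRED_USER_KEYS)]
    if group_cfg is not None:
        stores.append(("group store", group_cfg, REQUIRED_GROUP_KEYS))
    for label, cfg, required in stores:
        if cfg.get("type") != "LDAP":
            findings.append(f"{label}: type must be LDAP")
        props = cfg.get("properties", {})
        findings.extend(f"{label}: missing {k}" for k in required if not props.get(k))
        for key in ("ldapURLForUsers", "ldapURLForRoles"):
            if props.get(key):
                findings.extend(_check_url(f"{label} {key}", props[key]))
        if props.get("caseSensitive") not in ("true", "false"):
            findings.append(f"{label}: caseSensitive must be the string 'true' or 'false'")
        if props.get("userSearchAttribute") != cert_subject_attribute:
            findings.append(f"{label}: userSearchAttribute "
                            f"'{props.get('userSearchAttribute')}' does not match the "
                            f"certificate Subject attribute '{cert_subject_attribute}'")
    if group_cfg is not None:
        up, gp = user_cfg.get("properties", {}), group_cfg.get("properties", {})
        findings.extend(f"{k} differs between user store and group store"
                        for k in SHARED_KEYS if up.get(k) != gp.get(k))
    return findings


def build_update_request(user_cfg, group_cfg, token):
    """Form fields for POST .../portaladmin/security/config/updateIdentityStore
    (field names assumed). An empty groupStoreConfig mirrors leaving the
    Group store text box empty, i.e. keep using the portal's built-in groups."""
    return {
        "userStoreConfig": json.dumps(user_cfg),
        "groupStoreConfig": json.dumps(group_cfg) if group_cfg else "",
        "token": token,
        "f": "json",
    }


# Constructed samples: the two templates from the steps above.
USER_STORE = {"type": "LDAP", "properties": {
    "userPassword": "secret", "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system", "userFullnameAttribute": "cn",
    "userGivenNameAttribute": "givenName", "userSurnameAttribute": "sn",
    "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail", "usernameAttribute": "uid",
    "caseSensitive": "false", "userSearchAttribute": "dn"}}
GROUP_STORE = {"type": "LDAP", "properties": {
    "userPassword": "secret", "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
    "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com",
    "usernameAttribute": "uid", "caseSensitive": "false",
    "userSearchAttribute": "dn", "memberAttributeInRoles": "member",
    "rolenameAttribute": "cn"}}
# Constructed weak variant: plain ldap:// and a Subject attribute that
# does not line up with certificates whose Subject is the DN.
WEAK_USER_STORE = copy.deepcopy(USER_STORE)
WEAK_USER_STORE["properties"].update(
    {"ldapURLForUsers": "ldap://bar2:10389/dc=example,dc=com",
     "userSearchAttribute": "uid"})

if __name__ == "__main__":
    for name, cfg in (("template", USER_STORE), ("weak", WEAK_USER_STORE)):
        print(name, lint_identity_store(cfg, GROUP_STORE) or "OK")
```

Run the linter against the weak variant and it reports the clear-text scheme, the Subject mismatch, and that ldapURLForUsers and userSearchAttribute no longer agree between the two stores; the unmodified templates pass. Whatever you post, the bind password still travels inside the JSON, so only send it over the HTTPS-only portal configured earlier.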
Add organization-specific accounts
By default, organization-specific (LDAP) users can sign in to the ArcGIS Enterprise organization. However, until their accounts have been added to the organization and granted privileges, they can only view items that have been shared with everyone in the organization.
Add accounts to your organization using one of the following methods:
- Individually or in bulk (one at a time, in bulk from a .csv file, or from existing groups in your LDAP identity store)
- Command line utility
- Automatically
It's recommended that you designate at least one organization-specific account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.
Configure ArcGIS Web Adaptor to use PKI authentication
Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your organization, configure an LDAP realm on your Java application server and configure PKI-based client certificate authentication for ArcGIS Web Adaptor. For instructions, consult your system administrator or the product documentation for your Java application server.
Verify organization access using LDAP and PKI
To verify you can access the portal using LDAP and PKI, complete the following steps:
- Open the ArcGIS Enterprise portal. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- Verify that you are prompted to present your client certificate (your security credentials) and that, once it is accepted, you can access the website.
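If the certificate prompt appears but sign-in then fails, the usual cause is that the Subject the Java application server hands to the portal does not match the LDAP value selected by userSearchAttribute. The helper below is an added example, not Esri code: it normalises both strings per RFC 4514 (attribute types compared case-insensitively, values compared according to the caseSensitive setting) and reports whether the difference is only letter case, only RDN order (OpenSSL's one-line "/DC=com/.../CN=..." form lists RDNs in the opposite order from Java's X500Principal output), or a genuinely different name. The certificate Subject and LDAP DN used as input are constructed for the example; the handling of escaped separators is simplified.

```python
"""Diagnose why a client-certificate Subject fails to match an LDAP DN.

Added example, not Esri code. Compares the Subject that the web adaptor
passes on with the entry DN the portal looks up when userSearchAttribute
is "dn", and says whether a mismatch is case, RDN order, or a real
difference. Escape handling is simplified (only \\, and \\/ are unescaped).
"""
import re

_RDN_SPLIT = re.compile(r'(?<!\\),')    # commas not escaped by a backslash
_SLASH_SPLIT = re.compile(r'(?<!\\)/')  # slashes in OpenSSL's one-line form


def parse_dn(dn):
    """Return [(type, value), ...] in RFC 2253 order (most specific RDN first).

    Accepts "CN=Jane,OU=users,DC=example,DC=com" (Java / RFC 2253) and
    OpenSSL's "/DC=com/DC=example/OU=users/CN=Jane", which is reversed.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in _SLASH_SPLIT.split(dn) if p]
        parts.reverse()
    else:
        parts = _RDN_SPLIT.split(dn)
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        value = value.strip().replace("\\,", ",").replace("\\/", "/")
        rdns.append((attr_type.strip().lower(), value))   # types are case-insensitive
    return rdns


def _same(a, b, exact_values):
    if len(a) != len(b):
        return False
    for (ta, va), (tb, vb) in zip(a, b):
        if ta != tb:
            return False
        if exact_values and va != vb:
            return False
        if not exact_values and va.lower() != vb.lower():
            return False
    return True


def compare_subject_to_dn(cert_subject, ldap_dn, case_sensitive=False):
    """Return 'match', 'case-only', 'reversed' or 'no'.

    case_sensitive mirrors the identity store's caseSensitive setting.
    """
    left, right = parse_dn(cert_subject), parse_dn(ldap_dn)
    if _same(left, right, case_sensitive):
        return "match"
    if case_sensitive and _same(left, right, False):
        return "case-only"       # would match with caseSensitive "false"
    if _same(list(reversed(left)), right, False):
        return "reversed"        # same RDNs, opposite order: check how the
                                 # server formats the Subject it passes on
    return "no"


# Constructed inputs for the example, using the page's LDAP base.
LDAP_DN = "cn=Jane Doe,ou=users,ou=ags,dc=example,dc=com"
SUBJECTS = {
    "java":       "CN=Jane Doe,OU=users,OU=ags,DC=example,DC=com",
    "lowercase":  "CN=jane doe,OU=users,OU=ags,DC=example,DC=com",
    "openssl":    "/DC=com/DC=example/OU=ags/OU=users/CN=Jane Doe",
    "reversed":   "DC=com,DC=example,OU=ags,OU=users,CN=Jane Doe",
    "other user": "CN=John Roe,OU=users,OU=ags,DC=example,DC=com",
}

if __name__ == "__main__":
    for name, subject in SUBJECTS.items():
        print(f"{name:11} caseSensitive=true: "
              f"{compare_subject_to_dn(subject, LDAP_DN, True):9} "
              f"false: {compare_subject_to_dn(subject, LDAP_DN, False)}")
```

A "case-only" result means the directory and the certificate disagree only in letter case and caseSensitive "false" will resolve it; "reversed" means the two sides agree on every RDN but you are comparing a most-significant-first rendering (such as openssl x509 -subject) with the RFC 2253 order the portal sees, so fix the comparison rather than the directory.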
Prevent users from creating their own built-in accounts
You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.