Securing services with users and roles from an LDAP server

ArcGIS Server can leverage user and role information stored in an LDAP server such as Apache Directory Server or Microsoft Active Directory. ArcGIS Server treats the LDAP server as a read-only source of user/role information, and thus, you cannot use ArcGIS Server Manager to add or delete users and roles or edit their attributes.

To use LDAP, you must deploy your Web Adaptor to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. You cannot use ArcGIS Web Adaptor (IIS) to perform web-tier authentication with LDAP.

ArcGIS web services can be secured with users and roles from an LDAP server by following these steps:

  1. Configure security settings.
  2. Review users and roles.
  3. Set up web-tier authentication on your server's Web Adaptor.
  4. Set permissions for services.

Configure security settings

Follow the steps below to configure security using Manager:

  1. Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Logging in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
  5. On the Enterprise Store Type page, choose the LDAP option and click Next.
  6. On the next page, you will need to enter the parameters to connect to the LDAP server. Click Test Connection to create a test connection to the LDAP server. If the connection attempt is successful, click Next. The table below describes the parameters on this page:

    Parameter: Host Name
    Description: Name of the host machine on which the LDAP server is running.
    Example: myservername

    Parameter: Port
    Description: Port number on the host machine where the LDAP server is listening for incoming connections. If the LDAP server supports secure connections (ldaps), ArcGIS Server will automatically switch to the ldaps protocol. If the port specified is 10389, ArcGIS Server will make a secure connection to port 10636. If the port specified is 389, ArcGIS Server will make a secure connection to port 636.
    Examples: 10636; 636

    Parameter: Base DN
    Description: The distinguished name (DN) of the node in the directory server under which user information is maintained.
    Example: ou=users,ou=arcgis,dc=mydomain,dc=com

    Parameter: URL
    Description: The LDAP URL that will be used to connect to the LDAP server (this is automatically generated). Edit this URL if it is incorrect or requires changes. If your LDAP server does not use the standard 636 port for secure connections, you should specify the custom port number here.
    Examples:
      ldaps://myservername:636/ou=users,ou=arcgis,dc=mydomain,dc=com
      ldaps://myservername:10636/ou=users,ou=arcgis,dc=mydomain,dc=com
      ldaps://myservername:10300/ou=users,ou=arcgis,dc=mydomain,dc=com (custom port)

    Parameter: RDN attribute
    Description: The relative distinguished name (RDN) attribute for user entries in the LDAP server.
    Examples:
      For the DN "cn=john,ou=users,ou=arcgis,dc=mydomain,dc=com" the RDN is "cn=john" and the RDN attribute is cn.
      For the DN "uid=john,ou=users,ou=arcgis,dc=mydomain,dc=com" the RDN is "uid=john" and the RDN attribute is uid.

    Parameter: Administrator's DN
    Description: The DN of an LDAP administrator account that has access to the node containing user information. It is recommended that you specify an administrator account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password of the account is changed.
    Example: uid=admin,ou=administrators,dc=mydomain,dc=com

    Parameter: Password
    Description: The administrator's password.
    Example: adminpassword

  7. On the next page, enter the parameters to retrieve roles from the LDAP server. The table below describes the parameters in detail:

    Parameter: Base DN
    Description: The DN of the node in the directory server under which role information is maintained.
    Example: ou=roles,ou=arcgis,dc=mydomain,dc=com

    Parameter: URL
    Description: The LDAP URL that will be used to connect to the server (this is automatically generated). Edit this URL if it is incorrect or requires changes.
    Example: ldaps://myservername:10636/ou=roles,ou=arcgis,dc=mydomain,dc=com

    Parameter: User Attribute in Role Entry
    Description: The name of the attribute in the role entry that contains the DN of users that are members of this role.
    Examples: In Apache Directory Server, the attribute name most commonly used is uniqueMember. In Microsoft Active Directory, the attribute name most commonly used is member.

  8. After entering the parameters, click Next.
  9. On the Authentication Tier page, choose where you want authentication to be done and click Next. For more information about this option, see Configuring ArcGIS Server security.
  10. Review the summary of your selections. Click Back to make changes or Finish to apply and save the security configuration.
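The following Python script is an added example, not Esri's code and not part of the original page. It models how the parameters from steps 6 and 7 fit together: the port rule that switches plain LDAP ports to their ldaps counterparts, the generated LDAP URL, the RDN attribute derived from a user DN, and the membership attribute (uniqueMember or member) used to find which role entries list a user's DN. No directory is contacted; the role entries are constructed sample data, and all function names are assumptions for illustration.

```python
"""Worked example of the ArcGIS Server LDAP connection parameters.

Constructed for illustration: no real directory is contacted and the sample
role entries are made up. This is not ArcGIS Server's own implementation.
"""
from urllib.parse import urlsplit, unquote

# Port rule stated in the documentation: when the LDAP server supports ldaps,
# ArcGIS Server switches 389 -> 636 and 10389 -> 10636. Other ports are kept.
SECURE_PORT_FOR = {389: 636, 10389: 10636}


def secure_port(port: int) -> int:
    """Return the ldaps port ArcGIS Server would use for the configured port."""
    return SECURE_PORT_FOR.get(port, port)


def build_ldap_url(host: str, port: int, base_dn: str) -> str:
    """Generate an ldaps URL the way Manager does (custom ports pass through)."""
    return f"ldaps://{host}:{secure_port(port)}/{base_dn}"


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into scheme, host, port and base DN.

    Rejects non-LDAP schemes and URLs without a base DN so that a mistyped
    URL is caught before it is saved in the security configuration.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError("host and port are required in the LDAP URL")
    base_dn = unquote(parts.path.lstrip("/"))
    if not base_dn:
        raise ValueError("base DN missing from the LDAP URL path")
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port,
            "base_dn": base_dn, "secure": parts.scheme == "ldaps"}


def rdn_attribute(dn: str) -> str:
    """Attribute name of the first RDN, e.g. 'cn' for 'cn=john,ou=users,...'."""
    first = dn.split(",", 1)[0]
    attr, sep, _ = first.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"not a distinguished name: {dn!r}")
    return attr.strip().lower()


def normalize_dn(dn: str) -> str:
    """Simplified comparison key: DNs are compared case- and space-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed role entries under the roles Base DN. The membership attribute
# holds user DNs: uniqueMember (Apache DS) or member (Active Directory).
SAMPLE_ROLES = {
    "cn=publishers,ou=roles,ou=arcgis,dc=mydomain,dc=com": {
        "uniqueMember": ["uid=john,ou=users,ou=arcgis,dc=mydomain,dc=com",
                         "uid=ann,ou=users,ou=arcgis,dc=mydomain,dc=com"]},
    "cn=viewers,ou=roles,ou=arcgis,dc=mydomain,dc=com": {
        "uniqueMember": ["UID=Ann,OU=users,OU=arcgis,DC=mydomain,DC=com"]},
}


def roles_for_user(user_dn: str, roles: dict, member_attr: str = "uniqueMember") -> list:
    """Return sorted role names whose membership attribute contains user_dn."""
    target = normalize_dn(user_dn)
    matches = []
    for role_dn, attrs in roles.items():
        members = attrs.get(member_attr, [])
        if any(normalize_dn(m) == target for m in members):
            # role name is the value of the role entry's own RDN, e.g. cn=viewers
            matches.append(role_dn.split(",", 1)[0].split("=", 1)[1])
    return sorted(matches)


if __name__ == "__main__":
    print(build_ldap_url("myservername", 10389, "ou=users,ou=arcgis,dc=mydomain,dc=com"))
    print(parse_ldap_url("ldaps://myservername:10300/ou=users,ou=arcgis,dc=mydomain,dc=com"))
    print(rdn_attribute("uid=john,ou=users,ou=arcgis,dc=mydomain,dc=com"))
    print(roles_for_user("uid=ann,ou=users,ou=arcgis,dc=mydomain,dc=com", SAMPLE_ROLES))
```

The membership lookup uses uniqueMember by default; pass member_attr="member" for an Active Directory layout. The DN comparison is deliberately simplified (case and whitespace only); a real directory client should rely on the server's own DN matching rather than string comparison.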

Review users and roles

After configuring security to use the store for user and role management, review the users and roles to make sure they were imported correctly. To add, edit, or delete users and roles, you need to use the user management tools provided by your LDAP provider.

  1. In Manager, click Security > Users.
  2. Verify that users have been retrieved as expected from the LDAP server.
  3. Click Roles to review roles retrieved from the LDAP server.
  4. Verify that roles have been retrieved as expected from the LDAP server. Click the Edit button next to a role to check role membership. Modify the Role Type value as necessary. For information on role types, see Restricting access to ArcGIS Server.

Caching of users and roles

As of ArcGIS 10.5, LDAP users and roles will be cached on the server after a request for users or roles. This optimizes the performance of your secure services. By default, the users and roles will be cached for 30 minutes. You can modify this time period by setting the minutesToCacheUserRoles property to another value in the ArcGIS Server Administrator Directory under system properties. You can also disable caching by setting the property to zero.
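The cache behaviour described above has a security consequence worth seeing concretely: a role membership removed in LDAP keeps working on the server until the cached entry expires. The Python class below is an added example (not Esri's code) that models a cache with the same semantics as the minutesToCacheUserRoles property, including zero meaning no caching. The loader callable, the injectable clock and the class name are assumptions for illustration.

```python
"""Model of a time-limited user/role cache with the semantics described for
minutesToCacheUserRoles. Added example; not ArcGIS Server's implementation."""
import time
from typing import Callable, Dict, List, Tuple


class UserRoleCache:
    """Cache role lookups for minutes_to_cache minutes; 0 disables caching.

    loader(username) queries the backing store (LDAP in the real system).
    clock() is injectable so the expiry rule can be exercised without waiting.
    """

    def __init__(self, loader: Callable[[str], List[str]],
                 minutes_to_cache: int = 30,
                 clock: Callable[[], float] = time.monotonic):
        if minutes_to_cache < 0:
            raise ValueError("minutes_to_cache must be zero or positive")
        self._loader = loader
        self._ttl_seconds = minutes_to_cache * 60
        self._clock = clock
        self._entries: Dict[str, Tuple[float, List[str]]] = {}
        self.store_queries = 0  # how often the backing store was actually hit

    def roles(self, username: str) -> List[str]:
        """Return the user's roles, served from cache while the entry is fresh."""
        now = self._clock()
        if self._ttl_seconds > 0:
            hit = self._entries.get(username)
            if hit is not None and now - hit[0] < self._ttl_seconds:
                return list(hit[1])
        result = list(self._loader(username))
        self.store_queries += 1
        if self._ttl_seconds > 0:
            self._entries[username] = (now, result)
        return result

    def invalidate(self, username: str = None) -> None:
        """Drop one user's cached roles, or everything when no user is given."""
        if username is None:
            self._entries.clear()
        else:
            self._entries.pop(username, None)


# Constructed directory stand-in: membership can be changed to show staleness.
DIRECTORY = {"ann": ["publishers", "viewers"], "john": ["publishers"]}


def lookup_in_directory(username: str) -> List[str]:
    return DIRECTORY.get(username, [])


class FakeClock:
    """Manually advanced clock for demonstrating expiry."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance_minutes(self, minutes: float) -> None:
        self.now += minutes * 60


def stale_window_demo() -> Tuple[List[str], List[str], List[str]]:
    """Revoke a role in the directory and observe when the server notices."""
    clock = FakeClock()
    cache = UserRoleCache(lookup_in_directory, minutes_to_cache=30, clock=clock)
    before = cache.roles("ann")
    DIRECTORY["ann"] = ["viewers"]            # membership revoked in LDAP
    clock.advance_minutes(10)
    still_cached = cache.roles("ann")         # revocation not yet visible
    clock.advance_minutes(25)                 # 35 minutes since first lookup
    after_expiry = cache.roles("ann")
    DIRECTORY["ann"] = ["publishers", "viewers"]  # restore sample data
    return before, still_cached, after_expiry


if __name__ == "__main__":
    print(stale_window_demo())
```

The demo shows the window during which a revoked membership is still honoured; shortening the property, setting it to zero, or clearing the cache after a directory change closes that window at the cost of more LDAP queries.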

Set up web-tier authentication on your server's Web Adaptor

LDAP requires web-tier authentication, and this must be done with ArcGIS Web Adaptor (Java Platform). The Web Adaptor relies on the Java application server to authenticate the user and provide the Web Adaptor with the account name of the user. Once it has the account name, it passes that to the server.

Note:

When configuring the Web Adaptor, you must enable administration through the Web Adaptor. This allows users in LDAP to publish services from ArcGIS Desktop. When these users connect to the server in ArcGIS Desktop, they must specify the Web Adaptor URL.

Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your server, you'll need to configure an LDAP realm on your Java application server and configure the authentication method for the Web Adaptor. For instructions, consult the product documentation for your Java application server or your system administrator.

Set permissions for ArcGIS web services

Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.

ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.

Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
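To make the inheritance rules concrete, here is an added Python model (not Esri's code, and not how ArcGIS Server stores permissions internally) of the folder-to-service inheritance described above: a role granted on a folder applies to every service under it, a grant on the root folder reaches every service on the site, and removing an inherited permission on one service overrides what that service would otherwise inherit. Paths, role names and method names are assumptions chosen for the example.

```python
"""Role-based permissions with folder inheritance and per-service override.
Added example modelled on the documented behaviour; not Esri's implementation."""
from typing import Dict, Iterable, List, Set


class ServicePermissions:
    """Paths look like '/', '/Maps' (folder) and '/Maps/Parcels' (service).

    Effective roles for a path are the union of grants on the path and all of
    its ancestors, minus any roles explicitly removed at each level.
    """

    def __init__(self):
        self._grants: Dict[str, Set[str]] = {}
        self._removed: Dict[str, Set[str]] = {}

    @staticmethod
    def _ancestry(path: str) -> List[str]:
        """Root first: '/Maps/Parcels' -> ['/', '/Maps', '/Maps/Parcels']."""
        parts = [p for p in path.strip("/").split("/") if p]
        nodes, current = ["/"], ""
        for part in parts:
            current += "/" + part
            nodes.append(current)
        return nodes

    def grant(self, path: str, role: str) -> None:
        """Allow a role on a folder or service (inherited by everything below)."""
        self._grants.setdefault(path, set()).add(role)
        self._removed.get(path, set()).discard(role)

    def remove_inherited(self, path: str, role: str) -> None:
        """Explicitly remove a role at this path, overriding what it inherits."""
        self._grants.get(path, set()).discard(role)
        self._removed.setdefault(path, set()).add(role)

    def effective_roles(self, path: str) -> Set[str]:
        roles: Set[str] = set()
        for node in self._ancestry(path):
            roles |= self._grants.get(node, set())
            roles -= self._removed.get(node, set())
        return roles

    def can_access(self, path: str, user_roles: Iterable[str]) -> bool:
        """A user may consume the service if any of their roles is permitted."""
        return bool(self.effective_roles(path) & set(user_roles))


def build_sample_site() -> ServicePermissions:
    """Constructed site: viewers on the root, editors on /Maps, one override."""
    perms = ServicePermissions()
    perms.grant("/", "viewers")                       # everyone in viewers sees all
    perms.grant("/Maps", "editors")                   # editors added for the folder
    perms.remove_inherited("/Maps/Parcels", "viewers")  # this service opts out
    return perms


if __name__ == "__main__":
    site = build_sample_site()
    for service in ("/Maps/Roads", "/Maps/Parcels", "/Utilities/Geocode"):
        print(service, sorted(site.effective_roles(service)))
```

Note that the override is stored as an explicit removal on the service rather than by copying the folder's remaining roles down, so a role later granted on the folder still reaches the service while the removed one stays removed.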

To set permissions for a service, see Editing permissions in Manager.