Andrea Aime edited this page Oct 6, 2014 · 1 revision

LDAP module

This module externalizes user and group management to an LDAP server. GeoServer can already authenticate against an LDAP server, and so can many other components of a complete WebGIS stack (such as the Apache HTTP server), so the same directory can serve as the single user/group repository for the whole infrastructure.

The LDAP module:

  • Is a pluggable, optional module that fetches users and groups from an LDAP server
  • Disables write actions on users and groups in the Admin interface

LDAP module specification

The LDAP module defines alternative implementations of the GSUserDAO and UserGroupDAO interfaces to:

  • fetch users and groups, respectively, from the configured LDAP server
  • disable write actions on users and groups

The module also defines an alternative RuleDAO implementation to:

  • synchronize the internal (database) users and groups with the LDAP ones when access rules are created or changed

Configuration

The LDAP module ships with the default GeoFence distribution but is initially disabled.

To enable and configure it you need to:

  • change the web.xml file located in the WEB-INF folder so that the contextConfigLocation parameter also loads a new applicationContext-ldap.xml file:
<!-- pick up all spring application contexts -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath*:/applicationContext-common.xml
        classpath:applicationContext-client.xml
        classpath*:applicationContext.xml
        classpath:applicationContext-ldap.xml
    </param-value>
</context-param>
  • create an applicationContext-ldap.xml file in WEB-INF with the following content:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:geofence="http://geosolutions.it/geofence"
       xsi:schemaLocation="
            http://www.springframework.org/schema/beans     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context   http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://cxf.apache.org/jaxws                     http://cxf.apache.org/schemas/jaxws.xsd
            http://cxf.apache.org/jaxrs                     http://cxf.apache.org/schemas/jaxrs.xsd
            http://cxf.apache.org/core                      http://cxf.apache.org/schemas/core.xsd"
       default-autowire="byName">

    <context:annotation-config />

    <!-- database-backed DAOs, kept as delegates for the LDAP-backed ones -->
    <bean id="baseUserDAO" class="org.geoserver.geofence.core.dao.impl.GSUserDAOImpl">
        <property name="searchProcessor" ref="geofenceSearchProcessor" />
    </bean>

    <bean id="baseUserGroupDAO" class="org.geoserver.geofence.core.dao.impl.UserGroupDAOImpl">
        <property name="searchProcessor" ref="geofenceSearchProcessor" />
    </bean>

    <!-- LDAP-backed DAOs that replace the default user and group DAOs -->
    <bean id="gsUserDAO" class="org.geoserver.geofence.ldap.dao.impl.GSUserDAOLdapImpl">
        <property name="ldapTemplate" ref="geofenceLdapTemplate" />
        <property name="attributesMapper" ref="geofenceLdapUserAttributesMapper" />
        <property name="groupsAttributesMapper" ref="geofenceLdapUserGroupAttributesMapper" />
        <property name="dao" ref="baseUserDAO" />
    </bean>

    <bean id="userGroupDAO" class="org.geoserver.geofence.ldap.dao.impl.UserGroupDAOLdapImpl">
        <property name="ldapTemplate" ref="geofenceLdapTemplate" />
        <property name="attributesMapper" ref="geofenceLdapUserGroupAttributesMapper" />
        <property name="dao" ref="baseUserGroupDAO" />
    </bean>

    <!-- rule DAO that synchronizes database users/groups with LDAP when rules change -->
    <bean id="ruleDAO" class="org.geoserver.geofence.ldap.dao.impl.RuleDAOLdapImpl">
        <property name="searchProcessor" ref="geofenceSearchProcessor" />
        <property name="userDao" ref="baseUserDAO" />
        <property name="userGroupDao" ref="baseUserGroupDAO" />
    </bean>

</beans>
  • change the geofence-datasource.properties file located in the WEB-INF/classes folder to set the LDAP server connection properties:
      • geofenceLdapSource.url: connection URL of the LDAP server
      • geofenceLdapSource.base: base DN for LDAP searches and lookups
      • geofenceLdapSource.user: account used to bind to the LDAP server
      • geofenceLdapSource.password: password of the bind account
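The following fragment is an added illustration of the four connection properties, not a file shipped with GeoFence; the host, base DN and bind account are assumptions for an example directory. It shows the weak setting next to the one a deployer should prefer: a plain ldap:// URL sends the bind password in clear text over the network, so use ldaps:// (or a server that enforces StartTLS) where the underlying Spring LDAP context source accepts it, which standard JNDI does.

```properties
# geofence-datasource.properties (WEB-INF/classes) -- example values, not GeoFence defaults

# Weak: clear-text LDAP, bind password crosses the network unprotected
#geofenceLdapSource.url=ldap://ldap.example.org:389

# Preferred: LDAP over TLS (port 636); the JVM trust store must contain the server CA
geofenceLdapSource.url=ldaps://ldap.example.org:636

# Base DN under which ou=People / ou=Groups live
geofenceLdapSource.base=dc=example,dc=org

# Dedicated read-only service account; do not reuse an administrative bind DN
geofenceLdapSource.user=cn=geofence-reader,ou=Services,dc=example,dc=org
geofenceLdapSource.password=replace-with-a-strong-secret
```

The password is stored in clear text inside the web application, so restrict read permission on the properties file to the servlet container's user, and give the bind account only the read access it needs on the user and group subtrees; the module never writes to LDAP, so a read-only account is sufficient.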

Advanced Configuration

The default configuration shipped with the LDAP module is compatible with recent OpenLDAP servers. To use a different type of server you may need to change some advanced settings, which means adding or modifying bean properties in the applicationContext-ldap.xml file created above. This is a summary of the settings you can change.

gsUserDAO

<bean id="gsUserDAO" class="org.geoserver.geofence.ldap.dao.impl.GSUserDAOLdapImpl">
    ...
    <property name="searchBase" value="ou=People" />
    <property name="searchFilter" value="objectClass=inetOrgPerson" />
    <property name="groupsBase" value="ou=Groups" />
    <property name="userDn" value="uid=%s,ou=People" />
    <property name="attributesMapper" ref="geofenceLdapUserAttributesMapper" />
    <property name="groupsAttributesMapper" ref="geofenceLdapUserGroupAttributesMapper" />
    ...
</bean>
  • searchBase: the base path for user searches/lookups
  • searchFilter: the filter applied to user searches/lookups inside the base path
  • groupsBase: the base path for group searches/lookups
  • userDn: the DN template for user objects; %s is replaced by the user's unique identifier (the username), so only values that are valid and escaped as DN components should reach it
  • attributesMapper: you can use a different mapper if your LDAP server describes users with attributes other than the ones used by OpenLDAP. The default mapping (GeoFence field to LDAP attribute) is the following:
<bean id="geofenceLdapUserAttributesMapper" class="org.geoserver.geofence.ldap.dao.impl.GSUserAttributesMapper">
    <property name="ldapAttributeMappings">
        <map>
            <entry key="id" value="uidNumber"/>
            <entry key="username" value="uid"/>
            <entry key="email" value="mail"/>
            <entry key="name" value="cn"/>
            <entry key="surname" value="sn"/>
            <entry key="password" value="userPassword"/>
        </map>
    </property>
</bean>
  • groupsAttributesMapper: you can use a different mapper if your LDAP server describes groups with attributes other than the ones used by OpenLDAP. The default mapping is the following:
<bean id="geofenceLdapUserGroupAttributesMapper" class="org.geoserver.geofence.ldap.dao.impl.UserGroupAttributesMapper">
    <property name="ldapAttributeMappings">
        <map>
            <entry key="id" value="gidNumber"/>
            <entry key="groupname" value="cn"/>
            <entry key="member" value="memberUid"/>
        </map>
    </property>
</bean>

userGroupDAO

<bean id="userGroupDAO" class="org.geoserver.geofence.ldap.dao.impl.UserGroupDAOLdapImpl">
    ...
    <property name="searchBase" value="ou=Groups" />
    <property name="searchFilter" value="objectClass=posixGroup" />
    <property name="attributesMapper" ref="geofenceLdapUserGroupAttributesMapper" />
    ...
</bean>
  • searchBase: the base path for group searches/lookups
  • searchFilter: the filter applied to group searches/lookups inside the base path
  • attributesMapper: you can use a different mapper if your LDAP server describes groups with attributes other than the ones used by OpenLDAP. The default is the same geofenceLdapUserGroupAttributesMapper bean used by gsUserDAO:
<bean id="geofenceLdapUserGroupAttributesMapper" class="org.geoserver.geofence.ldap.dao.impl.UserGroupAttributesMapper">
    <property name="ldapAttributeMappings">
        <map>
            <entry key="id" value="gidNumber"/>
            <entry key="groupname" value="cn"/>
            <entry key="member" value="memberUid"/>
        </map>
    </property>
</bean>
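As an added example (not GeoFence's own code), the following Python shows how the userDn template and searchFilter of the gsUserDAO section should be filled in with RFC 4514 DN escaping and RFC 4515 filter escaping, and how the ldapAttributeMappings of both mappers (the user mapping above and the group mapping used by userGroupDAO) turn directory entries into GeoFence-style user and group records, including posixGroup membership resolved through memberUid. The page does not say whether GSUserDAOLdapImpl escapes the value substituted for %s, so the escaping here is the check a deployer should apply to usernames arriving from external identity sources; the directory entries are constructed sample data and the output field names are assumptions.

```python
"""Filling the LDAP module's DN/filter templates safely and applying its
attribute mappings. Added illustration, not GeoFence code; the directory
entries below are constructed sample data."""

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
DN_SPECIALS = set('"+,;<>\\')

# Characters that must be hex-escaped inside a search filter value (RFC 4515 3).
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Default mappings from the applicationContext-ldap.xml beans: GeoFence field -> LDAP attribute.
USER_MAPPING = {"id": "uidNumber", "username": "uid", "email": "mail",
                "name": "cn", "surname": "sn", "password": "userPassword"}
GROUP_MAPPING = {"id": "gidNumber", "groupname": "cn", "member": "memberUid"}


def escape_dn_value(value):
    """Escape a single attribute value so it cannot add or alter RDNs of the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")  # leading/trailing space survives only if escaped
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value so it cannot inject extra filter components."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_dn(template, username):
    """Fill a userDn template such as "uid=%s,ou=People" with an escaped username."""
    return template.replace("%s", escape_dn_value(username))


def build_user_filter(search_filter, username_attr, username):
    """AND the configured searchFilter with an equality match on the username attribute."""
    if not search_filter.startswith("("):
        search_filter = "(" + search_filter + ")"
    return "(&%s(%s=%s))" % (search_filter, username_attr, escape_filter_value(username))


def map_entry(entry, mapping):
    """Apply an ldapAttributeMappings map to one entry (attribute -> list of values).
    Single values are unwrapped, multi-valued attributes stay lists, absent ones become None."""
    result = {}
    for field, attr in mapping.items():
        values = entry.get(attr, [])
        result[field] = values if len(values) > 1 else (values[0] if values else None)
    return result


def groups_for_user(username, group_entries, mapping=GROUP_MAPPING):
    """Resolve posixGroup membership: a user belongs to every group whose memberUid lists its uid."""
    member_attr, name_attr = mapping["member"], mapping["groupname"]
    return sorted(g[name_attr][0] for g in group_entries if username in g.get(member_attr, []))


# Constructed sample entries, shaped like inetOrgPerson and posixGroup objects.
USERS = [
    {"uidNumber": ["1001"], "uid": ["alice"], "mail": ["alice@example.org"],
     "cn": ["Alice Liddell"], "sn": ["Liddell"]},
]
GROUPS = [
    {"gidNumber": ["2001"], "cn": ["editors"], "memberUid": ["alice", "bob"]},
    {"gidNumber": ["2002"], "cn": ["admins"], "memberUid": ["bob"]},
]

if __name__ == "__main__":
    print(build_user_dn("uid=%s,ou=People", "alice"))
    print(build_user_dn("uid=%s,ou=People", "alice,ou=Admins"))   # comma escaped, no extra RDN
    print(build_user_filter("objectClass=inetOrgPerson", "uid", "*"))  # wildcard escaped
    print(map_entry(USERS[0], USER_MAPPING))
    print(groups_for_user("alice", GROUPS))
```

Note that the default user mapping includes a password field bound to userPassword: with that entry in place the bind account must be allowed to read password attributes, which most directory ACLs deny to ordinary accounts; if GeoFence does not need it in your deployment (authentication is handled by GeoServer), removing that entry lets the bind account run with a smaller ACL.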