Configure web-tier authentication with an LDAP directory—ArcGIS Server | Documentation for ArcGIS Enterprise

Configure web-tier authentication with an LDAP directory

You can configure a stand-alone ArcGIS Server site to use user and role information stored in an LDAP directory such as Apache Directory Server or Microsoft Active Directory. When this is configured, it replaces the use of the server's built-in identity store to manage users and roles. ArcGIS Server treats the LDAP directory as a read-only source of user/role information, and thus, you cannot use ArcGIS Server Manager to add or delete users and roles or edit their attributes.

Note:

When an ArcGIS Server site is federated with an ArcGIS Enterprise portal, it adopts the security and sharing settings of the portal. See Use your portal with LDAP or Active Directory and web-tier authentication for the equivalent workflow in the portal.

To use LDAP, you must deploy your Web Adaptor to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. You cannot use ArcGIS Web Adaptor (IIS) to perform web-tier authentication with LDAP.

You can configure an LDAP directory to manage your server's users and roles by following these steps:

  1. Configure security settings.
  2. Review users and roles.
  3. Set up web-tier authentication on your server's Web Adaptor.
  4. Control permissions for your services.

Configure security settings

Follow the steps below to configure security using Manager:

  1. Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Log in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
  5. On the Enterprise Store Type page, choose the LDAP option and click Next.
  6. On the next page, you will need to provide the parameters to connect to the LDAP directory. Click Test Connection to create a test connection to the LDAP directory. If the connection attempt is successful, click Next. The table below describes the parameters on this page:

    Parameter: Host Name
    Description: Name of the host machine on which the LDAP directory is running.
    Example: myservername

    Parameter: Port
    Description: Port number on the host machine where the LDAP directory is listening for incoming connections. If the LDAP directory supports secure connections (ldaps), ArcGIS Server will automatically switch to the ldaps protocol. If the port specified is 10389, ArcGIS Server will make a secure connection to port 10636. If the port specified is 389, ArcGIS Server will make a secure connection to port 636.
    Examples: 10636; 636

    Parameter: Base DN
    Description: The distinguished name (DN) of the node in the directory server under which user information is maintained.
    Example: ou=users,ou=arcgis,dc=mydomain,dc=com

    Parameter: URL
    Description: The LDAP URL that will be used to connect to the LDAP directory (this is generated automatically). Edit this URL if it is incorrect or requires changes. If your LDAP directory does not use the standard port 636 for secure connections, specify the custom port number here.
    Examples:
      ldaps://myservername:636/ou=users,ou=arcgis,dc=mydomain,dc=com
      ldaps://myservername:10636/ou=users,ou=arcgis,dc=mydomain,dc=com
      ldaps://myservername:10300/ou=users,ou=arcgis,dc=mydomain,dc=com (custom port)

    Parameter: RDN attribute
    Description: The relative distinguished name (RDN) attribute for user entries in the LDAP directory.
    Examples:
      For the DN "cn=john,ou=users,ou=arcgis,dc=mydomain,dc=com" the RDN is "cn=john" and the RDN attribute is cn.
      For the DN "uid=john,ou=users,ou=arcgis,dc=mydomain,dc=com" the RDN is "uid=john" and the RDN attribute is uid.

    Parameter: Administrator's DN
    Description: The DN of an LDAP administrator account that has access to the node containing user information. It is recommended that you specify an administrator account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password is changed.
    Example: uid=admin,ou=administrators,dc=mydomain,dc=com

    Parameter: Password
    Description: The administrator's password.
    Example: adminpassword

  7. On the next page, provide the parameters to retrieve roles from the LDAP directory. The table below describes the parameters in detail:

    Parameter: Base DN
    Description: The DN of the node in the directory server under which role information is maintained.
    Example: ou=roles,ou=arcgis,dc=mydomain,dc=com

    Parameter: URL
    Description: The LDAP URL that will be used to connect to the server (this is generated automatically). Edit this URL if it is incorrect or requires changes.
    Example: ldaps://myservername:10636/ou=roles,ou=arcgis,dc=mydomain,dc=com

    Parameter: User Attribute in Role Entry
    Description: The name of the attribute in the role entry that contains the DN of users that are members of this role.
    Examples: In Apache Directory Server, the attribute name most commonly used is uniqueMember. In Microsoft Active Directory, the attribute name most commonly used is member.

  8. After providing the parameters, click Next.
  9. On the Authentication Tier page, choose where you want authentication to be done and click Next. For more information about this option, see Configure ArcGIS Server security.
  10. Review the summary of your selections. Click Back to make changes or Finish to apply and save the security configuration.
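The connection parameters from step 6 can be checked for consistency before you enter them in Manager. The following Python script is an added example, not Esri's code: it builds the URL the way the page describes auto-generation (always ldaps, with 389 mapped to 636 and 10389 to 10636), extracts the RDN attribute from a user DN, and reports settings that contradict each other. The UserStoreSettings class, the check_user_store function and all sample values are constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Plain-text ports that the page says ArcGIS Server upgrades to the ldaps port.
PLAIN_TO_SECURE_PORT = {389: 636, 10389: 10636}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    A backslash escapes the next character, so "cn=Smith\\, John" stays one value.
    """
    parts: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns: list[tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def rdn_attribute(user_dn: str) -> str:
    """The RDN attribute Manager asks for is the attribute of the leftmost RDN."""
    return parse_dn(user_dn)[0][0]


def ldap_url(host: str, port: int, base_dn: str) -> str:
    """Build the URL as the page describes auto-generation: ldaps, 389 -> 636,
    10389 -> 10636, any other (custom) port kept as given."""
    return f"ldaps://{host}:{PLAIN_TO_SECURE_PORT.get(port, port)}/{base_dn}"


@dataclass
class UserStoreSettings:
    """The fields of the user-store table above (hypothetical field names)."""
    host: str
    port: int
    base_dn: str
    url: str
    rdn_attribute: str
    admin_dn: str


def check_user_store(settings: UserStoreSettings, sample_user_dn: str) -> list[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: list[str] = []

    # A plain ldap:// URL would send the administrator bind password unencrypted.
    if urlsplit(settings.url).scheme != "ldaps":
        problems.append("URL is not ldaps://; the administrator bind password would cross the network in clear")

    try:
        parse_dn(settings.admin_dn)
    except ValueError as exc:
        problems.append(f"Administrator's DN is malformed: {exc}")

    user = parse_dn(sample_user_dn)
    base = parse_dn(settings.base_dn)
    if user[0][0] != settings.rdn_attribute.lower():
        problems.append(
            f"RDN attribute is {settings.rdn_attribute!r} but the sample user DN starts with {user[0][0]!r}"
        )
    # The user entry must sit under the user Base DN (directly or in a subtree).
    if len(user) <= len(base) or user[-len(base):] != base:
        problems.append("sample user DN is not under the user Base DN")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the page's examples.
    base = "ou=users,ou=arcgis,dc=mydomain,dc=com"
    settings = UserStoreSettings(
        host="myservername", port=10389, base_dn=base,
        url=ldap_url("myservername", 10389, base),
        rdn_attribute="uid",
        admin_dn="uid=admin,ou=administrators,dc=mydomain,dc=com",
    )
    print(settings.url)
    print(check_user_store(settings, f"uid=john,{base}") or "settings consistent")
```

Because the page states that ArcGIS Server treats the directory as read-only, the account named in Administrator's DN only needs read access to the user and role subtrees; a bind account with broader rights adds exposure without adding function.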

Review users and roles

After configuring security to use the store for user and role management, review the users and roles to make sure they were imported correctly. To add, edit, or delete users and roles, you need to use the user management tools provided by your LDAP provider.

  1. In Manager, click Security > Users.
  2. Verify that users have been retrieved as expected from the LDAP directory.
  3. Click Roles to review roles retrieved from the LDAP directory.
  4. Verify that roles have been retrieved as expected from the LDAP directory. Click the Edit button next to a role to check role membership. Modify the Role Type value as necessary. For information on role types, see Restrict access to ArcGIS Server.

Caching of users and roles

As of 10.5, LDAP users and roles will be cached on the server after a request for users or roles. This optimizes the performance of your secure services. By default, the users and roles will be cached for 30 minutes. You can modify this time period by setting the minutesToCacheUsersAndRoles property to another value in the ArcGIS Server Administrator Directory under system properties. You can also disable caching by setting the property to zero.

Set up web-tier authentication on your server's Web Adaptor

LDAP requires web-tier authentication, and this must be done with ArcGIS Web Adaptor (Java Platform). The web adaptor relies on the Java application server to authenticate the user and provide the web adaptor with the account name of the user. Once it has the account name, it passes that to the server.

Note:

When configuring the Web Adaptor, you must enable administration through the Web Adaptor. This allows users in your organization-specific identity store to publish services from ArcGIS Pro. When the users in these roles connect to the server in ArcGIS Pro, they must specify the Web Adaptor URL.

Once you've installed and configured ArcGIS Web Adaptor with your server, you'll need to configure an LDAP realm on your Java application server and configure the authentication method for the web adaptor. For instructions, consult the product documentation for your Java application server or your system administrator.

Control permissions for your services

Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.

ArcGIS Server controls access to services using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
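The role lookup configured in step 7, the cache described under "Caching of users and roles", and the role-based check above fit together in one small model. The following Python script is an added example, not Esri's code: constructed role entries are searched with the configured member attribute (member or uniqueMember), the results are held in a time-to-live cache that honours minutesToCacheUsersAndRoles (0 disables caching), and a secured service is granted only to a user holding one of the roles assigned to it. ROLE_ENTRIES, SERVICE_ROLES, RoleCache and can_access are constructed for this example.

```python
from __future__ import annotations

import time
from typing import Callable

# Constructed role entries under the role Base DN from the page's table. The
# membership attribute here is "member" (the name the page gives for Active
# Directory); Apache Directory Server entries would normally use uniqueMember.
ROLE_BASE_DN = "ou=roles,ou=arcgis,dc=mydomain,dc=com"
JOHN = "uid=john,ou=users,ou=arcgis,dc=mydomain,dc=com"
JANE = "uid=jane,ou=users,ou=arcgis,dc=mydomain,dc=com"
ROLE_ENTRIES: dict[str, dict[str, list[str]]] = {
    f"cn=publishers,{ROLE_BASE_DN}": {"cn": ["publishers"], "member": [JOHN]},
    # Differently cased / spaced DN on purpose: DN matching must normalise it.
    f"cn=analysts,{ROLE_BASE_DN}": {"cn": ["analysts"],
                                    "member": [JOHN, "UID=Jane, ou=users,ou=arcgis,dc=mydomain,dc=com"]},
    f"cn=hr,{ROLE_BASE_DN}": {"cn": ["hr"], "member": [JANE]},
}

# Constructed permissions: each secured service lists the roles allowed to use it.
SERVICE_ROLES: dict[str, set[str]] = {
    "Parcels.MapServer": {"publishers", "analysts"},
    "Payroll.MapServer": {"hr"},
}


def normalize_dn(dn: str) -> str:
    """DN comparison is case-insensitive and ignores spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def roles_for_user(entries: dict[str, dict[str, list[str]]], user_dn: str,
                   member_attribute: str = "member") -> frozenset[str]:
    """Return the cn of every role whose member attribute lists the user's DN.

    Choosing the wrong attribute name (uniqueMember against Active Directory
    entries, for instance) silently yields no roles for anyone.
    """
    target = normalize_dn(user_dn)
    found: set[str] = set()
    for attrs in entries.values():
        members = {normalize_dn(m) for m in attrs.get(member_attribute, [])}
        if target in members:
            found.add(attrs["cn"][0])
    return frozenset(found)


class RoleCache:
    """Holds each user's roles for minutesToCacheUsersAndRoles minutes; 0 disables caching."""

    def __init__(self, lookup: Callable[[str], frozenset[str]], minutes: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.lookup = lookup
        self.ttl_seconds = minutes * 60
        self.clock = clock
        self.directory_lookups = 0  # how often the directory was actually queried
        self._cache: dict[str, tuple[float, frozenset[str]]] = {}

    def roles(self, user_dn: str) -> frozenset[str]:
        key = normalize_dn(user_dn)
        now = self.clock()
        if self.ttl_seconds > 0:
            hit = self._cache.get(key)
            if hit is not None and now < hit[0]:
                return hit[1]
        roles = self.lookup(user_dn)
        self.directory_lookups += 1
        if self.ttl_seconds > 0:
            self._cache[key] = (now + self.ttl_seconds, roles)
        return roles


def can_access(user_roles: frozenset[str], service: str) -> bool:
    """Role-based check: the user needs at least one role assigned to the secured service."""
    return bool(user_roles & SERVICE_ROLES.get(service, set()))


if __name__ == "__main__":
    cache = RoleCache(lambda dn: roles_for_user(ROLE_ENTRIES, dn), minutes=30)
    for dn in (JOHN, JANE):
        roles = cache.roles(dn)
        print(dn, sorted(roles), {s: can_access(roles, s) for s in SERVICE_ROLES})
    print("directory lookups:", cache.directory_lookups)
```

The cache is where the security trade-off sits: a user removed from a role in the directory keeps the cached roles until the entry expires, so with the default of 30 minutes a revocation can take up to half an hour to take effect on secured services. Setting minutesToCacheUsersAndRoles to 0 makes every request hit the directory and removes that delay at the cost of the performance the page describes.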

To change the permissions for a service, see Control access to your services.