Problems Connecting the Geoportal to a user directory LDAP

Release 9.3.1


This section has two subtopics:

Important LDAP Concepts

Listed below are important concepts to understand to configure your Geoportal with a user directory.

  1. JXplorer

    JXplorer is a widely used open source client for browsing a directory server. It is not an ESRI product, and Geoportal is not dependent on JXplorer. However, because it is freely available, and a directory server client is necessary for these troubleshooting steps, the instructions below assume you have installed and configured JXplorer.

  2. LDAP Directory Tree

    The LDAP directory is set up in a tree structure called the Directory Information Tree (DIT). The tree can have many branches, with users and groups defined as sub-branches. Below is a simple tree, with users located in the "system\users" branch, and groups located in the "system\groups" branch.

    In most organizations, the DIT is more complex. There may be groups for different regions, authority levels, project teams, etc.

    It is strongly recommended that the group structure created maps directly to the pre-defined Geoportal roles. If this is not possible, you will need to coordinate with your LDAP system administrator to decide what the best possible mapping is of your existing groups to the Geoportal roles.

  3. Distinguished Names

    Every user or group in the DIT has a unique identifier: its Distinguished Name (DN). An example of the DN for the 'gptadmin' user in the screenshot above is "cn=gptadmin,ou=users,ou=system". The DN is made up of a unique identifier (the "cn" part), and then the path that allows the Geoportal to navigate to that user or group within the DIT structure (the branches of the DIT, which are the "ou" parts). You can use JXplorer to copy the DN for a user or group in the DIT and populate the gpt.xml file with correct values. Connect to your LDAP with JXplorer, and then highlight the user or group whose DN you need with your mouse. Right click, and select the "Copy DN" option. You can now paste this value into your gpt.xml file. "Copy DN" can also be used when assigning users to groups within JXplorer itself.

Troubleshooting for Connecting Geoportal to a user directory LDAP

This section assumes an understanding of the LDAP concepts outlined in the article Important LDAP Concepts. For specific information on connecting the Geoportal to Microsoft Windows Active Directory, see the knowledge base article Configure the Geoportal extension 9.3.1 to reference Windows Active Directory.

When problems exist with LDAP information being passed into the Geoportal, in most cases one of the following is the cause:

  1. The Distinguished Name (DN) for one or more of the parameters in the <roles>, <users>, or <groups> section of the gpt.xml file is incorrect
  2. The "users" branch of the LDAP Directory Information Tree (DIT) is not accessible to the Geoportal
  3. There is an issue with the <ldapServiceAccount> parameter in gpt.xml

---------------------------------------------

  1. Troubleshooting Issue #1: Incorrect DNs

    What to Do:

    • Open your gpt.xml file
    • Scroll to the <ldapAdapter> section
    • Check the following values, and verify that the correct DN is associated with each parameter. Remember that you can get the exact DN of a user or group by right-clicking it in JXplorer and copying the DN. The examples below map to the previous screenshot. If you change any of these values in your gpt.xml file, you will have to save the file and restart Tomcat for the changes to take effect:
      • ldapConnectionProperties\ldapServiceAccount\catalogAdminDN
        1. This will be the DN of a member of the gptAdministrators group
        2. Example: cn=gptadmin,ou=users,ou=system
      • roles\role\groupDN
        1. Three such settings exist and point to the DNs of the three Geoportal role groups: Geoportal Registered Users, Publishers, and Administrators.
        2. Example: cn=gpt_registeredUsers,ou=groups,ou=system
      • users\newUserDNPattern
        1. This will be the DN pattern indicating where to insert a user entry when a new user is created on the Portal registration page; {0} is replaced by the new user's name.
        2. Example: cn={0},ou=users,ou=system
      • users\searchDIT
        1. This will be the DN path indicating how to navigate through the DIT to find users.
        2. Example: ou=users,ou=system
      • groups\searchDIT
        1. This will be the DN path indicating how to navigate through the DIT to find the Portal role groups.
        2. Example: ou=groups,ou=system

  2. Troubleshooting Issue #2: Problems with the searchDIT

    If the "users" branch of the LDAP Directory Information Tree (DIT) is not accessible to the Geoportal, then the users mapped to the groups cannot be located. This is a matter of having the correct values in the searchDIT parameters. The Geoportal may be able to find your groups, but it also needs to be able to find the users assigned to those groups.

    What to Do:

    • Open JXplorer, connect to your LDAP configuration, and note the location of your users in the DIT
    • Now note the location of the Geoportal groups
    • Double-check the searchDIT parameters for the <users> and <groups> sections in the gpt.xml file. Make sure you have indicated correctly how to navigate the DIT to get to both the users and groups branches.
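As an added consistency check for Issues #1 and #2 (this script is not part of the Geoportal documentation or product), the following Python code parses a constructed <ldapAdapter> fragment built from this page's example DNs and verifies the relationships the steps above describe: catalogAdminDN and newUserDNPattern must lie under the users searchDIT, and every role groupDN must lie under the groups searchDIT. The attribute layout of the users, groups and roles elements, the role key names, and the group names other than gpt_registeredUsers are assumptions; one groupDN is deliberately misplaced so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed gpt.xml <ldapAdapter> fragment using this page's example DNs; the
# attribute layout of <users>, <groups> and <roles> is assumed, not copied from
# a real gpt.xml. The gptAdministrator groupDN is deliberately misplaced.
GPT_XML = """<ldapAdapter>
  <ldapConnectionProperties providerURL="ldap://serverName:10389">
    <ldapServiceAccount securityPrincipal="uid=admin,ou=system"
        catalogAdminDN="cn=gptadmin,ou=users,ou=system"/>
  </ldapConnectionProperties>
  <users searchDIT="ou=users,ou=system" newUserDNPattern="cn={0},ou=users,ou=system"/>
  <groups searchDIT="ou=groups,ou=system"/>
  <roles>
    <role key="gptRegisteredUser" groupDN="cn=gpt_registeredUsers,ou=groups,ou=system"/>
    <role key="gptPublisher" groupDN="cn=gpt_publishers,ou=groups,ou=system"/>
    <role key="gptAdministrator" groupDN="cn=gptAdministrators,ou=users,ou=system"/>
  </roles>
</ldapAdapter>"""

def dn_rdns(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas; lower-cased for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def is_under(dn, base):
    """True when dn lies (directly or deeper) below base in the DIT."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) > len(b) and d[-len(b):] == b

def check_ldap_dns(xml_text):
    """Return a list of problems found in the <ldapAdapter> DNs (empty list = consistent)."""
    a = ET.fromstring(xml_text)
    users_base = a.find("users").get("searchDIT")
    groups_base = a.find("groups").get("searchDIT")
    pattern = a.find("users").get("newUserDNPattern")
    admin = a.find(".//ldapServiceAccount").get("catalogAdminDN")
    problems = []
    if not is_under(admin, users_base):
        problems.append(f"catalogAdminDN {admin} is not under users searchDIT {users_base}")
    if "{0}" not in pattern or not is_under(pattern, users_base):
        problems.append(f"newUserDNPattern {pattern} must contain {{0}} and sit under {users_base}")
    roles = a.findall("roles/role")
    if len(roles) != 3:
        problems.append(f"expected 3 <role> entries, found {len(roles)}")
    for role in roles:
        gdn = role.get("groupDN")
        if not is_under(gdn, groups_base):
            problems.append(f"role {role.get('key')}: groupDN {gdn} is not under groups searchDIT {groups_base}")
    return problems
```

Run check_ldap_dns on the <ldapAdapter> section of your own gpt.xml; an empty list means the DNs agree with each other, though it does not prove they exist in the DIT, which is what JXplorer is for.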

  3. Troubleshooting Issue #3: <ldapServiceAccount> parameter

    The gpt.xml file has a section called <ldapConnectionProperties>. Within that section, there is an <ldapServiceAccount> parameter where two users are defined: the securityPrincipal user and the catalogAdminDN user.

    <ldapConnectionProperties
        providerURL="ldap://serverName:10389"
        initialContextFactoryName="com.sun.jndi.ldap.LdapCtxFactory"
        securityAuthentication="simple"
        securityProtocol="">
      <ldapServiceAccount
          securityPrincipal="uid=admin,ou=system"
          securityCredentials="secret"
          encrypted="false"
          catalogAdminDN="cn=gptadmin,ou=users,ou=system"/>
    </ldapConnectionProperties>


    These two users have different functions, and do not have to be the same user.

    • The securityPrincipal user is for connecting to the LDAP system, and need not be, and usually is not, a user from the gptAdministrators group.
    • The catalogAdminDN is for the Geoportal catalog admin user, and must be a user from the gptAdministrators group.

    Verify that your securityPrincipal is set to point to the DN of the user who has privileges to connect to the LDAP, and that your catalogAdminDN is configured to the DN of a Geoportal Administrator user. The graphic below shows that these are two different users, and where they would be in our example DIT.