English

FAQ: What are some ways to diagnose and fix connection problems between the GIS Portal Toolkit and LDAP?

Question

What are some ways to diagnose and fix connection problems between the GIS Portal Toolkit and LDAP?

Answer

When problems exist with LDAP information being passed into the GIS Portal Toolkit (GPT), in most cases there is a problem with one of the following:

1. The Distinguished Name (DN) for one or more of the parameters in the <roles>, <users>, or <groups> section of the gpt.xml file is incorrect.

2. The 'users' branch of the LDAP Directory Information Tree (DIT) is not accessible to the GPT.

3. There is an issue with the <ldapServiceAccount> parameter in gpt.xml.

Note:
This article assumes an understanding of LDAP concepts outlined in the knowledge base article titled, "What are Important Concepts for Connecting GPT LDAP to an Active Directory?".
<a href='http://support.esri.com/en/knowledgebase/techarticles/detail/36411' target='_blank'>FAQ: What are important concepts for connecting the GIS Portal Toolkit (GPT) LDAP to an Active Directory?</a>


ISSUE #1: Incorrect DNs

Follow the steps below:
1. Open the gpt.xml file, located at <Tomcat Installation Directory>\webapps\GPT9\WEB-INF\classes\gpt\config.

2. Scroll to the <ldapAdapter> section.

3. Check the following values, and verify that the correct DN is associated with each parameter. Remember that the exact DN of a user or group can be found by right-clicking the appropriate node and selecting 'Copy DN' from inside JXplorer. The examples below map to the screen shot below. If any of these values are changed in the gpt.xml file, the file has to be saved and Tomcat needs to be restarted for the changes to take place:

[O-Image]

o ldapConnectionProperties\ldapServiceAccount\catalogAdminDN
This will be the DN of a member in the gpt_administrators group.
Example: cn=gptadmin,ou=users,ou=system

o roles\role\ groupDN
Three such settings exist and will point to the DN’s of the three GPT role groups: gpt_registeredUsers, gpt_publishers, and gpt_administrators.
Example: cn=gpt_registeredUsers,ou=groups,ou=system

o users\newUserDNPattern
This will be the DN path indicating where to insert a user entry when a new user is created in the Portal registration page.
Example: cn={0},ou=users,ou=system

o users\searchDIT
This will be the DN path indicating how to navigate through the DIT to find users.
Example: ou=users,ou=system

o groups\searchDIT
This will be the DN path indicating how to navigate through the DIT to find the Portal role groups
Example: ou=groups,ou=system

-------------------------------------
ISSUE #2: Problems with the searchDIT

If the 'users' branch of the LDAP Directory Information Tree (DIT) is not accessible to the GPT, then the users mapped to the groups cannot be located. This is a matter of having the correct values in the searchDIT parameters. The GPT may be able to find the groups, but it also needs to be able to find the users assigned to those groups.

Follow the bulleted points below:

· Open JXplorer, connect to the LDAP configuration, and note the location of the users branch in the Directory Information Tree.

· Now note the location of the GPT groups branch.

· Double-check the parameters for the searchDIT for the <users> and <groups> sections in the gpt.xml file. Make sure to indicate correctly how to navigate the Directory Information Tree to get to both the users and groups branches.

-------------------------------------
ISSUE #3: <ldapServiceAccount> parameter

The gpt.xml file has a section called '<ldapConnectionProperties>'. Within that section, there is a <ldapServiceAccount> parameter where two users are defined. The two users are the securityPrincipal user and the catalogAdminDN user.
Code:
<ldapConnectionProperties
providerURL="ldap://serverName:10389"
initialContextFactoryName="com.sun.jndi.ldap.LdapCtxFactory"
securityAuthentication="simple"
securityProtocol="">
<ldapServiceAccount
securityPrincipal="uid=admin,ou=system"
securityCredentials="secret"
encrypted="false"
catalogAdminDN="cn=gptadmin,ou=users,ou=system"/>
</ldapConnectionProperties>



These two users have different functions, and do not have to be the same user.

· The securityPrincipal user is for connecting to the LDAP system, and need not be, and usually is not, a user from the gpt_administrators group.

· The catalogAdminDN is for the GPT catalog admin user, and must be a user from the gpt_administrators group.

Verify that the securityPrincipal is set to point to the DN of the user who has privileges to connect to the LDAP, and that the catalogAdminDN is configured to the DN of a GPT Administrator user. The graphic below shows that these are two different users, and where they would be in the example Directory Information Tree.
[O-Image]

Related Information