How To: Configure the Version 9.3.1 Geoportal Extension to Reference Windows Active Direct

Summary

The version 9.3.1 ArcGIS Server Geoportal extension supports user management through integration with various LDAP providers. Instructions provided in this article describe considerations for configuring an LDAP integration using Windows Active Directory, Oracle Internet Directory, and IBM Tivoli Directory Server. Use these steps and examples as a starting point; it's likely that your organization's configuration may vary from the examples provided.

By default, the Geoportal extension configuration file is configured for Apache Directory Server.

Procedure

For organizations that use Microsoft Windows Active Directory, Oracle Internet Directory, or IBM Tivoli Directory Server instead of Apache Directory Server, the entries in the gpt.xml file’s <ldapadapter> users and groups elements should be adjusted.

Examples of configured gpt.xml files for each directory server software are provided below. In the following examples, Distinguished Names (DN) are placeholders representing a sample organization's LDAP structure. Elements that may need to be changed to support the specific directory server software are shown in yellow. To configure the gpt.xml file according to the directory server software, follow the steps below.

Microsoft Active Directroy
[O-Image]

Oracle Internet Directory
[O-Image]

IBM Tivoli
[O-Image]

Navigate to the \\geoportal\WEB-INF\classes\gpt\config folder and open the gpt.xml file in a text editor, such as Notepad.
In the gpt.xml file, scroll down to the section where the LDAP connection information is defined, beginning with the <ldapAdapter> tag.
Configure the LDAP definition section as instructed in the Geoportal extension installation guide, adding the relevant entries for the LDAP connection, roles, users, and groups. Save the file.
If the directory server software is Windows Active Directory, do the following. If not, proceed to Step 5 or 6:

In displayNameAttribute in the <users> tag, replace "cn" with "sAMAccountName".

In the usernameSearchPattern attribute, change "(&(objectclass=person)(cn={0}))" to read "(&(objectclass=person)(sAMAccountName={0}))".

In the <userAttributeMap> <attribute> element, find the key for username. Change the ldapName for this from "uid" to "sAMAccountName".

In the <groups> element memberAttribute, change "uniquemember" to "member".

In memberSearchPattern change "(&(objectclass=groupOfUniqueNames)(uniquemember={0}))" to "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))".

Proceed to Step 7.
If the directory server software is Oracle Internet Directory, do the following. If not, proceed to Step 6:

In displayNameAttribute in the <users> tag, replace "cn" with "uid".

In the usernameSearchPattern attribute, change "(&(objectclass=person)(cn={0}))" to read "(&(objectclass=person)(uid={0}))".

In the <userAttributeMap> <attribute> element, find the key for username. Verify that the ldapName for this is "uid".

In the <groups> element, find the DynamicMemberOfGroupsAttribute attribute, and enter "controlid=2.16.840.1.113894.1.8.3".

Proceed to Step 7.
If the directory server software is IBM Trivoli, do the following:

In the dynamicMemberOfGroupsAttribute in the <groups> tag, enter "ibm-allgroups".

In the dynamicMembersAttribute, enter "ibm-allmembers".

In the memberAttribute, change "uniquemember" to "member".

In the memberSearchPattern, change "&(objectclass=groupOfNames)(uniquemember={0}))" to "(&(objectclass=groupOfNames)(member={0}))".

Proceed to Step 7.
Save the gpt.xml file, and restart the Geoportal Web application for the changes to take effect.

Article ID:000010746

Software:

Legacy Products

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Configure the version 9.3.1 Geoportal extension to reference Windows Active Directory, Oracle Internet Directory, or IBM Tivoli Directory Server

Summary

Procedure

Discover more on this topic