FAQ: What are important concepts for connecting the GIS Portal Toolkit (GPT) LDAP to an Active Directory?
The three concepts below provide important background information for understanding how to connect GPT LDAP to an Active Directory.
1. JXplorer
JXplorer is a widely-used open source client for browsing a directory server. It is not an ESRI product, and GPT is not dependent on JXplorer. However, because it is available for free at http://www.jxplorer.org, and a directory server client is necessary for these troubleshooting steps, the instructions within the GPT Installation documents and the article referenced below assume that JXplorer has been installed and configured. Instructions on installing and configuring JXplorer can be found on the JXplorer website, or in the JXplorer Installation guide on the GPT Installation CD (in the <GPT Distribution>\Documentation\Installation folder).
2. LDAP Directory Tree
The LDAP directory is set up in a tree structure called the Directory Information Tree (DIT). The tree can have many branches with users and groups defined as sub-branches. Below is a simple tree with users located in the 'system\users' branch, and groups located in the 'system\groups' branch.
In most organizations, the DIT is more complex. There may be groups for different regions, authority levels, project teams, etc.
ESRI strongly recommends creating a group structure that maps directly to the pre-defined GPT roles. If this is not possible, coordinate with the LDAP system administrator to decide what the best possible mapping is of the existing groups to the GPT roles.
3. Distinguished Names
Every user or group in the DIT has a unique identifier: its Distinguished Name (DN). An example of the DN for the 'gptadmin' user in the screen shot above is 'cn=gptadmin,ou=users,ou=system'. The DN is made up of a unique identifier (the 'cn' portion), and the path that allows the Portal to navigate to that user or group within the DIT structure (the branches of the DIT, which are the 'ou' portions).
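The following is an added example, not code from the ESRI article or from the GPT distribution. It shows what the DN concept above means in practice: a parser that splits a DN such as 'cn=gptadmin,ou=users,ou=system' into its 'cn' and 'ou' components (handling RFC 4514 escapes, so a value like 'Smith\, John' is not mistaken for a branch boundary), a check that a user DN actually sits under the expected users branch, and a lookup that maps the group DNs a user belongs to onto GPT roles, as the group-to-role mapping in section 2 describes. The group DNs, the role map and the role names (gptAdministrator, gptPublisher, gptRegisteredUser) are assumptions constructed for illustration; only the 'gptadmin' DN comes from the article. Attribute types are compared case-insensitively; values are also compared case-insensitively, which is an assumption that holds for 'cn' and 'ou' in Active Directory.

```python
"""Parse LDAP Distinguished Names and map group membership to GPT roles.

Added example, not part of the ESRI article or the GPT distribution.
"""
import string
from typing import Dict, List, Set, Tuple

# Characters that may appear escaped with a backslash inside an RDN value (RFC 4514).
_SPECIALS = ',+"\\<>;=# '


def _trim(chars: List[Tuple[str, bool]]) -> str:
    """Join (char, was_escaped) pairs, dropping unescaped leading/trailing spaces."""
    start, end = 0, len(chars)
    while start < end and chars[start] == (" ", False):
        start += 1
    while end > start and chars[end - 1] == (" ", False):
        end -= 1
    return "".join(c for c, _ in chars[start:end])


def _split_rdn(chars: List[Tuple[str, bool]]) -> Tuple[str, str]:
    """Split one RDN at its first unescaped '=' into (attribute, value)."""
    for idx, (c, escaped) in enumerate(chars):
        if c == "=" and not escaped:
            attr = _trim(chars[:idx]).lower()
            value = _trim(chars[idx + 1:])
            if attr and value:
                return attr, value
            break
    raise ValueError("malformed RDN: " + "".join(c for c, _ in chars))


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the RDNs of a DN, most specific first, e.g.
    'cn=gptadmin,ou=users,ou=system' -> [('cn','gptadmin'),('ou','users'),('ou','system')].
    Backslash escapes ('\\,' or hex '\\2c') are decoded; multi-valued RDNs ('+') are not handled.
    """
    rdns: List[Tuple[str, str]] = []
    chars: List[Tuple[str, bool]] = []  # (character, was_escaped)
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            nxt = dn[i + 1]
            if nxt in _SPECIALS:
                chars.append((nxt, True))
                i += 2
                continue
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                chars.append((chr(int(hexpair, 16)), True))  # single-byte hex escape
                i += 3
                continue
            raise ValueError(f"bad escape at offset {i} in {dn!r}")
        if ch == ",":  # unescaped comma ends the current RDN
            rdns.append(_split_rdn(chars))
            chars = []
        else:
            chars.append((ch, False))
        i += 1
    rdns.append(_split_rdn(chars))
    return rdns


def _normalize(dn: str) -> List[Tuple[str, str]]:
    # Assumption: values are case-insensitive, as 'cn' and 'ou' are in Active Directory.
    return [(attr, value.lower()) for attr, value in parse_dn(dn)]


def dn_equals(a: str, b: str) -> bool:
    return _normalize(a) == _normalize(b)


def dn_is_under(dn: str, base: str) -> bool:
    """True if dn lies strictly below base in the DIT (the base's RDNs form its tail)."""
    d, b = _normalize(dn), _normalize(base)
    return len(d) > len(b) and d[-len(b):] == b


# Constructed group-to-role map; role names are assumed, not taken from the article.
ROLE_MAP: Dict[str, str] = {
    "cn=gpt_administrators,ou=groups,ou=system": "gptAdministrator",
    "cn=gpt_publishers,ou=groups,ou=system": "gptPublisher",
    "cn=gpt_users,ou=groups,ou=system": "gptRegisteredUser",
}


def roles_for_user(user_dn: str, member_of: List[str], users_base: str,
                   role_map: Dict[str, str]) -> Set[str]:
    """Map the groups a user belongs to onto GPT roles.

    A user whose DN is outside the configured users branch is rejected rather than
    silently given no roles, so a mis-set base in gpt.xml is noticed.
    """
    if not dn_is_under(user_dn, users_base):
        raise PermissionError(f"{user_dn} is not under {users_base}")
    roles: Set[str] = set()
    for group_dn in member_of:
        for mapped_group, role in role_map.items():
            if dn_equals(group_dn, mapped_group):
                roles.add(role)
    return roles


if __name__ == "__main__":
    user = "cn=gptadmin,ou=users,ou=system"               # DN from the article
    groups = ["CN=gpt_administrators,OU=groups,OU=system"]  # constructed membership
    print(parse_dn(user))
    print(sorted(roles_for_user(user, groups, "ou=users,ou=system", ROLE_MAP)))
```

Run it as-is to see the 'gptadmin' DN broken into its components and resolved to the assumed administrator role; the escape handling matters because a 'cn' containing a comma (common for "Surname, Given" display names in Active Directory) would otherwise be split into a bogus extra branch.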
JXplorer can be used to copy the DN of a user or group in the DIT so that the gpt.xml file is populated with correct values. Connect to the LDAP server with JXplorer, highlight the user or group whose DN is needed, right-click it, and select the 'Copy DN' option. The copied value can then be pasted into the gpt.xml file. 'Copy DN' can also be used when assigning users to groups within JXplorer itself.