LDAP integration with MapStore
The purpose of this guide is to explain how to configure MapStore to use an LDAP repository for authentication and accounting (users, roles and user-groups) instead of the standard database.
Overview
By default the MapStore backend user service (also known as GeoStore) uses a relational database to store and fetch user details, implement authentication, and assign resource access rights to users and groups (for maps, dashboards, etc.).
If you already keep your users in an LDAP repository, you can instead configure MapStore to connect to that service and use it to authenticate users and to associate user groups and roles, instead of the default database. In this case the relational database stores only resources and accessory data (permissions, attributes, ...) referring to the users of your service.
Notice that the LDAP storage is read-only. This means that the MapStore User/Groups management UI cannot be used to manage users and groups. This makes sense because an LDAP repository is considered an external source and should be managed externally.
If this could create confusion, you can fully disable the UI when using LDAP by removing the corresponding plugin from the MapStore configuration.
The LDAP storage can be configured in two different ways:
- synchronized mode
- direct connection mode (experimental)
Synchronized mode
In synchronized mode, user data (users, groups, roles) is read from LDAP on every login and copied to the internal database.
Any other operation, for example getting user permissions on maps, always uses the internal database.
Synchronized mode is faster for normal use, but data may become misaligned when users are removed from (or changed in) the LDAP repository, because the copy in the internal database is only refreshed at the user's next login.
In general we suggest using synchronized mode, since it is the most stable and tested one.
Direct connection mode (experimental)
In direct connection mode, user data is always read from LDAP, for any operation, so there is no risk of misaligned data.
Direct connection is still experimental and not tested in all possible scenarios, but it will hopefully become the standard mode in the near future, because the approach is simpler and avoids most of the synchronized mode's defects (e.g. misalignments).
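The difference between the two modes matters for authorization: in synchronized mode a group membership revoked in LDAP keeps granting permissions until the affected user logs in again, while direct connection mode sees the change immediately. The following model of both modes is an added illustration, not MapStore or GeoStore code; the in-memory LdapDirectory, InternalDb and UserService classes and the "alice"/"editors" sample data are constructed for the example and do not correspond to any real GeoStore class or configuration key.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    SYNCHRONIZED = "synchronized"  # LDAP data copied to the DB at every login
    DIRECT = "direct"              # LDAP read on every operation (experimental)


@dataclass
class LdapEntry:
    password: str
    groups: set[str]


class LdapDirectory:
    """Stand-in for the external, read-only LDAP repository (constructed)."""

    def __init__(self, entries: dict[str, LdapEntry]):
        self.entries = entries

    def bind(self, username: str, password: str) -> bool:
        # Simple bind: the credentials are checked against the directory only.
        entry = self.entries.get(username)
        return entry is not None and entry.password == password

    def groups(self, username: str) -> set[str]:
        entry = self.entries.get(username)
        return set(entry.groups) if entry else set()


@dataclass
class InternalDb:
    """Stand-in for the GeoStore relational database holding the user copy."""
    users: dict[str, set[str]] = field(default_factory=dict)


class UserService:
    """Hypothetical user service that behaves like the two MapStore LDAP modes."""

    def __init__(self, ldap: LdapDirectory, db: InternalDb, mode: Mode):
        self.ldap, self.db, self.mode = ldap, db, mode

    def login(self, username: str, password: str) -> bool:
        if not self.ldap.bind(username, password):
            return False
        if self.mode is Mode.SYNCHRONIZED:
            # Synchronized mode: refresh the DB copy of the user at login time.
            self.db.users[username] = self.ldap.groups(username)
        return True

    def groups_of(self, username: str) -> set[str]:
        """Used by every non-login operation, e.g. a permission check on a map."""
        if self.mode is Mode.DIRECT:
            return self.ldap.groups(username)
        return set(self.db.users.get(username, set()))


def stale_membership_scenario(mode: Mode) -> list[set[str]]:
    """Constructed scenario: alice is an editor and logs in; an LDAP admin then
    removes her from the editors group. Returns the groups the service reports
    [right after login, after the LDAP change, after her next login]."""
    ldap = LdapDirectory({"alice": LdapEntry("s3cret", {"editors"})})
    svc = UserService(ldap, InternalDb(), mode)
    assert svc.login("alice", "s3cret")
    at_login = svc.groups_of("alice")
    ldap.entries["alice"].groups.discard("editors")  # change made in LDAP only
    after_change = svc.groups_of("alice")
    svc.login("alice", "s3cret")                      # next login re-synchronizes
    after_relogin = svc.groups_of("alice")
    return [at_login, after_change, after_relogin]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, stale_membership_scenario(mode))
```

Running the script shows the window of stale authorization: synchronized mode still reports alice in "editors" after the LDAP change and only drops it at her next login, whereas direct connection mode reports the empty group set as soon as the directory changes. Until direct mode is stable, the practical mitigation is to keep this window in mind when removing users or revoking group membership in LDAP (for example by also invalidating the user's session).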
Configuration
Configuring MapStore to use the LDAP storage requires:
- filling out the LDAP configuration properties in the java/web/src/main/resources/ldap.properties file to match your LDAP repository structure
- invoking the build with the ldap profile
Configuration properties
Configurable properties in the ldap.properties file include the following:
Enabling direct connection mode
The default configuration enables the synchronized mode. To switch to direct connection mode you have to manually edit the final geostore-spring-security.xml and uncomment the related section at the end of the file:
Testing LDAP support
If you don't have an LDAP repository at hand, a very lightweight solution for testing is the acme-ldap Java server included in the GeoServer LDAP documentation here.
You can easily customize the sample data tree by editing the Java code.
The sample MapStore LDAP configuration in the default ldap.properties file works seamlessly with acme-ldap.
Advanced Configuration
More information about the MapStore backend storage and security service, GeoStore, is available here.
In particular, more information about LDAP usage with GeoStore is in the following Wiki page.