ArcGIS for server security and LDAP Configuration

Source: Internet
Author: User
Tags: http digest authentication, ldap, openldap, microsoft iis

1. Security Overview

ArcGIS Server uses role-based access control to manage access to protected resources. Permissions on GIS resources can be assigned only to roles; an individual user obtains permissions solely by inheriting them from the roles the user belongs to. Identity for GIS resource access is established by one of two authentication methods: ArcGIS token-based authentication and web server authentication.

(1) ArcGIS Server account

The operating system account specified when installing ArcGIS for Server is the ArcGIS Server account. It is used to:

  • Start and stop the processes that back the GIS server and its services.
  • Read the GIS data referenced by published services.
  • Read and write files in the ArcGIS Server directories. For example, when a map cache is created, the ArcGIS Server account writes the cache tiles to the server's cache directory.
  • Read and write files in the configuration store. For example, when a new cluster is created in Manager, the ArcGIS Server account writes the cluster configuration to a file in the configuration store.
  • Read and write files in the ArcGIS Server installation location and temporary directory. For example, the account writes the log files used to troubleshoot server faults.
  • Read and write log messages in the log directory.

(2) Precautions for the ArcGIS Server account in a cluster (multi-machine) deployment

  • Every GIS server must have a local account with the same name and password.
  • Grant read permission on all folders of the ArcGIS for Server installation directory, and full control on the following folders:

<ArcGIS for Server installation directory>\framework

<ArcGIS for Server installation directory>\Geronimo

<ArcGIS for Server installation directory>\USR

<ArcGIS for Server installation directory>\bin

<ArcGIS for Server installation directory>\XMLSCHEMA

  • Grant read and write permissions on the server directories (arcgisserver\directories).
  • Grant read and write permissions on the configuration store (arcgisserver\config-store).
  • Grant read and write permissions on the log directory (logs).
  • Grant read and write permissions on the directory holding the database connection files registered with ArcGIS Server.
  • Grant read and write permissions on the GIS data directories registered with ArcGIS Server.

2. Storage of users and roles

ArcGIS Server supports three ways of storing users and roles:

(1) Users and roles in the internal store

By default, ArcGIS Server uses its internal store, which keeps users and roles in files.

(2) Users and roles from an enterprise system

ArcGIS Server can secure resources using users and roles managed in an external Microsoft Active Directory or LDAP server. ArcGIS Server treats the Active Directory or LDAP server as a read-only store.

(3) Users from an enterprise system, roles in the internal store

ArcGIS Server can secure resources using users managed in an external Microsoft Active Directory or LDAP server together with roles managed in its own internal store. Again, ArcGIS Server treats the Active Directory or LDAP server as a read-only store.

In addition, a custom user and role store can be implemented through an extension.

3. Authentication

As mentioned above, ArcGIS Server offers two authentication methods: ArcGIS token-based authentication and web server authentication.

Token-based authentication is mainly used by applications built with the Web APIs. Alternatively, ArcGIS Server can be configured to delegate user authentication to a third-party web server (such as Microsoft IIS or IBM WebSphere). This makes the standard authentication mechanisms of the web server available, such as HTTP digest authentication and PKI client certificate authentication.

To use web server authentication, you must install the Web Adaptor on the web server and enable its administrative access option. Once web server authentication is configured, ArcGIS Server delegates authentication to the Web Adaptor. After a user authenticates, the Web Adaptor encrypts the user information, appends it to the request and forwards the request to ArcGIS Server. ArcGIS Server decrypts the user information and checks whether that user is permitted to access the requested GIS service.

4. Use users in OpenLDAP

For deployment and configuration of OpenLDAP, refer to the relevant technical documents. The user information used in this document is the following directory, shown in LDIF form:

dn: dc=esrigz,dc=com
objectClass: domain
objectClass: top
o: ESRI Guangzhou
dc: esrigz

dn: ou=manager,dc=esrigz,dc=com
objectClass: organizationalUnit
ou: manager
description: container for manager entries

dn: ou=user,dc=esrigz,dc=com
objectClass: top
objectClass: organizationalUnit
ou: user
description: User container

dn: uid=Xinli,ou=manager,dc=esrigz,dc=com
uid: Xinli
objectClass: inetOrgPerson
labeledURI: http://www.esri.com
userPassword: ESRI
sn: Li
cn: Xinli Li

dn: uid=Yun,ou=manager,dc=esrigz,dc=com
uid: Yun
objectClass: inetOrgPerson
mail: [email protected]
labeledURI: http://www.esri.com
sn: Xin
cn: Yun Xin
userPassword: ESRI

dn: uid=ArcGIS,ou=user,dc=esrigz,dc=com
objectClass: inetOrgPerson
uid: ArcGIS
userPassword: ESRI
labeledURI: http://www.esri.com
sn: ESRI
cn: ArcGIS ESRI
mail: [email protected]

(1) Configure the LDAP user store in ArcGIS Server Manager

Port: the port chosen when OpenLDAP was installed. The default is 389.

Base DN: the distinguished name of the directory node under which user entries are stored. In the directory above, users live under both the manager and the user organizational units; only one of them can be entered here.

URL: filled in automatically by the system.

RDN attribute: the relative distinguished name attribute that identifies the user name.

Administrator's DN: the DN of the LDAP server administrator account.

(2) Test reading LDAP user information

Click a user in Manager to view that user's information from LDAP.
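The following is an added example, not code from the original page or from Esri's ArcGIS Server. It models what the Manager configuration above amounts to: take the Base DN and RDN attribute, resolve a login name to a directory entry, and then authorise a request through roles only, as section 1 requires (storage type 3 from section 2: users from LDAP, roles in the internal store). The LDIF is the page's sample directory retyped as constructed test data (passwords omitted, since the bind itself is not modelled); the subtree search scope, the `uid` RDN attribute, and the role and service names are assumptions for illustration.

```python
"""Model of an LDAP-backed ArcGIS Server user lookup plus role-based authorisation.

Added example; not Esri code. Directory data below is constructed from the
page's sample entries. Role membership and service permissions are invented.
"""
from __future__ import annotations

# Constructed sample directory (the page's entries, passwords left out).
SAMPLE_LDIF = """\
dn: dc=esrigz,dc=com
objectClass: domain
objectClass: top
o: ESRI Guangzhou
dc: esrigz

dn: ou=manager,dc=esrigz,dc=com
objectClass: organizationalUnit
ou: manager

dn: ou=user,dc=esrigz,dc=com
objectClass: top
objectClass: organizationalUnit
ou: user

dn: uid=Xinli,ou=manager,dc=esrigz,dc=com
uid: Xinli
objectClass: inetOrgPerson
sn: Li
cn: Xinli Li

dn: uid=Yun,ou=manager,dc=esrigz,dc=com
uid: Yun
objectClass: inetOrgPerson
sn: Xin
cn: Yun Xin

dn: uid=ArcGIS,ou=user,dc=esrigz,dc=com
objectClass: inetOrgPerson
uid: ArcGIS
sn: ESRI
cn: ArcGIS ESRI
"""

# Hypothetical internal role store: roles hold LDAP user DNs, services grant roles.
ROLE_MEMBERS = {
    "publishers": {"uid=Xinli,ou=manager,dc=esrigz,dc=com"},
    "viewers": {"uid=Yun,ou=manager,dc=esrigz,dc=com",
                "uid=ArcGIS,ou=user,dc=esrigz,dc=com"},
}
SERVICE_PERMISSIONS = {
    "Roads/MapServer": {"publishers", "viewers"},
    "Admin/ConfigStore": {"publishers"},
}


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse minimal LDIF (no folding, no base64) into {dn: {attr: [values]}}."""
    entries: dict[str, dict[str, list[str]]] = {}
    dn: str | None = None
    attrs: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")   # split at the first colon only
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around ',' and '=' so DNs compare reliably."""
    return ",".join("=".join(p.strip() for p in part.split("=", 1)).lower()
                    for part in dn.split(","))


def find_user(entries, base_dn: str, rdn_attr: str, username: str) -> str | None:
    """Resolve username to a DN below base_dn, matching on rdn_attr (subtree scope)."""
    base = normalize_dn(base_dn)
    if base not in {normalize_dn(d) for d in entries}:
        raise ValueError(f"Base DN does not exist in the directory: {base_dn}")
    for dn, attrs in entries.items():
        ndn = normalize_dn(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue                    # outside the configured Base DN
        values = (v.lower() for v in attrs.get(rdn_attr.lower(), []))
        if username.lower() in values:
            return dn
    return None


def roles_of(dn: str) -> set[str]:
    """Roles from the internal store that list this LDAP DN as a member."""
    ndn = normalize_dn(dn)
    return {role for role, members in ROLE_MEMBERS.items()
            if ndn in {normalize_dn(m) for m in members}}


def authorize(entries, base_dn: str, rdn_attr: str, username: str, service: str) -> bool:
    """Allow only if the user resolves under the Base DN and one of its roles is granted."""
    dn = find_user(entries, base_dn, rdn_attr, username)
    if dn is None:
        return False
    return bool(roles_of(dn) & SERVICE_PERMISSIONS.get(service, set()))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    base = "ou=manager,dc=esrigz,dc=com"
    print(find_user(directory, base, "uid", "Xinli"))       # found under manager
    print(find_user(directory, base, "uid", "ArcGIS"))      # None: lives under ou=user
    print(authorize(directory, base, "uid", "Yun", "Admin/ConfigStore"))  # False
```

With the Base DN set to `ou=manager,dc=esrigz,dc=com`, the `ArcGIS` account under `ou=user` is simply not resolvable, which is the practical consequence of the "only one of them can be entered" rule above; a user that cannot be resolved is denied before any role check runs.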
