Google Earth Enterprise Documentation Home | GEE Server configuration and security

Configure a GEE virtual host for LDAP authentication

You can use LDAP authentication, which is based on Microsoft Active Directory, to authenticate users to access your GEE virtual hosts. GEE server software is based on Apache httpd.

It's easy to administer and manage user accounts. You can use a simple .htpasswd to secure a GEE virtual host, then you can assign the permissions levels via groups or user level. If you have an existing Active Directory user catalog, you can use that instead of implementing a redundant authentication system. For information about enabling your Active Directory for LDAP, see the OpenLDAP documentation.

This article explains how to configure a virtual host for LDAP authentication using GEE Server 5.x.

To configure a GEE virtual host for LDAP authentication:

Make sure that the LDAP modules are loaded on your Apache server. For most GEE installations, these are loaded automatically.
Create a geserver Active Directory account that can access the user directory, and make sure to document the attributes.
Load the modules in your /opt/google/gehttpd/conf.d/virtual_servers/private_host.location file or your custom virtual host file.
After the modules are loaded, you can control access by querying the directory for particular attributes.
Point Apache to the LDAP server AuthLDAPUrl key directive.
An example of an AuthLDAPUrl directive is:

AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
The key directive format declares the LDAP server, the distinguished name (DN), and the attribute to use in the search (typically the Uid attribute in the People organizational unit). You can also customize these filters for additional security constraints.
Restart the GEE server to load the modules into the system:
# /etc/init.d/geserver restart
Create a user account in Active Directory geserver.
This can be any user account that has limited access. The user account only needs access to the global catalog. Make sure that your user has the full organizational unit name.

To bind to Active Directory GUI:

If you don't know your LDAP domain name, ask your system administrator. You can also find your domain name by searching for it in the format Dn: CN=geserver,CN=Users,DC=location,DC=company,DC=com. In this example, the domain name is location.company.com.
Use your domain name to configure the Apache module. Alternatively, you can use the command prompt:
dsadd user UserDN [-samid SAMName] -pwd {Password|*}
Add the directives to your virtual server file at /opt/google/gehttp/conf.d/virtual_servers.
For testing purposes, add the lines below to the private_host.location file:
<Location /private/*> AuthType Basic AuthName "LDAP LOGIN" AuthBasicProvider ldap AuthLDAPURL "ldap://server.name.local:389/cn=Users,dc=domain,dc=google,dc=com?uid"\ AuthLDAPBindDN CN=geserver,OU=Users,OU=Yourorg,DC=DcNAME,DC=local AuthLDAPBindPassword localuserpassword AuthzLDAPAuthoritative Off Require valid-user </Location>
Restart your server and try to access the virtual server via the client.
A login screen appears. If you can't access Apache, open the file error log at /opt/google/gehttpd/logs/error_log and access_log.
If AuthzLDAPAuthoritative is on, the client might continually prompt for the username and password even though you entered a valid username and password and the client is functioning. To correct this, turn AuthzLDAPAuthoritative off.

Directives

require valid-user. Allows all users who log in with correct passwords.
AuthzLDAPAuthoritative. Tells Apache whether a failed authentication request can be passed to other Apache modules.
AuthLDAPBindDN. The distinguished name (DN) of the user account that Apache uses to connect to the directory system and authenticate the user.
AuthLDAPBindPassword. The password for the user account configured with the AuthLDAPBindDN directive.
AuthLDAPURL. The URL that tells where the directory server is, where to look for users at, which user attribute is used to identify a user, and other miscellaneous things that are specific to the LDAP query syntax.
AuthBasicProvider. Tells Apache which authentication module to use for Basic Authentication.

For more information, see the Apache mod_ldap and mod_auth_basic documentation.

To troubleshoot any connection issues, begin by checking the logs on the LDAP server to make sure GEE server is correctly making authentication requests.