
Google Earth Enterprise Documentation Home | GEE Server configuration and security
PostgreSQL authentication
Client authentication determines which users are allowed to view published databases. By default, the GEE Server does not require authentication for user access. However, you can configure authentication for your server.
If you use a load-balanced grid of GEE servers, a single common authentication source (such as PostgreSQL or LDAP) makes user administration easier. When you add users, you can add them to a single database instead of to each virtual server.
Authentication encrypts passwords before transmitting and storing them. Besides the security benefits, there are performance benefits to encrypting passwords instead of storing them in plaintext. As a plaintext password file grows to more than 200 users, there will likely be a noticeable slowdown. This is because the entire password file is read into memory each time the virtual server is accessed to search for a password.
If you have a PostgreSQL database, you can use standard Apache authentication methods such as Digest authentication to control user access. This is useful if you already store user passwords in a PostgreSQL table, or if you want to use a unified authentication mechanism other than LDAP for your GEE Server and other systems.
Before you begin
- Don't use the PostgreSQL database that ships with GEE. Instead, install PostgreSQL on a separate port or a different host.
- You must set up client authentication for each virtual server you want to use authentication with.
Apache modules
The Apache configuration below uses these modules:
- The mod_authn_dbdmodule provides the authentication back-end with a PostgreSQL server. For more information about the module, see the mod_authn_dbd section in the Apache documentation.
- The mod_auth_digestmodule is used for Digest authentication. For more information aboutmod_auth_digest, see the mod_auth_digest section in the Apache documentation.
Terms
In the steps below, you can replace these names with the names you want to use. For example, you can replace geeauthdb with the name of your database.
- geeauthdb. The database to connect to.
- geepasswd. The table that stores user information.
- geeuser. The user login to connect to the database.
- postgres. The default PostgreSQL adminstrator user on Ubuntu.
To configure client authentication for PostgreSQL:
- 
Connect to the PostgreSQL server: 
 sudo su - postgres
 psql --port=5433
- 
Create the database and user: 
 CREATE USER geeuser WITH PASSWORD 'geeuserpasswd';
 CREATE DATABASE geeauthdb;
 GRANT ALL PRIVILEGES ON DATABASE geeauthdb to mypguser;
 \q
- Create a table to store the passwords:
 psql --port=5433 --username=geeuser geauthdb
 CREATE TABLE geepasswd (username varchar(32) NOT NULL, realm varchar(255)
 NOT NULL, passwd varchar(255) NOT NULL,
 realname varchar(255), PRIMARY KEY (username, realm));
 \q- 
The table includes these fields:
- username.
- realm.
- password.
- realname. Optional. The realname field doesn't require a value, but is included in case you want to use it. You can also add other optional fields if needed.
 
- 
Create the encrypted password by inserting encyption functions into the database with the pgcryptocontributed module:
 psql --port=5433 --username=geeuser geauthdb < /usr/share/postgresql/8.4/contrib/pgcrypto.sqlNote: You can substitute a different method for this step. The Password Formats section in the Apache documentation gives examples in multiple programming languages for encrypting the password so that it is readable by Apache. 
- 
Make sure the database works by inserting a test user: 
 psql --port=5433 --username=geeuser geauthdb
 INSERT INTO geepasswd VALUES ('jsmith', 'realm', encode(digest( 'jsmith' || ':' || 'realm' || ':' ||'password', 'md5'), 'hex'), 'Jane Smith');
 \qReplace "jsmith", "realm", "password" and "Jane Smith" with the values you want to use. Note: The password is hashed with MD5 because the Apache mod_authn_dbdmodule requires it. This also prevents the password from appearing in plaintext.
- 
Create a file named pgsql-auth.confat/opt/google/gehttpd/conf/extra/pgsql-auth.conf.
- 
Add these lines to the pgsql-auth.conffile:
 DBDriver pgsql
 DBDParams "hostaddr=yourpgserver port=yourport user=geuser password=yourpassword dbname=gee_auth"
 DBDMin 4
 DBDKeep 8
 DBDMax 20
 DBDExptime 300Replace yourpgserverandyourportwith the address or hostname of your PostgreSQL database. Replacegeuserandyourpasswordwith the username and password of your test user.
- 
Open the /opt/google/gehttpd/conf/gehttpd.conffile and insert the line:
 Include /opt/google/gehttpd/conf/extra/pgsql-auth.confabove the line: 
 Include conf.d/*.confThe result is: 
 # Include Google Earth Server-specific files
 Include /opt/google/gehttpd/conf/extra/pgsql-auth.conf
 Include conf.d/*.conf
- 
Add the following lines at the beginning of the <Location>directive of your virtual server:
 AuthType Digest
 AuthName "realm"
 AuthDigestDomain '/default_map/'
 AuthDigestProvider dbd
 AuthDBDUserRealmQuery "SELECT passwd FROM geeauth WHERE username = %s and realm = %s"
 BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=OnIf this is a _ge_ virtualserver, add:
 BrowserMatch "GoogleEarth" AuthDigestEnableQueryStringHack=OnIf this is a _map_ virtualserver, add:
 BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=OnFor more information about AuthDigestEnableQueryStringHack, see the mod_auth_digest section in the Apache documentation.The final <Location>directive looks like:
 <Location "/default_map/*">
 AuthType Digest
 AuthName "realm"
 AuthDigestDomain '/default_map/'
 
 AuthDigestProvider dbd
 AuthDBDUserRealmQuery "SELECT passwd FROM geeauth WHERE username = %s and realm = %s"
 BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
 
 Require valid-user
 SetHandler gedb-handler
 Include
 conf.d/virtual_servers/runtime/default_map_runtime
 </Location>
- 
Save and close the virtual server configuration file. 
- 
Restart the server: 
 /etc/init.d/geserver restartAfter you verify the configuration with your test user, you can add your users to the database.