Your users can sign in to VertiGIS FM via Lightweight Directory Access Protocol (LDAP) using their Windows login credentials. This topic outlines required configuration steps.

If you want to use the roles assigned to users in the Active Directory to assign permissions to users in VertiGIS FM, you must first create the roles in VertiGIS FM. The names of the roles you create must match the names of the roles in the Active Directory exactly.

LDAP Configuration in VertiGIS FM

You can configure LDAP settings in VertiGIS FM on the Administration > Interfaces > External Authentication page. Select the LDAP entry and click the Edit icon to configure LDAP authentication.

LDAP Authentication on the External Authentication Page in VertiGIS FM

Details that need to be entered in the LDAP configuration are outlined below.

LDAP Configuration

Field or Section

Details

LDAP Server URL

Enter an LDAP server URL including the port (default is 389).

If using LDAP with TLS encryption, the default port is 636.

Example: ldap://hostname:636

Service User and Password

Enter the user (domain\Windows user) and password.

The service user checks the validity of all users in the Active Directory. If the service user's password expires, the login for all users on the server is blocked.

LDAP Roles

Select the Transfer Roles check box if you want groups in the Active Directory to be converted to roles in VertiGIS FM. If a user's group in the Active Directory matches a role that exists in VertiGIS FM, the user is automatically assigned that role when they authenticate in VertiGIS FM for the first time. For this functionality to work, you must have already created roles with names identical to the ones in the directory.

You can also specify a Default Role that will be assigned to a user in the Active Directory when they authenticate in VertiGIS FM. Any role you've already created in VertiGIS FM can be selected. If you want to manually add roles to users created via LDAP, do not select any default role.

Select the Ignore Role Referrals check box if you want the system to ignore existing groupings in the Active Directory.

LDAP User

In the LDAP User section, you can enter user details that are inherited by any user on the server when they sign in to VertiGIS FM for the first time.

If you select the Always Overwrite check box, the user will be updated with the settings stored here each time they log in, not just the first time.

Run a Test

When you've configured LDAP according to your Active Directory, you can click the Test button at the bottom of the form.

Test Button on the LDAP Configuration Form

This generates a log file (LdapLog.txt) that indicates the users (usr) and group names (grp) in the specified directory.

grp  VertiGIS FM Group (LDAP://VertiGIS.VertiGIS.local/CN=VertiGIS FM Group,OU=VertiGIS Groups,DC=VertiGIS,DC=local)

usr  VertiGIS\xyzUser – First name Last name

If the groups and users appear in the file without any error messages, you can activate LDAP by selecting the Active check box on the form and saving the configuration.

LDAP Active
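
A check you can run on the test output before selecting Active, as an added example that is not part of the VertiGIS FM documentation or product: it parses LdapLog.txt content and compares the group names with the roles you created, flagging names that differ only in case or spacing, since Transfer Roles requires identical names. The one-entry-per-line format, the sample log lines, the error line and the role names are assumptions constructed from the sample above.

```python
import re
import unicodedata

# Assumed line shape, from the sample above: "grp <name> (LDAP://<path>)" and
# "usr <DOMAIN>\<account> ...". Adjust both patterns to your real LdapLog.txt.
GRP = re.compile(r"^grp\s+(.+?)\s*\(LDAP://[^)]*\)\s*$")
USR = re.compile(r"^usr\s+(\S+\\\S+)")

def _fold(name):
    """Normalise case, spacing and Unicode form for near-miss comparison."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def parse_ldap_log(text):
    """Return (groups, users, unrecognised_lines) from LdapLog.txt content."""
    groups, users, other = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        g, u = GRP.match(line), USR.match(line)
        if g:
            groups.append(g.group(1))
        elif u:
            users.append(u.group(1))
        else:
            other.append(line)  # possible error message: review by hand
    return groups, users, other

def compare_roles(groups, fm_roles):
    """Classify directory groups against the role names created in VertiGIS FM."""
    roles, folded = set(fm_roles), {_fold(r): r for r in fm_roles}
    result = {"exact": [], "near_miss": [], "no_role": []}
    for g in sorted(set(groups)):
        if g in roles:
            result["exact"].append(g)
        elif _fold(g) in folded:  # differs only in case, spacing or Unicode form
            result["near_miss"].append((g, folded[_fold(g)]))
        else:
            result["no_role"].append(g)
    return result

# Constructed sample input (not real log output) and hypothetical role names.
SAMPLE_LOG = "\n".join([
    "grp VertiGIS FM Group (LDAP://VertiGIS.VertiGIS.local/CN=VertiGIS FM Group,OU=VertiGIS Groups,DC=VertiGIS,DC=local)",
    "grp FM Editors (LDAP://VertiGIS.VertiGIS.local/CN=FM Editors,OU=VertiGIS Groups,DC=VertiGIS,DC=local)",
    "grp Domain Users (LDAP://VertiGIS.VertiGIS.local/CN=Domain Users,CN=Users,DC=VertiGIS,DC=local)",
    "usr VertiGIS\\xyzUser – First name Last name",
    "ERROR: constructed example error line",
])
SAMPLE_ROLES = ["VertiGIS FM Group", "FM editors"]
```

Groups reported under near_miss need their VertiGIS FM role renamed to the directory spelling, and any unrecognised lines should be read as possible error messages before LDAP is activated.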

Enable Windows Authentication

To enable LDAP with your implementation of VertiGIS FM, Windows authentication must be activated in the Internet Information Services (IIS) configuration.

To Enable Windows Authentication

1. Open the Control Panel on your computer.

2. Click Programs.

3. Under Programs and Features, click Turn Windows features on or off.

4. Expand Internet Information Services > World Wide Web Services > Security and select the Windows Authentication check box.

5. Click OK.

Activate Windows Integrated Authentication in the IIS Manager

To ensure roles can be transferred from the Active Directory to the LDAP system, you also have to activate Windows Integrated Authentication in the Internet Information Services (IIS) Manager.

To Activate Windows Integrated Authentication in the IIS Manager

1. Open the IIS Manager.

2. In the left pane, expand Default Web Site and select the VertiGIS FM site for your implementation.

3. Double-click Application Manager.

4. Right-click GeoManLogin.NTEnabled and select Edit.

5. In the Value text box, type true and click OK.

6. Right-click the VertiGIS FM website in the left pane and select Switch to Content View.

7. In the contents that appear, right-click GeoManLogin.aspx and select Switch to Features View.

8. Under IIS, double-click Authentication.

9. Right-click the following authentications and select Enable.

   - Anonymous Authentication

   - Windows Authentication

10. After enabling Windows Authentication, right-click it and select Providers.

11. Select NTLM and click Move Up.

12. Click OK.

After completing the procedure above, you can navigate to VertiGIS FM in a new web browser. You will be signed in automatically via LDAP, and a new VertiGIS FM user will be created for your Windows user.

Accessing VertiGIS FM Outside of Company Network

If you want users in your Active Directory who authenticate using LDAP to be able to access VertiGIS FM when outside the company network, you need to create internal users and passwords for them on the Administration > Roles and Permissions > User Management page. Refer to User Management for more information.

Overwrite Settings Check Box

© 2024 VertiGIS North America Ltd. All Rights Reserved.
Documentation Version 1.0