Managing Users
In JMap Admin, the user manager configuration can be accessed by clicking on Users / Groups in the JMap Server section. Select the User manager tab.
The user manager allows you to define how JMap will manage user accounts and groups. There are two ways to manage this information with JMap:
•Using the JMap user account database: you create and delete the user accounts directly from JMap Admin;
•By connecting to an existing database of user accounts such as a Windows Active Directory system, an LDAP compatible system or a relational database.
Several systems can also be combined to be used simultaneously (e.g. the JMap database and Windows Active Directory). These systems are then used as a single system. When JMap Server connects to an existing database, user account management is simplified because no account or user group needs to be created and managed in JMap.
The following sections describe each available option.
JMap DB user manager
This type of user account management records users and groups directly into JMap Server's System database or in an external database containing the required tables and fields. The JMap administrator must create and manage all user accounts and groups.
Click on the User manager tab from the Users / Groups section. Select JMap DB user manager to indicate that user accounts will be managed within a relational database. To store information in JMap Server's System database, select the JMap Server database option.
You can also use any relational database that contains at least the required tables and fields by selecting the External database option. When you do this, an interface displays, allowing you to define the configuration parameters. Using this configuration interface, select the database you wish to use. Afterwards, select the tables and fields containing the various information pertaining to users and groups. If needed, you can select Read-only mode to prevent account information from being modified by JMap Admin.
Once this configuration has been defined, you can create, modify and delete user accounts directly from JMap Admin.
Active Directory user manager
You can connect to Windows Active Directory (in read-only mode) by selecting the option Active Directory user manager under User manager. When you select this option, a new interface is displayed, allowing you to specify the configuration parameters.
| Active Directory parameter | Description |
|---|---|
| Server address | Address of the Windows domain controller that hosts Active Directory. |
| DN | Distinguished Name of the root of the directory, composed of DC (Domain Component) entries. Example: dc=ABC,dc=COM |
| Domain | Name of the Windows domain (e.g. ABC.COM). |
| User / SPN | User name JMap Server uses to connect to Active Directory. Create a dedicated account for JMap whose password never expires; since JMap only reads the directory, grant it read access only and do not reuse an administrative account. To use single sign-on, create an SPN (Service Principal Name) associated with this user. See Single Sign-On for details. |
| Password | Password of the user JMap Server uses to connect to Active Directory. |
| Admin. password | A user named administrator must always exist in JMap. If no administrator user exists in Active Directory, JMap simulates one, and the password entered here is the one used to log in as administrator. If an administrator user does exist in Active Directory, any password entered here is ignored. |
| Enable single sign-on | Enables single sign-on. See Single Sign-On for details. |
| Default / Custom LDAP configuration | Active Directory is an LDAP directory. The default option uses the LDAP parameters most commonly found in Active Directory; if they do not match your directory, choose Custom and supply your own values. |
| Max page size | Active Directory limits the number of records returned per request (the page size). This value must not exceed the maximum allowed by Active Directory (1000 by default). A value that is too small reduces performance; a value above the authorized limit causes users to be missing from the user list. |
JMap LDAP user manager
You can connect to any LDAP compliant directory (in read-only mode). Unix, Linux and Windows systems offer many LDAP compliant directories.
To use this option, select JMap LDAP user manager under User manager. When you do so, a new interface is displayed, allowing you to specify the configuration parameters.
| JMap LDAP user manager parameter | Description |
|---|---|
| Server URL | LDAP server address. |
| DN | Distinguished Name of the root of the directory, composed of Domain Component entries. Example: dc=ABC,dc=COM |
| User | User name JMap Server uses to connect to the LDAP directory. Create a dedicated account for JMap whose password never expires; since JMap only reads the directory, a read-only account is sufficient. |
| Password | Password of the user JMap Server uses to connect to the LDAP directory. |
| Admin. password | A user named administrator must always exist in JMap. If no administrator user exists in the LDAP directory, JMap simulates one, and the password entered here is the one used to log in as administrator. If an administrator user does exist in the LDAP directory, any password entered here is ignored. |
| Authentication prefix | Some LDAP servers require a prefix concatenated before the user name for authentication. Example: prefix a_domain\ and user a_user give a_domain\a_user. |
| Authentication suffix | Some LDAP servers require a suffix concatenated after the user name for authentication. Example: suffix @a_domain and user a_user give a_user@a_domain. |
| User class | Name of the LDAP object class that identifies a user entry in the directory. |
| Group class | Name of the LDAP object class that identifies a group entry in the directory. |
| User filter | Search filter used to select user entries, written in standard LDAP filter syntax (RFC 4515), e.g. (objectClass=person). |
| Group filter | Search filter used to select group entries, written in standard LDAP filter syntax (RFC 4515). |
| User attribute | Attribute of a user entry whose value is the user's identity (login name) in JMap. |
| Group attribute | Attribute of a group entry whose value is the group's identity in JMap. |
| Member attribute | Attribute of a group entry that lists the users that are members of the group. |
| Full name attribute | Attribute of a user entry that holds the user's full name. |
| Email attribute | Attribute of a user entry that holds the user's email address. |
| Max page size | LDAP directories limit the number of records returned per request (the page size). This value must not exceed the maximum allowed by the directory (1000 by default in most directories). A value that is too small reduces performance; a value above the authorized limit causes users to be missing from the user list. |
For more information on the LDAP protocol, refer to http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
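The User filter, Group filter, User attribute, Group attribute and Member attribute settings above (and the same settings behind the Active Directory manager's custom LDAP configuration) are easiest to understand by running them. The following is an added example, not JMap code: a small RFC 4515 filter evaluator that applies those settings to a constructed in-memory directory, so a filter can be tried offline before it is typed into JMap Admin. The directory contents, the filters and the attribute names are assumptions, not JMap defaults.

```python
"""Evaluate JMap LDAP user-manager settings against an in-memory directory.

Added example, not JMap code. Supports RFC 4515 and/or/not, equality,
presence (*), substring (a*b*c) and \\XX escapes. Sample data constructed.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]      # lower-cased attribute name -> values

# Constructed sample directory keyed by DN (not real data).
DIRECTORY: Dict[str, Entry] = {
    "cn=alice,ou=people,dc=abc,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["alice"],
                                         "cn": ["Alice Martin"], "mail": ["alice@abc.com"]},
    "cn=bob,ou=people,dc=abc,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["bob"],
                                       "cn": ["Bob Tremblay"], "mail": ["bob@abc.com"],
                                       "accountstatus": ["disabled"]},
    "cn=svc-jmap,ou=services,dc=abc,dc=com": {"objectclass": ["inetOrgPerson"],
                                              "uid": ["svc-jmap"], "cn": ["JMap service"]},
    "cn=gis-editors,ou=groups,dc=abc,dc=com": {"objectclass": ["groupOfNames"],
                                               "cn": ["gis-editors"],
                                               "member": ["cn=alice,ou=people,dc=abc,dc=com",
                                                          "cn=bob,ou=people,dc=abc,dc=com"]},
}

# Assumed JMap settings: keep enabled persons, exclude the service account itself.
USER_FILTER = "(&(objectClass=inetOrgPerson)(!(accountStatus=disabled))(!(uid=svc-*)))"
GROUP_FILTER = "(objectClass=groupOfNames)"
USER_ATTRIBUTE, GROUP_ATTRIBUTE, MEMBER_ATTRIBUTE = "uid", "cn", "member"


def _unescape(s: str) -> str:
    """Decode RFC 4515 \\XX hex escapes (e.g. \\2a for a literal '*')."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 2 < len(s):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Recursive-descent parse of the filter at s[i]; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "&|":
        kids, i = [], i + 2
        while s[i] != ")":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if op == "!":
        node, i = _parse(s, i + 2)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", node), i + 1
    end = s.index(")", i)                 # a ')' inside a value must be escaped as \29
    attr, eq, pattern = s[i + 1:end].partition("=")
    if not eq or not attr or attr[-1] in "<>~":   # >=, <=, ~= not handled here
        raise ValueError(f"unsupported or malformed item: {s[i:end + 1]}")
    return ("=", attr.strip().lower(), pattern), end + 1


def parse_filter(text: str) -> tuple:
    text = text.strip()
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _match(pattern: str, values: List[str]) -> bool:
    """Equality, presence or substring match; caseIgnore matching assumed."""
    if pattern == "*":
        return bool(values)
    parts = [_unescape(p).lower() for p in pattern.split("*")]
    for v in (x.lower() for x in values):
        if len(parts) == 1:
            if v == parts[0]:
                return True
            continue
        if not (v.startswith(parts[0]) and v.endswith(parts[-1])):
            continue
        pos, ok = len(parts[0]), True
        for mid in parts[1:-1]:           # each middle piece, in order, without overlap
            j = v.find(mid, pos)
            if j < 0:
                ok = False
                break
            pos = j + len(mid)
        if ok and pos <= len(v) - len(parts[-1]):
            return True
    return False


def _eval(node: tuple, entry: Entry) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1], entry)
    return _match(node[2], entry.get(node[1], []))


def search(directory: Dict[str, Entry], filter_text: str) -> List[str]:
    """DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if _eval(node, entry)]


def list_users(directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """Login names JMap would list: USER_ATTRIBUTE of each entry passing the user filter."""
    return sorted(directory[dn][USER_ATTRIBUTE][0] for dn in search(directory, USER_FILTER))


def group_members(directory: Dict[str, Entry] = DIRECTORY) -> Dict[str, List[str]]:
    """Group name -> member login names; MEMBER_ATTRIBUTE values are DNs. Members that
    fail the user filter are dropped (a choice made here, not documented JMap behaviour)."""
    users = {dn: directory[dn][USER_ATTRIBUTE][0] for dn in search(directory, USER_FILTER)}
    groups = {}
    for dn in search(directory, GROUP_FILTER):
        members = directory[dn].get(MEMBER_ATTRIBUTE, [])
        groups[directory[dn][GROUP_ATTRIBUTE][0]] = sorted(users[m] for m in members if m in users)
    return groups
```

With the sample data, list_users() returns ['alice']: bob is filtered out by the disabled flag and the service account by the uid prefix, so gis-editors resolves to ['alice'] even though bob is still listed in its member attribute. Keep the user filter tight in the same way on a real directory, since every entry it matches becomes a login name JMap will accept.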
Composite user manager
This type of user management allows you to combine several managers together. You can add as many user managers as necessary. All user managers will function as a single user manager. Refer to the previous sections for information on user manager configuration.
Synchronizing user permissions
When you connect JMap to an existing user account database (Active Directory, LDAP or an external relational database), it may be useful to synchronize JMap Server with that database for two reasons:
•When users or groups that were granted permissions in JMap (e.g. to open a project or view certain layers) are deleted from the database, their permissions stay in JMap Server's permission lists, because JMap Server is not told about the deletion. Synchronizing removes all permissions held by deleted users and groups. Not synchronizing is not by itself a security problem, since a deleted user can no longer log in; the stale entries only matter if an account or group is later recreated under the same name, because JMap identifies external users and groups by name (the configured user and group attributes), so the recreated principal would inherit them.
•When group membership changes (members added or removed), so that JMap Server reloads the list of users belonging to each group. JMap Server keeps group member lists in memory for performance, so membership changes made in the directory are not reflected in JMap's permission checks until those lists are reloaded.
You can automate synchronization by selecting the option Synchronize automatically every... and specifying a time period.
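To make the two effects concrete, here is an added example (not JMap code) that models a permission list keyed by principal name, an in-memory group member cache, and a synchronize() step that removes the permissions of deleted principals and reloads the cache. It assumes, as the text implies, that JMap identifies external users and groups by name; the directory snapshots and the right names are constructed.

```python
"""Model of what synchronizing the JMap user manager changes.

Added example, not JMap code. Permission list keyed by principal name
(assumption) plus a cached group member list; data constructed.
"""
from typing import Dict, List, Set, Tuple

Principal = Tuple[str, str]        # (name, "user" or "group")

# Directory when JMap last loaded it, and now: bob was deleted, carol left
# "viewers", dave was created and added to "gis-editors".
DIRECTORY_BEFORE = {"users": {"alice", "bob", "carol"},
                    "groups": {"gis-editors": {"alice", "bob"}, "viewers": {"carol"}}}
DIRECTORY_AFTER = {"users": {"alice", "carol", "dave"},
                   "groups": {"gis-editors": {"alice", "dave"}, "viewers": set()}}

# JMap permission list (hypothetical right names).
PERMISSIONS: Dict[Principal, Set[str]] = {
    ("bob", "user"): {"open:Cadastre"},
    ("gis-editors", "group"): {"open:Cadastre", "edit:Parcels"},
    ("viewers", "group"): {"open:Cadastre"},
}


class UserManager:
    def __init__(self, directory: dict, permissions: Dict[Principal, Set[str]]):
        self.directory = directory
        self.permissions = {p: set(r) for p, r in permissions.items()}
        self.member_cache: Dict[str, Set[str]] = {}
        self._reload_members()

    def _reload_members(self) -> None:
        """Copy group member lists into memory (JMap caches them for performance)."""
        self.member_cache = {g: set(m) for g, m in self.directory["groups"].items()}

    def effective_rights(self, user: str) -> Set[str]:
        """Rights granted directly plus rights of every cached group the user is in."""
        rights = set(self.permissions.get((user, "user"), set()))
        for group, members in self.member_cache.items():
            if user in members:
                rights |= self.permissions.get((group, "group"), set())
        return rights

    def synchronize(self, snapshot: dict) -> List[Principal]:
        """Drop permissions of principals gone from the directory; reload member lists."""
        self.directory = snapshot
        gone = [p for p in self.permissions
                if (p[1] == "user" and p[0] not in snapshot["users"])
                or (p[1] == "group" and p[0] not in snapshot["groups"])]
        for p in gone:
            del self.permissions[p]
        self._reload_members()
        return gone


def before_and_after():
    """Rights of dave, carol and bob with stale state, the removed entries, and after sync."""
    um = UserManager(DIRECTORY_BEFORE, PERMISSIONS)
    stale = {u: um.effective_rights(u) for u in ("dave", "carol", "bob")}
    removed = um.synchronize(DIRECTORY_AFTER)
    fresh = {u: um.effective_rights(u) for u in ("dave", "carol", "bob")}
    return stale, removed, fresh
```

Before synchronizing, the model still grants carol the viewers rights and gives dave nothing, because the cached member lists are those loaded earlier; bob's user entry is still present, which is harmless while bob cannot log in but would apply to any account recreated under that name. synchronize() removes ("bob", "user") and reloads the cache, after which dave gets the gis-editors rights and carol none. In practice this is the case for a short automatic synchronization period rather than relying on deleted accounts failing at login.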