[qgis-qwc2] Setting up LDAP authentication with QWC2
Daniel Cebulla
daniel.cebulla at jena.de
Fri Apr 25 00:28:39 PDT 2025
Hi Benjamin,
You have to configure the service endpoint also:
https://qwc-services.github.io/master/configuration/ServiceConfiguration/#enabling-additional-services
So for instance set
SERVICE_MOUNTPOINT: '/ldap'
as environment variable in the container.
Then you have to set this endpoint in your tenantConfig.json on several
positions.
You have to set this as "auth_service_url" within the mapViewer Config:
https://github.com/qwc-services/qwc-docker/blob/master/volumes/config-in/default/tenantConfig.json#L101
"auth_service_url": "/ldap/",
Authentication works for ogc-service, feature-info-service,
legend-service and document-service. In their configs you have to set
the service-URL there:
https://qwc-services.github.io/master/references/qwc-ogc-service/#config_basic_auth_login_url
https://qwc-services.github.io/master/references/qwc-feature-info-service/#config_basic_auth_login_url
https://qwc-services.github.io/master/references/qwc-legend-service/#config_basic_auth_login_url
https://qwc-services.github.io/master/references/qwc-document-service/#config_basic_auth_login_url
Here you can specify the ldap service only (the exact url is related to
your nginx config):
"basic_auth_login_url": "http://qwc-ldap-service:9090/verify_login"
Another possibility is to set an array of more than one service:
"basic_auth_login_url": [
    "http://qwc-auth-service:9090/verify_login",
    "http://qwc-ldap-service:9090/verify_login"
],
In this case, the authentication is tried with the db-auth-service first
and if there is no match the ldap-service is used. The parameter name
"basic_auth_login_url" is a little bit misleading here. As the ldap and
oidc services were developed after the db-auth service, the parameter name
was kept for backward compatibility.
The Container does not need any volume mounts to the configs.
I think, you don't need the qwc-db-auth service anymore, if you just
want to authenticate via the ldap-service.
A hint: You can set up the permissions on group level only (and not on
user level) within the admin-gui. Then you have to configure these groups
as ldap-groups on your ldap-users as well and the authentication should
check the ldap groups against the configured groups within the config-db.
Hope that helps!
Greetings, Daniel
Daniel Cebulla
Application support GIS
on behalf of Dr. Arndt Döhler
Phone: +493641 49-5190 Mail: daniel.cebulla at jena.de
Kommunale Informationstechnik und Telekommunikation (KITT)
Municipal enterprise of the city of Jena
Director of Operations: Dr. Arndt Döhler
Paradiesstr. 6, 07743 Jena
On 24.04.25 at 17:35, Cahill, Benjamin via qgis-qwc2 wrote:
> Hello,
>
> I am new to the QGIS world but loving it. I have set up QWC2 using
> Docker and it is working well. I would like to set up LDAP
> authentication, but I'm not sure where to start.
>
> The only documentation I found was on this page:
> https://qwc-services.github.io/master/references/qwc-ldap-auth_readme/
>
> I added the qwc-ldap-auth container to my docker-compose
> configuration, but I don't know what to do next.
>
> Do I need to add users to the qwc_admin area first before authenticating?
>
> Do I need to remove the qwc-db-auth container?
>
> Does the qwc-ldap-auth container need access to the qwc-services configuration?
>
> Do I need to change anything to the config-in directory?
>
> Is my docker-compose configuration for this correct, or do I need to
> change anything? (sensitive details have been obfuscated)
>
> qwc-ldap-auth:
>   container_name: qwc-ldap-auth
>   image: sourcepole/qwc-ldap-auth:v2024.2-lts
>   restart: unless-stopped
>   environment:
>     LDAP_HOST: domaincontroller.mydomain.com
>     LDAP_PORT: 3269
>     LDAP_USE_SSL: True
>     LDAP_BASE_DN: DC=mydomain, DC=com
>     LDAP_USER_DN:
>     LDAP_BIND_USER_DN: CN=lookupUser, CN=Users, DC=mydomain, DC=com
>     LDAP_BIND_USER_PASSWORD: password
>     LDAP_USER_LOGIN_ATTR: sAMAccountName
>
> Thank you very much for your time.
>
> - Benjamin