[qgis-qwc2] Setting up LDAP authentication with QWC2

Cahill, Benjamin bcahill at alertacademy.com
Tue Apr 29 09:40:22 PDT 2025


Daniel,

I cannot thank you enough for your timely and informative message.

With your help I was able to connect QWC2 with MS Active Directory
(actually a Samba4 server), and it now authenticates users and checks
group membership.

For the benefit of others, here is the docker-compose configuration that worked:

  qwc-ldap-service:
    container_name: qwc-ldap-service
    image: sourcepole/qwc-ldap-auth:v2024.2-lts
    restart: unless-stopped
    environment:
      <<: *qwc-service-variables
      SERVICE_MOUNTPOINT: '/ldap'
      LDAP_HOST: domaincontroller.mydomain.com
      LDAP_PORT: 3269
      LDAP_USE_SSL: True
      LDAP_BASE_DN: dc=mydomain,dc=com
      LDAP_USER_DN: ''
      LDAP_BIND_USER_DN: CN=lookupUser,CN=Users,DC=mydomain,DC=com
      LDAP_BIND_USER_PASSWORD: password
      LDAP_USER_LOGIN_ATTR: sAMAccountName
      LDAP_USER_SEARCH_SCOPE: SUBTREE
      LDAP_SEARCH_FOR_GROUPS: True
      LDAP_GROUP_DN: ''
      LDAP_GROUP_SEARCH_SCOPE: SUBTREE
      LDAP_GROUP_MEMBERS_ATTR: member
      LDAP_GROUP_NAME_ATTRIBUTE: cn
    volumes:
      - /path/to/qwc-services/config:/srv/qwc_service/config:ro

The container did not start properly until the volume mount was added.
It appears to be an outstanding issue:
https://github.com/qwc-services/qwc-ldap-auth/issues/16

I wanted all unauthenticated sessions to be redirected to the login
page, so I used the following nginx configuration to accomplish that:

        if ($cookie_session = "") {
            return 301 https://$host/ldap/;
        }

Thank you again for your time and effort. I really appreciate it.

 - Benjamin

On Fri, Apr 25, 2025 at 2:28 AM Daniel Cebulla <daniel.cebulla at jena.de> wrote:
>
> Hi Benjamin,
>
> You also have to configure the service endpoint:
> https://qwc-services.github.io/master/configuration/ServiceConfiguration/#enabling-additional-services
>
> So for instance set
>
> SERVICE_MOUNTPOINT: '/ldap'
>
> as environment variable in the container.
>
>
> Then you have to set this endpoint in your tenantConfig.json in several
> places.
>
> You have to set this as "auth_service_url" within the mapViewer Config:
> https://github.com/qwc-services/qwc-docker/blob/master/volumes/config-in/default/tenantConfig.json#L101
>
> "auth_service_url": "/ldap/",
>
>
> Authentication works for ogc-service, feature-info-service,
> legend-service and document-service. In their configs you have to set
> the service-URL there:
> https://qwc-services.github.io/master/references/qwc-ogc-service/#config_basic_auth_login_url
> https://qwc-services.github.io/master/references/qwc-feature-info-service/#config_basic_auth_login_url
> https://qwc-services.github.io/master/references/qwc-legend-service/#config_basic_auth_login_url
> https://qwc-services.github.io/master/references/qwc-document-service/#config_basic_auth_login_url
>
> Here you can specify the ldap service only (the exact url is related to
> your nginx config):
> "basic_auth_login_url": "http://qwc-ldap-service:9090/verify_login"
>
> Another possibility is to set an array of more than one service:
> "basic_auth_login_url": [
>     "http://qwc-auth-service:9090/verify_login",
>     "http://qwc-ldap-service:9090/verify_login"
> ],
>
> In this case, the authentication is tried with the db-auth-service first
> and if there is no match the ldap-service is used. The parameter name
> "basic_auth_login_url" is a little bit misleading here. As the ldap and
> oidc services were developed after the db-auth service, the parameter name
> was kept for backward compatibility.
>
> The Container does not need any volume mounts to the configs.
>
> I think, you don't need the qwc-db-auth service anymore, if you just
> want to authenticate via the ldap-service.
>
> A hint: You can set up the permissions on group level only (and not on
> user level) within the admin-gui. Then you have to configure these groups
> as ldap-groups on your ldap-users as well, and the authentication should
> check the ldap groups against the configured groups within the config-db.
>
> Hope that helps!
> Greetings, Daniel
>
> Daniel Cebulla
> Application support GIS
> on behalf of Dr. Arndt Döhler
>
> Phone: +493641 49-5190      Mail: daniel.cebulla at jena.de
>
> Kommunale Informationstechnik und Telekommunikation (KITT)
>
> Municipal enterprise        Director of Operations: Dr. Arndt Döhler
> of the city of Jena         Paradiesstr. 6, 07743 Jena
>
>
> On 24.04.25 at 17:35, Cahill, Benjamin via qgis-qwc2 wrote:
> > Hello,
> >
> > I am new to the QGIS world but loving it. I have set up QWC2 using
> > Docker and it is working well. I would like to set up LDAP
> > authentication, but I'm not sure where to start.
> >
> > The only documentation I found was on this page:
> > https://qwc-services.github.io/master/references/qwc-ldap-auth_readme/
> >
> > I added the qwc-ldap-auth container to my docker-compose
> > configuration, but I don't know what to do next.
> >
> > Do I need to add users to the qwc_admin area first before authenticating?
> >
> > Do I need to remove the qwc-db-auth container?
> >
> > Does the qwc-ldap-auth container need access to the qwc-services configuration?
> >
> > Do I need to change anything to the config-in directory?
> >
> > Is my docker-compose configuration for this correct, or do I need to
> > change anything? (sensitive details have been obfuscated)
> >
> >    qwc-ldap-auth:
> >      container_name: qwc-ldap-auth
> >      image: sourcepole/qwc-ldap-auth:v2024.2-lts
> >      restart: unless-stopped
> >      environment:
> >        LDAP_HOST: domaincontroller.mydomain.com
> >        LDAP_PORT: 3269
> >        LDAP_USE_SSL: True
> >        LDAP_BASE_DN: DC=mydomain, DC=com
> >        LDAP_USER_DN:
> >        LDAP_BIND_USER_DN: CN=lookupUser, CN=Users, DC=mydomain, DC=com
> >        LDAP_BIND_USER_PASSWORD: password
> >        LDAP_USER_LOGIN_ATTR: sAMAccountName
> >
> > Thank you very much for your time.
> >
> >   - Benjamin
> > _______________________________________________
> > qgis-qwc2 mailing list
> > qgis-qwc2 at lists.osgeo.org
> > https://lists.osgeo.org/mailman/listinfo/qgis-qwc2
>
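The following is an added example, not code from qwc-ldap-auth or from either mail above. It is a small in-memory stand-in for the directory that traces what the LDAP_* settings in Benjamin's compose file amount to at the protocol level (service bind with the lookup user, search for the login name under the base DN, rebind as the found DN with the user's password, then a `member=<user DN>` search for groups) and what Daniel's list-valued `basic_auth_login_url` does (try each service in order, first success wins). Every DN, password, user and group name in it is constructed; the `MockDirectory` class, the `_password` pseudo-attribute and the `db_verify` stub are assumptions made for the demonstration, not the service's own code. Two things a practitioner should take from it: an empty password must be refused before it ever reaches the bind call, because a simple bind with a DN and an empty password is an unauthenticated bind that many directories (AD by default) accept; and with `LDAP_USER_DN` empty, users sitting in nested OUs are only found with `SUBTREE` scope, which is why `ONELEVEL` silently turns into "unknown user".

```python
"""Added example (not from qwc-ldap-auth or the thread): an in-memory stand-in
directory that traces the LDAP login flow implied by the LDAP_* settings.
All DNs, passwords and group names below are constructed."""

# Constructed copy of the relevant environment block from the compose file.
SETTINGS = {
    "LDAP_BASE_DN": "dc=mydomain,dc=com",
    "LDAP_USER_DN": "",                      # empty: search users from the base DN
    "LDAP_BIND_USER_DN": "CN=lookupUser,CN=Users,DC=mydomain,DC=com",
    "LDAP_BIND_USER_PASSWORD": "password",   # constructed; keep real ones out of compose files
    "LDAP_USER_LOGIN_ATTR": "sAMAccountName",
    "LDAP_USER_SEARCH_SCOPE": "SUBTREE",
    "LDAP_SEARCH_FOR_GROUPS": True,
    "LDAP_GROUP_DN": "",                     # empty: search groups from the base DN
    "LDAP_GROUP_SEARCH_SCOPE": "SUBTREE",
    "LDAP_GROUP_MEMBERS_ATTR": "member",
    "LDAP_GROUP_NAME_ATTRIBUTE": "cn",
}


def normalize_dn(dn):
    """Canonical form for comparison: RFC 4514 DNs ignore the case of attribute
    types and whitespace around the separating commas. Values are lowercased
    too, a simplification that is fine for AD's case-insensitive cn/ou/dc."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def _match(stored, wanted):
    # DN-valued attributes (member) compare as DNs, everything else case-insensitively.
    if "=" in wanted:
        return normalize_dn(stored) == normalize_dn(wanted)
    return stored.lower() == wanted.lower()


class MockDirectory:
    """Minimal in-memory LDAP server: simple bind plus equality search (assumed stand-in)."""

    def __init__(self, entries):
        self.entries = {normalize_dn(dn): attrs for dn, attrs in entries.items()}

    def bind(self, dn, password):
        # Like AD by default, a bind with a DN and an empty password is an
        # *unauthenticated* bind and succeeds: callers must reject it first.
        if password == "":
            return True
        entry = self.entries.get(normalize_dn(dn))
        return entry is not None and entry.get("_password") == password

    def search(self, base_dn, scope, attr, value):
        """Return DNs under base_dn whose attr equals value, honouring scope."""
        base = normalize_dn(base_dn)
        hits = []
        for dn, attrs in self.entries.items():
            if scope == "SUBTREE":
                in_scope = dn == base or dn.endswith("," + base)
            elif scope == "ONELEVEL":
                in_scope = dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
            else:  # BASE
                in_scope = dn == base
            values = attrs.get(attr, [])
            values = [values] if isinstance(values, str) else values
            if in_scope and any(_match(v, value) for v in values):
                hits.append(dn)
        return hits

    def attr(self, dn, name):
        return self.entries[normalize_dn(dn)].get(name)


class LdapAuthenticator:
    def __init__(self, directory, settings):
        self.d, self.s = directory, settings

    def verify_login(self, username, password):
        """Service bind -> search user by login attr -> rebind as that user ->
        collect groups. Returns (ok, sorted group names)."""
        if not password:
            return False, []  # see MockDirectory.bind: never forward an empty password
        if not self.d.bind(self.s["LDAP_BIND_USER_DN"], self.s["LDAP_BIND_USER_PASSWORD"]):
            raise RuntimeError("service bind failed: check LDAP_BIND_USER_DN/_PASSWORD")
        user_base = self.s["LDAP_USER_DN"] or self.s["LDAP_BASE_DN"]
        hits = self.d.search(user_base, self.s["LDAP_USER_SEARCH_SCOPE"],
                             self.s["LDAP_USER_LOGIN_ATTR"], username)
        if len(hits) != 1:
            return False, []  # unknown (or ambiguous) login name
        user_dn = hits[0]
        if not self.d.bind(user_dn, password):
            return False, []  # wrong password
        groups = []
        if self.s["LDAP_SEARCH_FOR_GROUPS"]:
            group_base = self.s["LDAP_GROUP_DN"] or self.s["LDAP_BASE_DN"]
            for gdn in self.d.search(group_base, self.s["LDAP_GROUP_SEARCH_SCOPE"],
                                     self.s["LDAP_GROUP_MEMBERS_ATTR"], user_dn):
                groups.append(self.d.attr(gdn, self.s["LDAP_GROUP_NAME_ATTRIBUTE"]))
        return True, sorted(groups)


def chained_login(verifiers, username, password):
    """basic_auth_login_url given as a list: try each service in order and
    accept the first one that verifies the credentials."""
    for verify in verifiers:
        ok, groups = verify(username, password)
        if ok:
            return True, groups
    return False, []


# Constructed directory content standing in for the Samba4/AD domain.
BCAHILL_DN = "CN=Benjamin Cahill,OU=Staff,OU=People,DC=mydomain,DC=com"
DIRECTORY = MockDirectory({
    "CN=lookupUser,CN=Users,DC=mydomain,DC=com": {"_password": "password"},
    BCAHILL_DN: {"sAMAccountName": "bcahill", "_password": "correct horse battery"},
    "CN=GIS Editors,OU=Groups,DC=mydomain,DC=com": {"cn": "GIS Editors", "member": [BCAHILL_DN]},
    "CN=GIS Viewers,OU=Groups,DC=mydomain,DC=com": {"cn": "GIS Viewers", "member": [BCAHILL_DN]},
})
LDAP = LdapAuthenticator(DIRECTORY, SETTINGS)

# Constructed stand-in for qwc-db-auth, consulted first when both services are listed.
DB_USERS = {"admin": "local-admin-secret"}


def db_verify(username, password):
    if DB_USERS.get(username) == password:
        return True, ["admin"]
    return False, []


if __name__ == "__main__":
    print(LDAP.verify_login("bcahill", "correct horse battery"))  # (True, ['GIS Editors', 'GIS Viewers'])
    print(chained_login([db_verify, LDAP.verify_login], "bcahill", "correct horse battery"))
```

`normalize_dn` is also why `DC=mydomain, DC=com` (with spaces, as in the first compose attempt) and `dc=mydomain,dc=com` should be treated as the same DN by any conforming client; the comparison is done on the canonical form rather than the raw string.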