...
The [users] section of the shiro.ini file can be deleted or completely commented out when LDAP authentication is to be used. Role names are mapped
The [main] section contains the following information:
- specification of the LDAP service,
- a mapping of the JOC Cockpit role names specified in the [roles] section of the file onto LDAP group names and
- a timeout.
The information required in the [main] section for LDAP authentication is shown in the listing below:
```ini
[main]

ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = cn={0},CN=myLDAPFolder,DC=localhost
ldapRealm.searchBase = CN=myLDAPFolder,DC=localhost
ldapRealm.contextFactory.url = ldap://localhost:389
#ldapRealm.groupNameAttribute=memberOf
#ldapRealm.userNameAttribute=cn
ldapRealm.userSearchFilter=(&(objectClass=user)(cn=%s))

# Mapping of a ldap group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"CN=JobScheduler_it_operator,CN=Roles,CN=ur_dell_partition,DC=localhost":"it_operator", \
"CN=jobscheduler_admin,CN=Roles,CN=myLDAPFolder,DC=localhost":"administrator|application_manager"

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver

securityManager.realms = $ldapRealm

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

securityManager.sessionManager.globalSessionTimeout = 360000
```
...
- the LDAP service information in lines 4 to 6 of the listing,
- the mapping of LDAP groups to roles, here occupying lines 13 to 16, which is described in the next sub-section, and
- the timeout setting for sessions, shown in the last line and specified in milliseconds.
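To make the group-to-role mapping in the listing concrete, here is an added Python example (not code from the SOS documentation or the JOC Cockpit project) that parses the [main] settings from a constructed shiro.ini sample modelled on the listing above, reconstructs groupRolesMap across its backslash continuation lines, splits role lists on the `|` separator and resolves the roles for a constructed user's memberOf groups. It also shows the `%s` substitution into userSearchFilter with RFC 4515 escaping of the user name; how SOSLdapAuthorizingRealm itself performs that substitution is not described on this page, so the escaping helper, the `parse_*`/`resolve_roles` function names and the case-insensitive comparison of group DNs are assumptions of this example.

```python
"""Added example, not part of the SOS JOC Cockpit documentation: parse the
LDAP-related [main] settings of a shiro.ini listing and resolve roles."""
import re

# Constructed sample [main] section, modelled on the page's listing (assumption).
SAMPLE_SHIRO_INI = r"""
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = cn={0},CN=myLDAPFolder,DC=localhost
ldapRealm.searchBase = CN=myLDAPFolder,DC=localhost
ldapRealm.contextFactory.url = ldap://localhost:389
#ldapRealm.groupNameAttribute=memberOf
ldapRealm.userSearchFilter=(&(objectClass=user)(cn=%s))

# Mapping of a ldap group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"CN=JobScheduler_it_operator,CN=Roles,CN=ur_dell_partition,DC=localhost":"it_operator", \
"CN=jobscheduler_admin,CN=Roles,CN=myLDAPFolder,DC=localhost":"administrator|application_manager"

securityManager.realms = $ldapRealm
securityManager.sessionManager.globalSessionTimeout = 360000
"""

# One quoted "group DN":"role|role" pair inside the groupRolesMap value.
GROUP_ROLE_RE = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')


def parse_main_section(text):
    """Return {key: value} for the [main] section, joining '\\' continuation lines
    and skipping blank and '#' comment lines."""
    settings = {}
    in_main = False
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main = line == "[main]"
            continue
        if not in_main:
            continue
        if line.endswith("\\"):                  # continuation line: keep collecting
            pending += line[:-1].strip() + " "
            continue
        pending += line
        key, _, value = pending.partition("=")   # split at the first '=' only
        settings[key.strip()] = value.strip()
        pending = ""
    return settings


def parse_group_roles_map(value):
    """Return {group DN (lower-cased): set of roles}; '|' separates several roles.
    Lower-casing the DN for the lookup is this example's choice (assumption)."""
    return {dn.lower(): set(roles.split("|")) for dn, roles in GROUP_ROLE_RE.findall(value)}


def resolve_roles(member_of, group_roles_map):
    """Union of the roles mapped to each group DN in a user's memberOf attribute;
    groups that appear in no mapping entry grant nothing."""
    roles = set()
    for dn in member_of:
        roles |= group_roles_map.get(dn.lower(), set())
    return roles


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_search_filter(template, username):
    """Substitute the escaped user name into the %s placeholder of userSearchFilter."""
    return template.replace("%s", escape_filter_value(username))


def session_timeout_minutes(settings):
    """globalSessionTimeout is given in milliseconds; express it in minutes."""
    return int(settings["securityManager.sessionManager.globalSessionTimeout"]) / 60000


if __name__ == "__main__":
    cfg = parse_main_section(SAMPLE_SHIRO_INI)
    mapping = parse_group_roles_map(cfg["ldapRealm.groupRolesMap"])
    # Constructed user who is a member of the admin group only.
    groups = ["CN=jobscheduler_admin,CN=Roles,CN=myLDAPFolder,DC=localhost"]
    print(sorted(resolve_roles(groups, mapping)))
    print(build_user_search_filter(cfg["ldapRealm.userSearchFilter"], "jdoe"))
    print(session_timeout_minutes(cfg), "minutes")
```

The parser deliberately splits each setting at the first `=` only, because the group DNs and the search filter themselves contain `=` characters; a naive split on every `=` would break both the mapping and the filter.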
...
The [users] and [roles] sections of this file can be deleted or completely commented out when database authentication is to be used.
The information required in the [main] section for database authentication is shown in the following listing:
...
While access to a database in order to manipulate authentication information requires the database password, a system administrator still has to manually enter and modify user passwords, with the associated security risks and maintenance costs.
...
Jetty has to be restarted after changes are made to the shiro.ini file.
This view is read-only for all users - changes can only be made by a system administrator modifying the authentication and authorization configuration as described in the Authentication and Authorization Configuration article.