Versions Compared

Comment: Minor changes to text

...

The [users] section of the shiro.ini file can be deleted or completely commented out when LDAP authentication is to be used. Role names are mapped

The [main] section contains the following information:

  • specification of the LDAP service,
  • a mapping of the JOC Cockpit role names specified in the [roles] section of the file onto LDAP group names and
  • a timeout.

The information required in the [main] section for LDAP authentication is shown in the listing below:

Main Configuration - LDAP Authentication - Default Information:

```ini
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm

ldapRealm.userDnTemplate = cn={0},CN=myLDAPFolder,DC=localhost
ldapRealm.searchBase = CN=myLDAPFolder,DC=localhost
ldapRealm.contextFactory.url = ldap://localhost:389

#ldapRealm.groupNameAttribute=memberOf
#ldapRealm.userNameAttribute=cn
ldapRealm.userSearchFilter=(&(objectClass=user)(cn=%s))


# Mapping of a ldap group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"CN=JobScheduler_it_operator,CN=Roles,CN=ur_dell_partition,DC=localhost":"it_operator", \
"CN=jobscheduler_admin,CN=Roles,CN=myLDAPFolder,DC=localhost":"administrator|application_manager"

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver


securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

securityManager.sessionManager.globalSessionTimeout = 360000
```

...

  • the LDAP service information in lines 4 to 6 of the listing,
  • the mapping of LDAP groups to roles, here occupying lines 13 to 16, which is described in the next sub-section, and
  • the session timeout setting, shown in the last line and specified in milliseconds.
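As an added example (not code from the JOC Cockpit documentation or from the Shiro project), the following Python script reads a constructed [main] section modelled on the listing above, joins the backslash-continued groupRolesMap lines, splits the "|"-separated role list and resolves the roles a user would receive from the groups in their LDAP memberOf attribute. It also reports trailing whitespace after a continuation backslash; that check is a hygiene measure added here, and whether Shiro's own ini reader tolerates such whitespace is not stated on this page. Group DNs are matched case-insensitively in this example only: the realm's exact matching rules are not described on this page, so in a real configuration keep the DN case identical to the directory's.

```python
"""Resolve JOC Cockpit roles from LDAP groups via ldapRealm.groupRolesMap.

Added example, not part of JOC Cockpit or Apache Shiro. SHIRO_INI below is a
constructed sample modelled on the listing above; the group DNs in it are
placeholders, not real directory entries.
"""
import re

# Constructed sample [main] section: one backslash-continued groupRolesMap and
# one group that is assigned two roles with the "|" separator.
SHIRO_INI = """\
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = cn={0},CN=myLDAPFolder,DC=localhost
ldapRealm.searchBase = CN=myLDAPFolder,DC=localhost
ldapRealm.contextFactory.url = ldap://localhost:389

# Mapping of a ldap group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \\
"CN=JobScheduler_it_operator,CN=Roles,CN=myLDAPFolder,DC=localhost":"it_operator", \\
"CN=jobscheduler_admin,CN=Roles,CN=myLDAPFolder,DC=localhost":"administrator|application_manager"

securityManager.realms = $ldapRealm
securityManager.sessionManager.globalSessionTimeout = 360000
"""

GROUP_ROLE_RE = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')


def parse_main_section(ini_text):
    """Return ({key: value}, [problems]) for the [main] section.

    A line ending in a backslash is joined with the next one. A backslash
    followed by trailing whitespace is joined too, but reported, because not
    every properties-style reader treats that as a continuation (assumption:
    whether Shiro's reader does is not stated on the page).
    """
    props, problems = {}, []
    in_main, logical = False, ""
    for raw in ini_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_main = stripped == "[main]"
            continue
        if not in_main:
            continue
        if raw != raw.rstrip() and raw.rstrip().endswith("\\"):
            problems.append("trailing whitespace after continuation backslash: %r" % raw)
        logical += raw.rstrip()
        if logical.endswith("\\"):
            logical = logical[:-1]  # drop the backslash, keep collecting
            continue
        line, logical = logical.strip(), ""
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # first "=" only: values contain "="
        props[key.strip()] = value.strip()
    return props, problems


def parse_group_roles_map(value):
    """Turn the groupRolesMap value into {group_dn: [roles]}.

    Roles are split on "|". Group DNs are lower-cased here so that lookups
    are case-insensitive; this is a choice of this example, not a documented
    property of the realm.
    """
    mapping = {}
    for group_dn, roles in GROUP_ROLE_RE.findall(value):
        mapping[group_dn.lower()] = [r.strip() for r in roles.split("|") if r.strip()]
    return mapping


def roles_for_user(member_of, mapping):
    """Roles a user receives from the groups listed in their memberOf attribute.

    Groups without a mapping entry grant nothing, so membership of an unmapped
    group leaves the user with no JOC Cockpit role rather than a default one.
    """
    roles = []
    for dn in member_of:
        for role in mapping.get(dn.lower(), []):
            if role not in roles:
                roles.append(role)
    return roles


def session_timeout_seconds(props):
    """globalSessionTimeout is given in milliseconds; return it in seconds."""
    return int(props["securityManager.sessionManager.globalSessionTimeout"]) / 1000


if __name__ == "__main__":
    props, problems = parse_main_section(SHIRO_INI)
    for p in problems:
        print("WARNING:", p)
    mapping = parse_group_roles_map(props["ldapRealm.groupRolesMap"])
    # Constructed memberOf values for a user who is in both sample groups.
    member_of = [
        "CN=JobScheduler_it_operator,CN=Roles,CN=myLDAPFolder,DC=localhost",
        "CN=jobscheduler_admin,CN=Roles,CN=myLDAPFolder,DC=localhost",
    ]
    print("roles:", roles_for_user(member_of, mapping))
    print("session timeout (s):", session_timeout_seconds(props))
```

Running the script prints the three roles the two sample groups grant together and the timeout of 360000 ms converted to 360 seconds; a user whose memberOf lists only unmapped groups gets an empty role list, which is the behaviour to expect when a group DN in groupRolesMap does not match the directory exactly.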

...

The [users] and [roles] sections of this file can be deleted or completely commented out when database authentication is to be used.

The information required in the [main] section for database authentication is shown in the following listing:

...

While manipulating authentication information held in a database requires the database password, a system administrator still has to enter and modify user passwords manually, with the associated security risks and maintenance costs.

...

Jetty has to be restarted after changes are made to the shiro.ini file.


This view is read-only for all users - changes can only be made by a system administrator modifying the authentication and authorization configuration as described in the Authentication and Authorization Configuration article.