Comment: Minor change to section order

...

Main Configuration - LDAP Authentication - Complete example for public LDAP Server
[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/

# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm

ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389

ldapRealm.groupNameAttribute=ou
ldapRealm.userNameAttribute=uid
ldapRealm.userSearchFilter=(uniqueMember=uid=%s,dc=example,dc=com)

# Mapping of a LDAP group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"scientists":"it_operator", \
"mathematicians":"administrator|application_manager"

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver

securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000 

Example LDAP Configuration with Several LDAP Servers

LDAP configuration with several LDAP servers is achieved by defining more than one LDAP realm, as shown in the next code block.

Example LDAP Configuration with Several LDAP Servers
ldapRealm1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm1.userDnTemplate = cn={0},cn=sos,dc=berlin,dc=com
ldapRealm1.searchBase = cn=sos,dc=berlin,dc=com
ldapRealm1.contextFactory.url = ldap://host1:389
ldapRealm1.groupNameAttribute = ou
ldapRealm1.userNameAttribute = cn
ldapRealm1.userSearchFilter = (cn=%s,cn=sos,dc=berlin,dc=com)

ldapRealm2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm2.userDnTemplate = cn={0},cn=sos,dc=berlin,dc=com
ldapRealm2.searchBase = cn=sos,dc=berlin,dc=com
ldapRealm2.contextFactory.url = ldap://host2:389
ldapRealm2.groupNameAttribute = ou
ldapRealm2.userNameAttribute = cn
ldapRealm2.userSearchFilter = (cn=%s,cn=sos,dc=berlin,dc=com)

securityManager.realms = $ldapRealm1, $ldapRealm2 


Assigning roles in the shiro.ini when using LDAP

...

Main Configuration - LDAP Authentication - Example for public LDAP Server with explicitly assigned roles
[users]
gauss=, application_manager, my_role
newton=, incident_manager, my_role

[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/
 
# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
 
ldapRealm.groupNameAttribute=ou
ldapRealm.userNameAttribute=uid
ldapRealm.userSearchFilter=(uniqueMember=uid=%s,dc=example,dc=com)
 
# Mapping of a LDAP group to roles. You can assign more than one role with separator sign |
# In this example the LDAP group mapping is commented out. The user gauss will have the roles application_manager and my_role.
# You can mix both role sources, the shiro.ini file and the LDAP group mapping.
# ldapRealm.groupRolesMap = \
# "scientists":"it_operator", \
# "mathematicians":"administrator|application_manager"
 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
 
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
 
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000 

[roles]
# Permissions can be assigned to roles with a comma separated list of permissions. Permissions may have * as a wildcard

all                 = sos:products

administrator       = sos:products:joc_cockpit:jobscheduler_master:view, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:pause, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:continue, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:restart, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:terminate, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:abort, \
                      sos:products:joc_cockpit:jobscheduler_master:administration:edit_permissions, \
                      sos:products:joc_cockpit:jobscheduler_master:administration:remove_old_instances, \
                      sos:products:joc_cockpit:jobscheduler_master_cluster, \
                      sos:products:joc_cockpit:jobscheduler_universal_agent

# [The permission lists of the application_manager, it_operator, incident_manager, business_user and api_user roles are not legible in this version comparison]

my_role            = sos:products:commands:jobscheduler_master:view:status, \
                     sos:products:joc_cockpit:history:view, \
                     sos:products:joc_cockpit:order:view:status
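
As an added example (not code from the SOS documentation or the product), a small Python script that reads the two role sources the page describes, explicit [users] entries with an empty password field and ldapRealm.groupRolesMap with its | separator, and computes a user's effective roles from a constructed shiro.ini fragment; it also lists realm URLs that bind over plain ldap:// rather than ldaps://. The user's LDAP group membership is passed in as a list, so no directory is contacted.

```python
import re
# Constructed sample shiro.ini fragment in the page's own syntax (not the full file).
SHIRO_INI = r"""
[users]
gauss=, application_manager, my_role
newton=, incident_manager, my_role
[main]
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
ldapRealm.groupRolesMap = \
"scientists":"it_operator", \
"mathematicians":"administrator|application_manager"
"""

def parse_ini(text):
    """Parse shiro.ini sections into dicts, joining backslash-continued lines."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf += line.rstrip("\\")
        if line.endswith("\\"):          # continuation: keep collecting
            continue
        if buf.startswith("[") and buf.endswith("]"):
            current = buf[1:-1]
            sections[current] = {}
        elif current is not None:
            key, _, value = buf.partition("=")   # values may themselves contain '='
            sections[current][key.strip()] = value.strip()
        buf = ""
    return sections

def parse_group_roles_map(value):
    """'"group":"role1|role2", ...' -> {group: {role1, role2}}; '|' separates roles."""
    return {g: set(r.split("|")) for g, r in re.findall(r'"([^"]+)":"([^"]+)"', value)}

def effective_roles(ini, user, ldap_groups):
    """Union of explicit [users] roles and roles mapped from the user's LDAP groups."""
    roles = set()
    entry = ini.get("users", {}).get(user)
    if entry is not None:
        roles.update(r.strip() for r in entry.split(",")[1:] if r.strip())  # field 0 is the (empty) password
    group_map = parse_group_roles_map(ini.get("main", {}).get("ldapRealm.groupRolesMap", ""))
    for group in ldap_groups:
        roles.update(group_map.get(group, set()))
    return roles

def plaintext_ldap_urls(ini):
    """Realm URLs using ldap:// instead of ldaps://, i.e. simple binds without TLS."""
    return [k for k, v in ini.get("main", {}).items() if k.endswith(".contextFactory.url") and v.startswith("ldap://")]
```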


...