...

We cannot guarantee that the public LDAP server will always be online; however, if you struggle with the LDAP configuration, you might want to give it a try in order to have a working sample.

 

Code Block: Main Configuration - LDAP Authentication - Short example for public LDAP Server
[users]
gauss=, all

[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/
 
# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389

ldapRealm.groupNameAttribute=ou
ldapRealm.userNameAttribute=uid
ldapRealm.userSearchFilter=(uniqueMember=uid=%s,dc=example,dc=com)

# Mapping of an LDAP group to roles. More than one role can be assigned to a group, using | as the separator
ldapRealm.groupRolesMap = \
"scientists":"it_operator", \
"mathematicians":"administrator|application_manager"

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver

securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000 


[roles]
# Permissions can be assigned to roles with a comma-separated list of permissions. Permissions may have * as a wildcard
all                 = sos:products

Assigning roles in the shiro.ini when using LDAP

It is possible to mix LDAP authentication with local authorization from a shiro.ini file.

  • In the [users] section
    • specify the user name but do not specify a password for the user.
    • specify the list of roles that are assigned to this user.
    • Attention: The assignment must start with a comma so that the password field is skipped.
  • In the [main] section
    • you do not have to specify the LDAP group mapping to roles.
    • The roles specified with the user assignment and the roles retrieved from the ldapRealm.groupRolesMap mapping will both be added to the user.
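To see how the two role sources combine before a user is granted anything, here is an added Python example (not part of this page and not SOS or Shiro code) that parses a constructed, abbreviated shiro.ini, merges the roles after the empty password field in [users] with the roles mapped from a user's LDAP groups via ldapRealm.groupRolesMap, and then checks a permission string with Apache Shiro's wildcard rules. The user euler and his [users] line without the leading comma are assumptions, added to show the first role being consumed as the password.

```python
import re
SHIRO_INI = r"""
# constructed, abbreviated shiro.ini for this example (not the page's full file)
[users]
gauss=, application_manager, my_role
euler=business_user, my_role
[main]
ldapRealm.groupRolesMap = \
"scientists":"it_operator", \
"mathematicians":"administrator|application_manager"
[roles]
application_manager = sos:products:joc_cockpit:jobscheduler_master:view, \
                      sos:products:joc_cockpit:order
my_role             = sos:products:joc_cockpit:audit_log:view:status
"""

def parse_shiro_ini(text):  # -> {section: {key: value}}, gluing backslash-continued lines as Shiro does
    cfg, section, pending = {}, {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]  # continuation: glue the next line on
        elif line.startswith("["):
            section = cfg.setdefault(line.strip("[]"), {})
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return cfg

def effective_roles(cfg, user, ldap_groups):  # [users] roles plus roles mapped from LDAP groups
    _password, _, local = cfg["users"].get(user, "").partition(",")  # first field is the password
    roles = {r.strip() for r in local.split(",") if r.strip()}
    mapping = re.findall(r'"([^"]+)"\s*:\s*"([^"]+)"', cfg["main"]["ldapRealm.groupRolesMap"])
    for group, mapped in mapping:
        if group in ldap_groups:
            roles.update(mapped.split("|"))  # '|' separates several roles for one group
    return roles

def implies(granted, requested):
    """Shiro WildcardPermission: ':' separates parts, ',' sub-parts, '*' matches everything."""
    g, r = ([set(p.split(",")) for p in s.lower().split(":")] for s in (granted, requested))
    for gp, rp in zip(g, r):
        if "*" not in gp and not rp <= gp:
            return False
    return all(p == {"*"} for p in g[len(r):])  # a shorter granted string implies longer ones

def is_permitted(cfg, user, ldap_groups, permission):
    granted = [p.strip() for role in effective_roles(cfg, user, ldap_groups)
               for p in cfg["roles"].get(role, "").split(",")]
    return any(implies(p, permission) for p in granted if p)
```

Running it shows gauss in LDAP group mathematicians ending up with administrator, application_manager and my_role, while euler only gets my_role because business_user was read as his password.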

Example LDAP Configuration for a public LDAP Server with local roles

Code Block: Main Configuration - LDAP Authentication - Example for public LDAP Server with explicitly assigned roles
[users]
gauss=, application_manager, my_role
newton=, incident_manager, my_role

[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/
 
# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
 
ldapRealm.groupNameAttribute=ou
ldapRealm.userNameAttribute=uid
ldapRealm.userSearchFilter=(uniqueMember=uid=%s,dc=example,dc=com)
 
# Mapping of an LDAP group to roles. More than one role can be assigned to a group, using | as the separator
# In this example the LDAP group mapping is commented out. The user gauss will have the roles application_manager and my_role.
# You can mix both role sources, the shiro.ini file and the LDAP group mapping.
# ldapRealm.groupRolesMap = \
# "scientists":"it_operator", \
# "mathematicians":"administrator|application_manager"
 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
 
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
 
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000 

[roles]
# Permissions can be assigned to roles with a comma-separated list of permissions. Permissions may have * as a wildcard
all                 = sos:products

administrator       = sos:products:joc_cockpit:jobscheduler_master:view, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:restart, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:terminate, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:abort, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:pause, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:continue, \
                      sos:products:joc_cockpit:jobscheduler_master:restart_cluster, \
                      sos:products:joc_cockpit:jobscheduler_universal_agent

application_manager = sos:products:joc_cockpit:jobscheduler_master:view, \
                      sos:products:joc_cockpit:jobscheduler_master:manage_categories, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:pause, \
                      sos:products:joc_cockpit:jobscheduler_master:execute:continue, \
                      sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
                      sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
                      sos:products:joc_cockpit:daily_plan:view:status, \
                      sos:products:joc_cockpit:history:view, \
                      sos:products:joc_cockpit:order, \
                      sos:products:joc_cockpit:job_chain, \
                      sos:products:joc_cockpit:job, \
                      sos:products:joc_cockpit:process_class, \
                      sos:products:joc_cockpit:schedule, \
                      sos:products:joc_cockpit:lock, \
                      sos:products:joc_cockpit:event, \
                      sos:products:joc_cockpit:event_action, \
                      sos:products:joc_cockpit:holiday_calendar:view:status, \
                      sos:products:joc_cockpit:maintenance_window:view, \
                      sos:products:joc_cockpit:maintenance_window:enable_disable_maintenance_window, \
                      sos:products:joc_cockpit:audit_log:view:status, \
                      sos:products:joc_cockpit:customization:share

it_operator         = sos:products:joc_cockpit:jobscheduler_master:view, \
                      sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
                      sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
                      sos:products:joc_cockpit:daily_plan:view:status, \
                      sos:products:joc_cockpit:history:view, \
                      sos:products:joc_cockpit:order, \
                      sos:products:joc_cockpit:job_chain, \
                      sos:products:joc_cockpit:job, \
                      sos:products:joc_cockpit:process_class, \
                      sos:products:joc_cockpit:schedule, \
                      sos:products:joc_cockpit:lock, \
                      sos:products:joc_cockpit:event, \
                      sos:products:joc_cockpit:event_action, \
                      sos:products:joc_cockpit:holiday_calendar:view:status, \
                      sos:products:joc_cockpit:maintenance_window:view, \
                      sos:products:joc_cockpit:audit_log:view:status, \
                      sos:products:joc_cockpit:customization:share:view

incident_manager    = sos:products:joc_cockpit:jobscheduler_master:view, \
                      sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
                      sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
                      sos:products:joc_cockpit:daily_plan:view:status, \
                      sos:products:joc_cockpit:history:view, \
                      sos:products:joc_cockpit:order:view, \
                      sos:products:joc_cockpit:order:remove_setback, \
                      sos:products:joc_cockpit:job_chain:view, \
                      sos:products:joc_cockpit:job:view, \
                      sos:products:joc_cockpit:process_class:view, \
                      sos:products:joc_cockpit:schedule:view, \
                      sos:products:joc_cockpit:lock:view, \
                      sos:products:joc_cockpit:event:view, \
                      sos:products:joc_cockpit:event_action:view, \
                      sos:products:joc_cockpit:holiday_calendar:view:status, \
                      sos:products:joc_cockpit:maintenance_window:view, \
                      sos:products:joc_cockpit:audit_log:view:status, \
                      sos:products:joc_cockpit:customization:share:view

business_user       = sos:products:joc_cockpit:jobscheduler_master:view:status, \
                      sos:products:joc_cockpit:jobscheduler_master_cluster:view:status, \
                      sos:products:joc_cockpit:jobscheduler_universal_agent:view:status, \
                      sos:products:joc_cockpit:daily_plan:view:status, \
                      sos:products:joc_cockpit:history:view, \
                      sos:products:joc_cockpit:order:view:status, \
                      sos:products:joc_cockpit:order:view:order_log, \
                      sos:products:joc_cockpit:job_chain:view:status, \
                      sos:products:joc_cockpit:job_chain:view:history, \
                      sos:products:joc_cockpit:job:view:status, \
                      sos:products:joc_cockpit:job:view:history, \
                      sos:products:joc_cockpit:job:view:task_log, \
                      sos:products:joc_cockpit:process_class:view:status, \
                      sos:products:joc_cockpit:schedule:view:status, \
                      sos:products:joc_cockpit:lock:view:status, \
                      sos:products:joc_cockpit:holiday_calendar:view:status, \
                      sos:products:joc_cockpit:maintenance_window:view:status

api_user            = sos:products:commands:jobscheduler_master:view:status, \
                      sos:products:commands:history:view, \
                      sos:products:commands:order, \
                      -sos:products:commands:order:view:configuration, \
                      -sos:products:commands:order:remove_setback, \
                      -sos:products:commands:job:view:configuration, \
                      -sos:products:commands:job_chain:view:configuration, \
                      sos:products:commands:process_class:view:status, \
                      sos:products:commands:schedule:view:status, \
                      sos:products:commands:lock:view:status, \
                      sos:products:commands:holiday_calendar:view:status, \
                      sos:products:commands:maintenance_window:view:status

my_role             = sos:products:joc_cockpit:history:view, \
                      sos:products:joc_cockpit:order:view:status

It is also possible to assign the roles directly in the shiro.ini. Add a [users] section with the LDAP user as the key and a comma-separated list of roles that are assigned to the user. These roles and the roles coming from the LDAP group-to-roles mapping will both be added to the user.

Attention: The list must start with a comma so that the password field is skipped.

Shortest shiro.ini with ldap

Code Block: Shortest shiro.ini with LDAP
[users]
gauss=, all

[main]
# Public LDAP Server for testing purposes
# see http://www.forumsys.com/en/tutorials/integration-how-to/ldap/online-ldap-test-server/
 
# Active Directory realm configuration
# See http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
 
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
 
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 360000 

[roles]
# Permissions can be assigned to roles with a comma-separated list of permissions. Permissions may have * as a wildcard
all                 = sos:products


Database Authentication

System administrators can implement database authentication manually, using a database that is separate from the JobScheduler database(s) and possibly a separate DBMS.

...