Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



The key is the name of the realm. You can define any name. The name is taken as a reference to set the properties of the realm.

The value is the name of the class that implements the realm. The implementation from SOS extends org.apache.shiro.realm.ldap.JndiLdapRealm

Please note that you can have more than one LDAP realm configuration but each realm requires a unique name.


The host and the port of your LDAP server. You can check whether the server is reachable with telnet host port

Make sure that the firewall is open for the given port.


To enable Starttls set the value to true (Default is false)

Please note that the server must be prepared to serve with Starttls. To check this, you can use an LDAP browser such as the "Softerra LDAP Browser". Configure your LDAP Server there and click the "Enable Starttls Button"

On client side you will need the certificate and you have to add the certificate to your truststore. The path to your truststore is defined in the configuration file.

truststore_path = path to your truststore.

Example values:

  • C:/Program Files/Java/jdk1.8.0_131/jre/lib/security/cacerts or 
  • ../../etc/joc.jks

See Documentation LDAP With SSL


we habe had difficulties when using Starttls with the JRE 1.8.0_151 and have overcome these by installing the corresponding JDK.

on|off true|falseEnables the host name verification of the certificate. The default value is off.
The implementation of the permission resolver. The SOS implementation uses the  org.apache.shiro.realm.text.IniRealm class to resolve the permissions. This means that the permissions a role is assigned are specified with the configuration file shiro.ini in the same way as it is done when using the iniRealm.
Sets the role permission resolver for the LDAP realm.
$ldapRealm [, $ldapRealm [, $iniRealm]]

Sets the list of realms that should be used for authentication. This is a comma separated list of items.

Example values:

  • $ldapRealm --> Only one realm is specified.

  • $ldapRealm, $iniRealm --> You can login with an account from the LDAP Directory Service or with an account specified in the [users] section in the configuration file shiro.ini.

  • $ldapRealm1, $ldapRealm2 --> You can login with an account available from the LDAP Directory Service specified with the $ldapRealm1 realm or with the $ldapRealm2 realm.


Authentication can be configured for a multi-realm environment made up of one or more LDAP realms, with or without an ini realm. The A simple multi-realm configuration is shown in the mixed LDAP and Shiro Authentication example lmixed LDAP and Shiro Authentication example below shows a simple multi-realm configuration.