Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Uwe Risse

Saved on

compared with

New Version 5

changes.mady.by.user Uwe Risse

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Please not that the value of the group depends on the result of the search. It is the value of the attribute you have specified in the groupNameAttribute.

 

Example

ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manager

...

There are two options how to find the membership of the user.

Using

...

memberOf with User Search

Looking for the user entry and then reading the "memberOf" attribute.

Especially when using an AD LDAP Server or when "memberOf" is enabled in e.g. OpenLdap you can make use of the attribute "memberOf" for the given user. 

Define an userSearchFilter and a searchBase that will find the user (%s will be replaced by the username from the login without the domain)

Example for user group search

ldapRealm.searchBase = ou=People,dc=sos

ldapRealm.userSearchFilter = (uid=%s)

Example for AD
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.userSearchFilter = (sAMACountName=%s)

To get the correct values for the searchBase and the userSearchFilter a LDAP client like the Softerra LDAP Browser is very helpful. Perform a directory search with the values. You should find exactly one entry. 

Image Added

The searchBase is the value of the base DN

Hint: When in your environment the attribute name is not the default "memberOf" you can specify the name of the attribute with groupNameAttribute key.

Using group search 

When the memberOf attribute is not available for the user, you can use the group search.

Define the groubSearchBase and the groupSearchFilter

ldapRealm.groupSearchBase = ou=Groups,dc=sos

ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

To get the correct values for these key a LDAP client like the "Softerra LDAP Browser" is helpful.

Getting the value for the groupSearchBase

Identify the place where the groups are stored. This is your groupSearchBase.

Image Added

 

 

Image Added

 

Getting the value for the groupSearchFilter

Click one groupEntry and see how the members are stored there.

Image Added

 

 

The groupSearchFilter is

attr=val

where attr is name of the attribute and val is the content where the userid is replaced with %s. In this example

ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

To verify this you can perform a directory search with you groupSearchBase and your groupSearchFilter. The result should show all groups the user is a member of.

Image Added

Now set the groupNameAttribute to the name of the attribute that contains the group name.

ldapRealm.groupNameAttribute = cn

The whole configuration looks like this

Code Block
titleGroup Search
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos

ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.groupNameAttribute = cnldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

# Mapping of a LDAP group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000
 
Substitution of the username

Sometimes the values of the member to not contain the username from the login but e.g. the cn of the user. In that case you have to search the user first and specify the name of the attribute that should be used instead of the username from the login .

To achive this, specify a searchBase, a userSearchFilter and a userNameAttribute.

ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)

To check the user search perform a directory search with your LDAP client. You should find exactly the one user entry of the given username.

Image Added

 

Then identify the name of the attribute that contains the value for the substitution. E.g.

ldapRealm.userNameAttribute = cn

The whole information looks like this

Code Block
collapsetrue
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos

ldapRealm.userNameAttribute = cn
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)

ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.groupNameAttribute = cn
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

# Mapping of a LDAP group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000

Using group search 

Using more than one LDAP server

 

 

 

...