...

With the authentication you will check for a valid username/password combination. To achieve this, you have to specify the userDnTemplate.


Username

The username is part of the login patterns

...

The JOC Account Manager will consider the handling of blanks. Please note that you have to specify the user with the domain in the JOC Account Manager and without password.

Configuration in the configuration file shiro.ini

Main section with the user authentication. The roles are assigned in the [users] section.

...

ldapsearch -h localhost -p 389 -b "uid=ur,ou=People, dc=sos" -x

Should give a result like:

...

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

...

Try to log in with a username from LDAP and a password. Use a username for which you have verified the correctness by executing the ldapsearch from above. When you see this screen, the authentication works.

...

Please refer to the chapter "Username" to see how to specify the username.

...

Here is a typical configuration with LDAP authentication and shiro.ini authorization.

[users]
gauss = ,all
newton = ,it_operator,administrator

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000

 

...

Assigning roles from LDAP Groups

The group roles mapping

When assigning roles from LDAP groups, the groups the user is a member of are mapped to the roles that are defined in the configuration file shiro.ini. This is done with the groupRolesMap.

...

where list_of_roles is a list of roles that are defined in the configuration file shiro.ini, separated by a bar (|).

Please note that the value of the group depends on the result of the search. It is the value of the attribute you have specified in the groupNameAttribute.

...

Using memberOf with User Search

This approach looks for the user entry and then reads the "memberOf" attribute.

Especially when using an AD LDAP server, or when "memberOf" is enabled in e.g. OpenLDAP, you can make use of the attribute "memberOf" for the given user.

Define a userSearchFilter and a searchBase that will find the user (%s will be replaced by the username from the login without the domain).

...

ldapRealm.searchBase = dc=example,dc=com
ldapRealm.userSearchFilter = (sAMAccountName=%s)

To get the correct values for the searchBase and the userSearchFilter, an LDAP client like the "Softerra LDAP Browser" is very helpful. Perform a directory search with the values. You should find exactly one entry.

...

Hint: When in your environment the attribute name is not the default "memberOf", you can specify the name of the attribute with the groupNameAttribute key.


Using group search 

When the memberOf attribute is not available for the user, you can use the group search.

...

To verify this you can perform a directory search with your groupSearchBase and your groupSearchFilter. The result should show all groups the user is a member of.

...

Sometimes the values of the member attribute do not contain the username from the login but e.g. the cn of the user. In that case you have to search the user first and specify the name of the attribute that should be used instead of the username from the login.

To achieve this, specify a searchBase, a userSearchFilter and a userNameAttribute.

ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
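As an added example (not code from the JOC Cockpit project), the following Python sketch shows how the settings discussed on this page are applied to a login: the domain is stripped, {0} in the userDnTemplate and %s in the userSearchFilter are expanded, the userNameAttribute value of the found user entry replaces the login name for the group member match, and the groups found are mapped to roles separated by |. The group mapping and the user entry are constructed values; the exact groupRolesMap syntax is not shown on this page, and a real realm would also escape DN special characters before expanding the userDnTemplate.

```python
# Constructed settings following the page's shiro.ini fragments; the group
# mapping is modelled as a dict because its exact syntax is not shown here.
USER_DN_TEMPLATE = "uid={0},ou=People, dc=sos"
USER_SEARCH_FILTER = "(sAMAccountName=%s)"
USER_NAME_ATTRIBUTE = "cn"
GROUP_ROLES_MAP = {
    "CN=JOC-Admins,OU=Groups,DC=example,DC=com": "administrator|it_operator",
    "CN=JOC-Users,OU=Groups,DC=example,DC=com": "all",
}

# RFC 4515 filter metacharacters: escape them before a login name is inserted
# into the search filter, so the filter cannot be altered by the input.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def strip_domain(login):
    """'gauss@example.com' or 'EXAMPLE\\gauss' -> 'gauss' (login without the domain)."""
    if "@" in login:
        return login.split("@", 1)[0]
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    return login


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(login):
    """Authentication: expand {0} in userDnTemplate to get the DN to bind with."""
    return USER_DN_TEMPLATE.format(strip_domain(login))


def user_search_filter(login):
    """User search: expand %s in userSearchFilter with the escaped login name."""
    return USER_SEARCH_FILTER.replace("%s", escape_filter_value(strip_domain(login)))


def member_value(user_entry, login):
    """Value matched against the group's member attribute: the userNameAttribute
    of the found user entry if present, otherwise the login name itself."""
    values = user_entry.get(USER_NAME_ATTRIBUTE)
    return values[0] if values else strip_domain(login)


def roles_for_groups(group_values):
    """Map group values (memberOf DNs or groupNameAttribute values, compared
    exactly as returned by the search) to roles; unmapped groups grant nothing."""
    roles = []
    for group in group_values:
        for role in GROUP_ROLES_MAP.get(group, "").split("|"):
            if role and role not in roles:
                roles.append(role)
    return roles
```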

...