...
Authentication checks for a valid username/password combination against the LDAP server. To achieve this, you have to specify the userDnTemplate. The placeholder {0} in the template is replaced with the username from the login, and the resulting DN is used to bind to the LDAP server with the password entered at login.
Username
The username is part of the login patterns
...
The JOC Account Manager takes care of handling blanks. Please note that in the JOC Account Manager you have to specify the user including the domain and without a password.
Configuration in the configuration file shiro.ini
The [main] section configures the user authentication. The roles are assigned in the [users] section.
...
ldapsearch -h localhost -p 389 -b "uid=ur,ou=People, dc=sos" -x
Should give a result like:
...
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x
```ldif
# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
...
Try to log in with a username from LDAP and its password. Use a username for which you have verified the entry by executing the ldapsearch from above. When you see this screen, the authentication works.
...
Please refer to the chapter "Username" to see how to specify the username.
...
Here is a typical configuration with LDAP authentication and shiro.ini authorization. The users get an empty password in the [users] section because the password is checked by the LDAP server; only their roles are taken from shiro.ini.

```ini
[users]
gauss = ,all
newton = ,it_operator,administrator

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000
```

Note that with a plain ldap:// URL on port 389 the user's password is sent to the directory server unencrypted; outside of test environments use an ldaps:// URL or a server that enforces StartTLS. The globalSessionTimeout is given in milliseconds (900000 = 15 minutes).
...
Assigning roles from LDAP Groups
The group roles mapping
When roles are assigned from LDAP groups, the groups the user is a member of are mapped to the roles that are defined in the configuration file shiro.ini. This is done with the groupRolesMap.
...
where list_of_roles is a list of roles that are defined in the configuration file shiro.ini, separated with a bar (|).
Please note that the value of the group depends on the result of the search: it is the value of the attribute you have specified in the groupNameAttribute. Copy it exactly as it appears in the search result.
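The mapping described above, as an added worked example that is not part of the page or of the SOS realm. The quoted "group value":"role|role" pair syntax used for the map string is an assumption of this example; the bar-separated role list is what the text describes. The example parses such a map, resolves a user's group values (the values of the groupNameAttribute) into roles, and includes the two checks a practitioner wants: a group value that differs from the search result even only in case yields no roles, and a mapped role that shiro.ini does not define is reported before anyone logs in.

```python
import re

# Constructed example of a groupRolesMap as it might appear in shiro.ini.
# The "group":"role|role" pair syntax is an assumption of this example.
GROUP_ROLES_MAP_RAW = (
    '"cn=admins,ou=Groups,dc=sos":"administrator|it_operator", '
    '"cn=it-operators,ou=Groups,dc=sos":"it_operator", '
    '"cn=everyone,ou=Groups,dc=sos":"all"'
)

# Roles defined in shiro.ini (constructed for this example).
DEFINED_ROLES = {"all", "administrator", "it_operator"}


def parse_group_roles_map(raw):
    """Split '"group":"role|role", ...' into {group: [role, ...]}."""
    pairs = re.findall(r'"([^"]+)"\s*:\s*"([^"]*)"', raw)
    return {group: [r.strip() for r in roles.split("|") if r.strip()]
            for group, roles in pairs}


def undefined_roles(group_roles_map, defined_roles):
    """Roles referenced by the map that shiro.ini never defines (a configuration error)."""
    referenced = {r for roles in group_roles_map.values() for r in roles}
    return sorted(referenced - set(defined_roles))


def roles_for_user(group_values, group_roles_map):
    """Map the user's groupNameAttribute values to the set of shiro.ini roles.

    This example compares the group value by exact string match, so the key in
    the map must be copied verbatim from the directory search result; a value
    that differs in case or spacing is silently ignored and grants no role.
    """
    roles = set()
    for group in group_values:
        roles.update(group_roles_map.get(group, []))
    return roles


if __name__ == "__main__":
    group_roles_map = parse_group_roles_map(GROUP_ROLES_MAP_RAW)
    print("undefined roles:", undefined_roles(group_roles_map, DEFINED_ROLES))
    print(roles_for_user(["cn=admins,ou=Groups,dc=sos"], group_roles_map))
```

A user whose groups are all unmapped ends up with an empty role set, which is the safe default: the realm should then grant no permissions rather than fall back to a catch-all role.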
...
Using memberOf with User Search
This approach looks up the user entry and then reads its "memberOf" attribute.
Especially with an Active Directory server, or with OpenLDAP when the memberOf overlay is enabled, you can make use of the "memberOf" attribute of the given user.
Define a userSearchFilter and a searchBase that will find the user (%s will be replaced by the username from the login without the domain):
...
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.userSearchFilter = (sAMAccountName=%s)
To get the correct values for the searchBase and the userSearchFilter, an LDAP client like the "Softerra LDAP Browser" is very helpful. Perform a directory search with these values; it should find exactly one entry.
...
Hint: when the attribute name in your environment is not the default "memberOf", you can specify the name of the attribute with the groupNameAttribute key.
Using group search
When the memberOf attribute is not available for the user, you can use the group search.
...
To verify this, perform a directory search with your groupSearchBase and your groupSearchFilter. The result should show all groups the user is a member of.
...
Sometimes the values of the member attribute do not contain the username from the login but e.g. the cn of the user. In that case you have to search for the user first and specify the name of the attribute whose value should be used in the group search instead of the username from the login.
To achieve this, specify a searchBase, a userSearchFilter and a userNameAttribute.
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
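The user search from the memberOf section and the group search with a userNameAttribute from this section, combined into one worked example. This is added example code, not part of the page or of the SOS realm: a constructed in-memory directory and a small matcher for single-attribute filters stand in for a real LDAP server, and the setting values it uses (searchBase ou=People,dc=sos, userSearchFilter (uid=%s), userNameAttribute cn, groupSearchBase ou=Groups,dc=sos, groupSearchFilter (member=%s)) are assumptions chosen for the example. It shows the two checks a practitioner wants around the %s substitution: the value is escaped according to RFC 4515 before it goes into the filter, so a login such as * cannot widen the search, and a user search that returns anything other than exactly one entry is rejected.

```python
import re

# Constructed sample directory (not a real LDAP server). The "member" values of
# the groups hold the users' cn rather than the uid used at login.
SAMPLE_DIRECTORY = {
    "cn=Carl Friedrich Gauss,ou=People,dc=sos": {"uid": "gauss", "cn": "Carl Friedrich Gauss"},
    "cn=Isaac Newton,ou=People,dc=sos": {"uid": "newton", "cn": "Isaac Newton"},
    "cn=Leonhard Euler,ou=People,dc=sos": {"uid": "euler", "cn": "Leonhard Euler"},
    "cn=admins,ou=Groups,dc=sos": {"cn": "admins", "member": ["Isaac Newton"]},
    "cn=it-operators,ou=Groups,dc=sos": {"cn": "it-operators",
                                        "member": ["Carl Friedrich Gauss", "Isaac Newton"]},
}

# Realm settings as they would appear in shiro.ini (values assumed for this example).
SEARCH_BASE = "ou=People,dc=sos"
USER_SEARCH_FILTER = "(uid=%s)"
USER_NAME_ATTRIBUTE = "cn"
GROUP_SEARCH_BASE = "ou=Groups,dc=sos"
GROUP_SEARCH_FILTER = "(member=%s)"

# RFC 4515: characters that must be escaped inside a filter assertion value.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def strip_domain(login):
    """Reduce 'DOMAIN\\user' or 'user@domain' to the bare account name."""
    if "\\" in login:
        login = login.split("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    return login


def escape_filter_value(value):
    """Escape a value before placing it into an LDAP search filter."""
    return "".join(RFC4515_ESCAPES.get(c, c) for c in value)


def build_filter(template, value, escape=True):
    """Replace %s in a filter template; escape=False reproduces an injectable filter."""
    return template.replace("%s", escape_filter_value(value) if escape else value)


def _pattern_to_regex(pattern):
    # An unescaped '*' is an LDAP wildcard; '\xx' sequences are literal characters.
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
            i += 1
        elif c == "\\" and i + 2 < len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(re.escape(c))
            i += 1
    return "^" + "".join(out) + "$"


FILTER_RE = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def search(directory, base, filt):
    """Subtree search under base for one (attribute=value) filter; returns matching DNs."""
    m = FILTER_RE.match(filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, rx = m.group(1), re.compile(_pattern_to_regex(m.group(2)))
    hits = []
    for dn, entry in directory.items():
        if not dn.lower().endswith(base.lower()):
            continue
        values = entry.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if any(rx.match(v) for v in values):
            hits.append(dn)
    return hits


def find_user(directory, login, escape=True):
    """Return the DN of the login's entry; None unless exactly one entry matches."""
    filt = build_filter(USER_SEARCH_FILTER, strip_domain(login), escape)
    hits = search(directory, SEARCH_BASE, filt)
    return hits[0] if len(hits) == 1 else None


def groups_of(directory, login):
    """Resolve login -> user entry -> value of userNameAttribute -> group DNs."""
    user_dn = find_user(directory, login)
    if user_dn is None:
        return []
    member_value = directory[user_dn][USER_NAME_ATTRIBUTE]
    filt = build_filter(GROUP_SEARCH_FILTER, member_value)
    return sorted(search(directory, GROUP_SEARCH_BASE, filt))


if __name__ == "__main__":
    print(find_user(SAMPLE_DIRECTORY, "*", escape=False))   # three hits: rejected
    print(groups_of(SAMPLE_DIRECTORY, "SOS\\newton"))
```

Without the escaping, a login of * turns the user search into (uid=*) and matches every entry under the search base; with it the filter becomes (uid=\2a), which matches nothing. Both cases are rejected by the exactly-one-entry rule, which is the check to keep even when the filter is escaped.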
...