Introduction
This article describes the configuration of the JOC Cockpit to use an LDAP server for authentication. This configuration is done in the JOC Cockpit's shiro.ini file, whose overall configuration is described in the Authentication and Authorization - Configuration article. A general introduction to authentication and authorization in the JOC Cockpit is provided in the JOC Cockpit - Authentication and Authorization article.
A Simple LDAP Test
A public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. In this article we refer to the authentication of two users, gauss and newton, who are each a member of a different group, as shown in the following table:

| Account Name | Password | Group |
|---|---|---|
| gauss | password | mathematicians |
| newton | password | scientists |
Public Server
LDAP Configuration items
We refer in this document to a public LDAP server. To configure a realm for accessing the public LDAP server, add the following lines to the [main] section of the shiro.ini file.
```ini
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
    scientists : it_operator, \
    mathematicians: all
```
...
```shell
# Bind as gauss (-D, password prompted by -W) and read gauss's own entry (-b);
# a successful result confirms the DN built from the userDnTemplate is valid.
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"
```
...
Follow these steps to set up the configuration:
- Set up the basic LDAP configuration
- Set up the authentication
- Set up the authorization
- Define the groupRolesMap (optional)
- Define the roles per user in the [users] section (optional)
- Define the search for groups
...
1. Basic LDAP Configuration
There are some configuration items that configure the LDAP realm itself. These items cannot be changed with the Account Management in JOC.
...
2. Authentication
Authentication checks for a valid username/password combination. To achieve this, you have to specify the userDnTemplate; the {0} placeholder in the template is replaced with the login name to form the DN that is bound with the given password. The value for the userDnTemplate can be read from the properties page of a user.
...
3. Authorization
Authorization means the assignment of roles to users. A role has permissions that are listed in the shiro.ini configuration file. A user has all permissions coming from the assigned roles.
...
```ldif
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#

# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
Verification with LDAP Browser
...
This search should return the user with the given username. Identify the attribute whose value is to be substituted into the group search if it is not the username from the login.
```ldif
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=sos> with scope subtree
# filter: uid=fTester
# requesting: ALL
#

# fTester, People, sos
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Tester
cn: Fritz Tester

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
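The following script is an added example, not code from SOS or from the JOC Cockpit, that walks through how the realm settings above fit together with the two LDIF results (the group search and the user search) without contacting a server: it renders the userDnTemplate for a login, looks the user up by userNameAttribute, substitutes that value into the userSearchFilter, collects the groupNameAttribute of every matching group and maps it through groupRolesMap. The realm values for the dc=sos tree and the mapping of sos and apl to roles are assumptions constructed for the example; the LDIF is the page's own output with the ldapsearch comment lines dropped. The filter escaping follows RFC 4515 and is a defensive measure added here, not a description of what SOSLdapAuthorizingRealm does internally.

```python
"""Offline walk-through of the shiro.ini LDAP realm settings against the
LDIF results shown on the page (constructed sample data, no live server)."""
import re

# Assumed realm settings for the dc=sos tree, in the shape of the shiro.ini keys.
REALM = {
    "userDnTemplate": "uid={0},ou=People,dc=sos",
    "userNameAttribute": "uid",
    "userSearchFilter": "(uniqueMember=uid=%s,ou=People,dc=sos)",
    "groupNameAttribute": "cn",
    "groupRolesMap": {"sos": ["all"], "apl": ["it_operator"]},  # assumed mapping
}

# Constructed from the page's user search result (ou=People, filter uid=fTester).
USER_LDIF = """\
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
sn: Tester
cn: Fritz Tester
"""

# Constructed from the page's group search result (ou=Groups, two groups).
GROUP_LDIF = """\
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
"""


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64 values) into a list
    of entries, each a dict mapping attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into a search filter, so a login
    name containing '*', '(' or ')' cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_dn(realm, login):
    """Render the userDnTemplate: {0} is replaced by the login name."""
    return realm["userDnTemplate"].replace("{0}", login)


def lookup_user(realm, login, user_entries):
    """Find the entry whose userNameAttribute equals the login (uid=<login>)."""
    attr = realm["userNameAttribute"]
    return next((e for e in user_entries if login in e.get(attr, [])), None)


def groups_for(realm, subst_value, group_entries):
    """Substitute %s in userSearchFilter and return the groupNameAttribute of
    every group entry matching the resulting equality filter."""
    flt = realm["userSearchFilter"] % escape_filter_value(subst_value)
    attr, wanted = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    name = realm["groupNameAttribute"]
    return [e[name][0] for e in group_entries if wanted in e.get(attr, [])]


def roles_for(realm, login):
    """Full chain: user lookup -> group search -> groupRolesMap, in order."""
    user = lookup_user(realm, login, parse_ldif(USER_LDIF))
    if user is None:
        return []
    subst = user[realm["userNameAttribute"]][0]
    roles = []
    for group in groups_for(realm, subst, parse_ldif(GROUP_LDIF)):
        for role in realm["groupRolesMap"].get(group, []):
            if role not in roles:
                roles.append(role)
    return roles


if __name__ == "__main__":
    print(user_dn(REALM, "fTester"))   # uid=fTester,ou=People,dc=sos
    print(roles_for(REALM, "fTester"))  # ['all', 'it_operator']
```

Running the script shows that fTester is a uniqueMember of both sos and apl and therefore receives the roles of both groups; a login that does not match any uid attribute yields no roles, and a login containing filter metacharacters is escaped before substitution so the group filter stays an exact uniqueMember comparison.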
Verification with LDAP Browser
...