...
How to set up an LDAP configuration
...
Carry out the following steps:
- Set up the basic LDAP configuration
- Set up the authentication
- Set up the authorization
- Defining the groupRolesMapping (optional)
- Defining the roles per user in the [users] section (optional)
- Defining the search for groups
...
There are some configuration items that configure the ldap LDAP realm. These items can not cannot be changed with the Account Management in JOC.
Key | Value | Description |
---|---|---|
ldapReam | com.sos.auth.shiro.SOSLdapAuthorizingRealm | The key is the name of the realm. You can define any name. The name is taken as a reference to set the properties of the realm. The value is the name of the class that implements the realm. The implementation from SOS extends Please note that you can have more than one ldap LDAP configuration. |
ldapRealm.contextFactory.url | ldap://host:port | The host and the port of your LDAP server. You can check whether the server is reachable with Make sure that the firewall is open for the given port. |
ldapRealm.useStartTls | true|false | To enable starttls set the value to true (Default is Please note the the server must be prepared to serve with Starttls. To check this, you can use a LDAP browser like "Softerra LDAP Browser". Configure your LDAP Server there and click the "Enable Starttls Button" On Client Site client site you will need the certificate and you have to add the certificate to your truststore. The path of your truststore is definied defined in the JOC configuration file joc.properties configuration file.
e.g.
|
ldapRealm.hostNameVerification | on|off true|false | To enable the host name verification of the certificate. The default is off. |
rolePermissionResolver | com.sos.auth.shiro.SOSPermissionResolverAdapter | The implementation of the permission resolver. The SOS implementation sets an org.apache.shiro.realm.text.IniRealm to resolve the permissions. That means that the permissions a role have are specified in the configuration file shiro.ini in the same way it is done when using the iniRealm . |
ldapRealm.rolePermissionResolver | $rolePermissionResolver | Sets the role permission resolver for the ldap LDAP realm. |
securityManager.realms | $ldapRealm | Sets the list of realm that should be used for authentication. This is a comma seperated separated list of realms. e.g.
|
...
- username@domain
- domain\username
- username
The username may have blanks blank spaces if they are stored in a LDAP directory. Usernames stored in the configuration file shiro.ini
configuration file may not have blankscontain blank spaces.
When referring to usernames from the LDAP directory to keys in the [users] section to assign roles to the user, you have to change blanks to %20. The password must be empty. When you login with a domain the reference must contain the whole domain/username pattern e.g. user@domain
The JOC Account Manager will consider considers the handling of blanks. Please note that you have to specify the user with the domain in the JOC Account Manager and without password.
...
ldapsearch -h localhost -p 389 -b "uid=ur,ou=People, dc=sos" -x
Should This should give a result likesuch as:
Code Block | ||||
---|---|---|---|---|
| ||||
# ur, People, sos dn: uid=ur,ou=People,dc=sos mail: uwe.risse@sos-berlin.com uid: ur givenName: Uwe objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: Risse cn: Uwe Risse preferredLanguage: de # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 |
Example with
...
a public server
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x
...
Authorization means the assignment of roles to users. A role have permissions that are listed in the shiro.ini
configuration file. A user have has all permissions coming from the assigned roles.
There are two options how to assigns roles for assigning Roles to users. Both options can be mixed. The result of the mix is the union of all assigned rolesRoles.
Assigning roles in the shiro.ini
File
The roles Roles assignment in the shiro.ini
file is managed with configured in the Manage Accounts view of the JOC Account ManagerCockpit.
The JOC Account Manager writes the roles assigned roles to an entry are saved in the [users] section of the shiro.ini
configuration file.
In the [users] section you list the users that are available in the LDAP.
...
Please refer to the chapter "Username" to see how to specify the username.
The list_of_roles is a comma separated list of roles e.g. it_operator,administrator
...
The groupSearchFilter is attr=val
where attr
is name of the attribute and val
is the content where the userid is replaced with %s. In this example
...
This search should return the group entries the user is a member. Please identify the attribute that contains containing the group name that should is to be used in the user roles mapping.
...
Hint: Please note that the whole content of this attribute must be used in the groupRolesMap
attribute. Sometimes here is something like Typical contents of the attribute could be ou=Groups, dc=sos, cn=groupname
. Please take the whole value for the mapping.
...
This search should return the user with the given username. Please identify the attribute that should be used for the substitution in the group search base if it is not the username from the login.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# extended LDIF # # LDAPv3 # base <ou=People,dc=sos> with scope subtree # filter: uid=fTester # requesting: ALL # # fTester, People, sos dn: uid=fTester,ou=People,dc=sos mail: info@sos-berlin.com uid: fTester givenName: Fritz objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: Tester cn: Fritz Tester # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 |
...
Then identify the name of the attribute that contains the value for the substitution. E.g.For example:
ldapRealm.userNameAttribute = cn
The whole configuration looks like this
...