Comment: 'Basic LDAP Configuration' updated

...

A public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server - gauss and newton - each of which is a member of a different LDAP group, as shown in the following table:

...

To configure a realm for accessing this public LDAP server, add the following lines to the [main] section of the shiro.ini file, either before or after the line:

...

Save the modified shiro.ini file. The change takes effect immediately; it is not necessary to restart the Jetty web server.

You will now be able to use the JOC Cockpit to authenticate the two User Accounts with the name:password combinations listed in the table above against the LDAP server.

The Shiro authentication with the accounts from the [users] section of shiro.ini (using, for example, the default root:root User Account) will still be active alongside the LDAP users listed above. Change the password of the default root account, or remove it, before the installation is exposed to other users.

The LDAP group memberships will be mapped onto the default roles configured in the shiro.ini [roles] section as can be seen in lines 15-17 of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles - the User Account gauss, for example, will have all permissions.

...

  1. Set up the basic LDAP configuration
  2. Set up the authentication
  3. Set up the authorization

1. Basic LDAP Configuration

The following table lists the basic items used to configure an LDAP realm. These items are configured in the [main] section of the shiro.ini file and cannot be changed with the Account Management in JOC.

(See the Authentication and Authorization - Configuration article for more information about the shiro.ini file)

Key / Value / Description

ldapRealm
com.sos.auth.shiro.SOSLdapAuthorizingRealm

The key is the name of the realm. You can define any name; the name is used as the prefix for setting the properties of the realm (ldapRealm.contextFactory.url, ldapRealm.useStartTls and so on).

The value is the name of the class that implements the realm. The implementation from SOS extends org.apache.shiro.realm.ldap.JndiLdapRealm.

Please note that you can have more than one LDAP configuration, each with its own realm name.

ldapRealm.contextFactory.url
ldap://host:port

The host and the port of your LDAP server. You can check whether the server is reachable with telnet host port.

Make sure that the firewall is open for the given port.

ldapRealm.useStartTls
true|false

To enable StartTLS set the value to true (the default is false). Without StartTLS (or an ldaps:// URL) the bind DN and password are sent to the LDAP server in clear text.

Please note that the server must be prepared to serve StartTLS. To check this, you can use an LDAP browser such as the "Softerra LDAP Browser": configure your LDAP server there and click the "Enable StartTLS" button.

On the client side you will need the server certificate and you have to add it to your truststore. The path to your truststore is defined in the joc.properties configuration file:

truststore_path = path to your truststore

Example values:

  • C:/Program Files/Java/jdk1.8.0_131/jre/lib/security/cacerts or
  • ../../etc/joc.jks

ldapRealm.hostNameVerification
on|off (true|false)

Enables the host name verification of the server certificate. The default is off. With verification off the certificate is still validated against the truststore, but its name is not matched against the host given in contextFactory.url, so a valid certificate for any other host in the truststore would be accepted. Switch it on for production use.

rolePermissionResolver
com.sos.auth.shiro.SOSPermissionResolverAdapter

The implementation of the permission resolver. The SOS implementation uses an org.apache.shiro.realm.text.IniRealm to resolve the permissions. That means that the permissions a role has are specified in the shiro.ini configuration file in the same way as when using the iniRealm.

ldapRealm.rolePermissionResolver
$rolePermissionResolver

Sets the role permission resolver for the LDAP realm.

securityManager.realms
$ldapRealm

Sets the list of realms that should be used for authentication. This is a comma separated list of realm references.

Example values:

  • $ldapRealm --> only one realm specified.
  • $ldapRealm,$iniRealm --> you can log in with a user from LDAP or with a user specified in the [users] section of the shiro.ini configuration file.
  • $ldapRealm1,$ldapRealm2 --> you can log in with a user from the LDAP server specified in the ldapRealm1 realm or with a user from the LDAP server specified in the ldapRealm2 realm.

In a simple configuration these items could appear as shown in the code block below (see also the example configuration for the public LDAP server listed in the previous section):

A basic LDAP configuration:

[main]
...
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls = true
ldapRealm.hostNameVerification = off
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
...

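The configuration items in the table above have a few combinations that are easy to get wrong: a StartTLS realm with host name verification left off, a plain ldap:// URL without StartTLS, an LDAP realm that is defined but never listed in securityManager.realms, or $iniRealm left active so that the [users] accounts (including the default root:root) still log in. The following script is an added example, not part of the JOC Cockpit documentation or the SOS code base: it reads the [main] section of a shiro.ini offline and reports those conditions. The sample shiro.ini content is constructed for the example and the finding texts are this script's own wording.

```python
"""Offline sanity check of the [main] section of a shiro.ini for the LDAP realm
settings described in the JOC Cockpit documentation.  Added example; not code
from SOS or from the documentation page."""
import configparser
import io

# Constructed sample: the basic configuration from the text, with the
# ini realm left active next to the LDAP realm and the default root user.
SAMPLE_SHIRO_INI = """\
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls = true
ldapRealm.hostNameVerification = off
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm,$iniRealm

[users]
root = root, all

[roles]
all = *
"""

# Class name from the documentation table; any key with this value is an LDAP realm.
LDAP_REALM_CLASS = "com.sos.auth.shiro.SOSLdapAuthorizingRealm"


def parse_shiro_ini(text):
    """Parse shiro.ini text.  Keys keep their case (ldapRealm.useStartTls is
    case-sensitive) and %-interpolation is disabled so values are taken literally."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def ldap_realm_names(main):
    """Realm names defined in [main], i.e. keys whose value is the SOS LDAP realm class."""
    return [key for key, value in main.items() if value.strip() == LDAP_REALM_CLASS]


def check_main_section(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    cp = parse_shiro_ini(text)
    if not cp.has_section("main"):
        return ["no [main] section"]
    main = cp["main"]
    findings = []

    realms = ldap_realm_names(main)
    if not realms:
        findings.append("no LDAP realm defined (no key with value %s)" % LDAP_REALM_CLASS)

    # securityManager.realms = $a,$b  ->  ["a", "b"]
    active = [r.strip().lstrip("$") for r in main.get("securityManager.realms", "").split(",") if r.strip()]

    for name in realms:
        url = main.get(name + ".contextFactory.url", "").strip()
        if not url.startswith(("ldap://", "ldaps://")):
            findings.append("%s: contextFactory.url missing or not ldap://host:port (%r)" % (name, url))
        starttls = main.get(name + ".useStartTls", "false").strip().lower() == "true"
        hnv = main.get(name + ".hostNameVerification", "off").strip().lower()
        if url.startswith("ldap://") and not starttls:
            findings.append("%s: plain ldap:// without useStartTls; bind credentials are sent in clear" % name)
        if starttls and hnv in ("off", "false"):
            findings.append("%s: useStartTls=true but hostNameVerification=%s; certificate name is not "
                            "matched against the host" % (name, hnv))
        if main.get(name + ".rolePermissionResolver", "").strip() != "$rolePermissionResolver":
            findings.append("%s: rolePermissionResolver is not set to $rolePermissionResolver" % name)
        if name not in active:
            findings.append("%s: defined but not listed in securityManager.realms" % name)

    if "iniRealm" in active and cp.has_section("users"):
        users = ", ".join(cp["users"].keys())
        findings.append("iniRealm still active: [users] accounts remain valid (%s)" % users)
    return findings


if __name__ == "__main__":
    for finding in check_main_section(SAMPLE_SHIRO_INI):
        print("WARNING:", finding)
```

Run against the constructed sample it reports two findings: host name verification is off although StartTLS is enabled, and the root account from [users] is still accepted because $iniRealm is listed in securityManager.realms. Setting hostNameVerification = on and securityManager.realms = $ldapRealm clears both.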

...