...
A public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server - gauss and newton - that are each members of a different LDAP group as shown in the following table:
...
To configure a realm for accessing this public LDAP server, add the following lines to the [main] section of the shiro.ini file, either before or after the line:
...
Save the modified shiro.ini file. (It is not necessary to restart the Jetty web server.)
You will now be able to use the JOC Cockpit to authenticate the two User Accounts with the name:password combinations listed in the table above against the LDAP server.
The Shiro authentication (using, for example, the default root:root User Account) will still be active alongside the LDAP users listed above.
The LDAP group memberships will be mapped onto the default roles configured in the shiro.ini [roles] section, as can be seen in lines 15-17 of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles - the User Account gauss, for example, will have all permissions.
...
- Set up the basic LDAP configuration
- Set up the authentication
- Set up the authorization
- Defining the groupRolesMapping (optional)
- Defining the roles per user in the [users] section (optional)
- Defining the search for groups
1. Basic LDAP Configuration
The following table lists the basic items used to configure an LDAP realm. These items are configured in the [main] section of the shiro.ini file and cannot be changed with the Account Management in JOC.
(See the Authentication and Authorization - Configuration article for more information about the shiro.ini file.)
Key | Value | Description |
---|---|---|
ldapRealm | com.sos.auth.shiro.SOSLdapAuthorizingRealm | The key is the name of the realm. You can define any name; the name is used as the reference when setting the properties of the realm. The value is the name of the class that implements the realm. The implementation from SOS extends ... Please note that you can have more than one LDAP configuration. |
ldapRealm.contextFactory.url | ldap://host:port | The host and the port of your LDAP server. You can check whether the server is reachable with ... Make sure that the firewall is open for the given port. |
ldapRealm.useStartTls | true \| false | To enable StartTLS set the value to true (default is ...). Please note that the server must be prepared to serve StartTLS. To check this, you can use an LDAP browser such as the "Softerra LDAP Browser": configure your LDAP server there and click the "Enable Starttls" button. On the client side you will need the server certificate and you have to add it to your truststore. The path of your truststore is defined in the ... |
ldapRealm.hostNameVerification | on \| off (true \| false) | Enables the host name verification of the server certificate. The default is off. |
rolePermissionResolver | com.sos.auth.shiro.SOSPermissionResolverAdapter | The implementation of the permission resolver. The SOS implementation uses an org.apache.shiro.realm.text.IniRealm to resolve the permissions. That means that the permissions a role has are specified in the configuration file shiro.ini in the same way as when using the iniRealm. |
ldapRealm.rolePermissionResolver | $rolePermissionResolver | Sets the role permission resolver for the LDAP realm. |
securityManager.realms | $ldapRealm | Sets the list of realms that should be used for authentication. This is a comma separated list of realms. |
In a simple configuration these items could appear as shown in the code block below (see also the example configuration for the public LDAP server listed in the previous section):
```ini
[main]
...
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls = true
ldapRealm.hostNameVerification = off
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
...
```
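The table above names the settings that decide whether bind credentials travel encrypted and whether the server certificate is actually checked. The following linter, an added example that is not part of the JOC Cockpit documentation or the SOS code base, reads the [main] section of a shiro.ini and reports the weak or dangling settings; the sample configuration is constructed from the listing above, and the function names are this example's own.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the [main] section shown above, with the weak
# hostNameVerification = off setting left in place so the linter flags it.
SAMPLE_INI = """
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389
ldapRealm.useStartTls = true
ldapRealm.hostNameVerification = off
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
"""

def parse_main(ini_text):
    """Return the [main] section as a dict; Shiro keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (ldapRealm, not ldaprealm)
    cp.read_string(ini_text)
    return dict(cp["main"])

def lint_ldap_realm(main):
    """Return findings for every LDAP realm listed in securityManager.realms."""
    findings = []
    realms = [r.strip().lstrip("$") for r in main.get("securityManager.realms", "").split(",") if r.strip()]
    if not realms:
        findings.append("securityManager.realms is missing or empty")
    for realm in realms:
        if realm not in main:
            findings.append(f"{realm}: listed in securityManager.realms but never defined")
            continue
        if not main[realm].endswith("SOSLdapAuthorizingRealm"):
            continue  # e.g. $iniRealm: nothing LDAP-specific to check
        url = urlparse(main.get(f"{realm}.contextFactory.url", ""))
        if url.scheme not in ("ldap", "ldaps") or not url.port:
            findings.append(f"{realm}: contextFactory.url must be ldap(s)://host:port")
        starttls = main.get(f"{realm}.useStartTls", "false").lower() == "true"
        if url.scheme == "ldap" and not starttls:
            findings.append(f"{realm}: plaintext ldap:// without useStartTls, bind credentials cross the wire unencrypted")
        if main.get(f"{realm}.hostNameVerification", "off").lower() in ("off", "false"):
            findings.append(f"{realm}: hostNameVerification is off, the certificate is not bound to the host name")
        resolver = main.get(f"{realm}.rolePermissionResolver", "").lstrip("$")
        if not resolver or resolver not in main:
            findings.append(f"{realm}: rolePermissionResolver does not point at a defined resolver")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_realm(parse_main(SAMPLE_INI)):
        print("WARN", finding)
```

Run against the listing above it reports exactly one finding, the disabled host name verification; switching that key to on clears the report.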
...