...
- Set up the basic LDAP configuration
- Set up the authentication
- Set up the authorization
- Defining the groupRolesMapping (optional)
- Defining the Roles per user in the [users] section (optional)
- Defining the search for groups
Relevant Tools
- An LDAP Browser:
- The screenshots shown in this article were made with the "Softerra LDAP Browser" that had been configured to use the relevant LDAP server.
- A command line utility:
- The example commands shown were run with ldapsearch (OpenLDAP client tools).
1. Basic LDAP Configuration
...
The [main] section of the shiro.ini file with authentication for the example "ur" user from the screenshot above is shown in the next code block:
...
```
# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: uwe.risse@sos-berlin.com
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Example for the public LDAP server:

```
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x
```
...
The option -x is used in all the ldapsearch examples in this article; it selects simple authentication and, without -D, performs an anonymous bind. It is possible that your LDAP server does not allow anonymous binds, in which case you have to specify a user and a password. The command would then be:

```
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"
```

-D gives the DN to bind with and -W prompts for its password, so the password does not end up in the shell history or in the process list.
Verification with the Softerra LDAP Browser
Search with Search-Dn=userDnTemplate. You should find exactly one entry.
...
```
[users]
gauss = ,all
newton = ,it_operator,administrator

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000
```

In the [users] section the first field after the equals sign is the password and is left empty for LDAP accounts; the remaining fields are the roles. The user name entered at login replaces {0} in the userDnTemplate, and the resulting DN is bound against the server with the entered password. Note that an ldap:// URL on port 389 sends this bind, including the password, in clear text; use ldaps:// (or STARTTLS) where the server supports it.
Note that LDAP user names may contain blank spaces, whereas Shiro user names may not. The following applies if an LDAP user is to be assigned roles through Shiro authorization:
- User names stored in an LDAP directory may contain blank spaces. User names stored in the [users] section of the shiro.ini configuration file may not.
- When a user account with blank spaces in its name is configured using the JOC Cockpit's Manage Accounts view, every blank space in the name is automatically replaced with %20 before the name is written to the shiro.ini file.
- When a user account with blank spaces in its name is added directly to the shiro.ini file, every blank space in the name has to be replaced with %20 before the name is written to the file.
- Every occurrence of %20 in an account user name saved in the shiro.ini file is automatically converted back to a blank space before the name is submitted to the LDAP server.
- Passwords should not be specified for accounts with LDAP authentication when configuring such accounts using the JOC Cockpit's Manage Accounts view; the password field has to be left empty.
- When you log in with a domain, the account entry must contain the whole domain/user name pattern, e.g. user@domain. In the JOC Cockpit's Manage Accounts view the user has to be specified with the domain and without a password; the view takes care of the handling of blanks.
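The following script is an added example, not part of the original page or of the JOC Cockpit code: it reads a constructed [users] section in the shiro.ini syntax shown above, rejects LDAP accounts that carry a password, converts %20 back to blanks the way the text describes, and substitutes the result into the userDnTemplate. The sample account name "Uwe%20Risse", the template without the blank after the comma, and the RFC 4514 escaping of the substituted value are assumptions of this example; the page does not say whether the realm escapes the user name itself.

```python
# Added example: shiro.ini [users] handling for LDAP accounts (not JOC Cockpit code).

# Constructed sample of a shiro.ini [users] section (example data).
SAMPLE_INI = """
[users]
gauss = ,all
newton = ,it_operator,administrator
Uwe%20Risse = ,it_operator
"""

# Assumed template; the page's example reads "uid={0},ou=People, dc=sos".
USER_DN_TEMPLATE = "uid={0},ou=People,dc=sos"


def parse_users_section(ini_text):
    """Return {account_name: [roles]} from the [users] section.

    Shiro's syntax is "name = password, role1, role2"; for LDAP accounts the
    password field must be empty, so a non-empty one is treated as an error.
    """
    users = {}
    in_users = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_users = line == "[users]"
            continue
        if not in_users or "=" not in line:
            continue
        name, _, value = line.partition("=")
        fields = [f.strip() for f in value.split(",")]
        password, roles = fields[0], [r for r in fields[1:] if r]
        if password:
            raise ValueError(
                f"LDAP account {name.strip()!r} must not carry a password in shiro.ini")
        users[name.strip()] = roles
    return users


def ldap_name(shiro_account):
    """shiro.ini account name -> LDAP user name (%20 becomes a blank)."""
    return shiro_account.replace("%20", " ")


def shiro_name(ldap_user):
    """LDAP user name -> shiro.ini account name (blank becomes %20)."""
    return ldap_user.replace(" ", "%20")


def escape_rdn_value(value):
    """Escape characters that are special in a DN attribute value (RFC 4514, 2.4).

    Assumption of this example: done here so that a user name containing
    ',' or '+' cannot alter the structure of the DN built from the template.
    """
    specials = '"+,;<>\\'
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in specials or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(shiro_account, template=USER_DN_TEMPLATE):
    """DN the realm would bind with for a shiro.ini account name."""
    return template.format(escape_rdn_value(ldap_name(shiro_account)))


if __name__ == "__main__":
    for account, roles in parse_users_section(SAMPLE_INI).items():
        print(f"{account!r}: roles={roles} bind DN={bind_dn(account)}")
```

The bind DN for "Uwe%20Risse" comes out as `uid=Uwe Risse,ou=People,dc=sos`, i.e. with the blank restored; a name such as `a,b` is escaped to `uid=a\,b,ou=People,dc=sos` so the comma stays part of the uid value.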
Assigning Roles from LDAP Groups
...
```
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#

# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
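As an added example (not code from the original page or from the JOC Cockpit project), the script below parses a constructed LDIF dump of the group subtree modelled on the output above, applies the uniqueMember filter client-side, and maps the matching groups to roles. Unlike the search above, the sample dump was produced without a filter, so that the filter logic is visible in the code; the "admins" group is an extra constructed entry that ur does not belong to, and the group-to-role dictionary is an assumption standing in for the groupRolesMapping setting, whose shiro.ini syntax is not shown in this section.

```python
# Added example: group lookup and group-to-role mapping over LDIF (not JOC Cockpit code).
import base64

# Constructed LDIF dump of ou=Groups,dc=sos (sample data, no search filter applied).
GROUP_LDIF = """\
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# admins, Groups, sos (constructed; ur is not a member)
dn: cn=admins,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: admins
uniqueMember: uid=fTester, ou=People, dc=sos
"""

# Assumed mapping of group DN -> roles (stands in for groupRolesMapping).
GROUP_ROLES_MAPPING = {
    "cn=sos,ou=Groups,dc=sos": ["it_operator"],
    "cn=apl,ou=Groups,dc=sos": ["application_manager"],
    "cn=admins,ou=Groups,dc=sos": ["administrator"],
}


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.

    Comments are skipped, folded lines (leading blank) are joined to the
    previous value and base64 values ("attr:: ...") are decoded.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def norm_dn(dn):
    """Normalise a DN for comparison: lower case, no blanks around the commas.

    Sufficient for the DNs here; escaped commas inside values are not handled.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_of(entries, member_dn, member_attr="uniquemember"):
    """Client-side equivalent of the filter (uniqueMember=<member_dn>):
    the DNs of all group entries that list member_dn."""
    target = norm_dn(member_dn)
    return [e["dn"][0] for e in entries
            if any(norm_dn(m) == target for m in e.get(member_attr, []))]


def roles_for(entries, member_dn, mapping=GROUP_ROLES_MAPPING):
    """Roles of a user derived from its groups; unmapped groups yield no role."""
    by_dn = {norm_dn(k): v for k, v in mapping.items()}
    roles = set()
    for group_dn in groups_of(entries, member_dn):
        roles.update(by_dn.get(norm_dn(group_dn), []))
    return sorted(roles)


if __name__ == "__main__":
    entries = parse_ldif(GROUP_LDIF)
    for user in ("uid=ur,ou=People,dc=sos", "uid=fTester,ou=People,dc=sos"):
        print(user, "->", groups_of(entries, user), roles_for(entries, user))
```

For ur the lookup returns the two groups shown in the ldapsearch output above and nothing else; the admins entry, whose member DN is written with blanks after the commas, still matches fTester because DNs are compared in normalised form, which is also why a groupSearchFilter should be checked against the exact spelling the directory returns.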
Verifying the groupSearchBase and groupSearchFilter with an LDAP Browser
...