
...

  1. Set up the basic LDAP configuration
  2. Set up the authentication
  3. Set up the authorization

Relevant Tools

  • An LDAP browser:
    • The screenshots shown in this article were made with the "Softerra LDAP Browser", configured to connect to the relevant LDAP server.
  • A command line utility:
    • The example commands shown were run with ldapsearch.

1. Basic LDAP Configuration

...

The [main] section of the shiro.ini file with authentication for the example "ur" User from the screenshot above is shown in the next code block:

...

Result: ldapsearch -h localhost -p 389 -b "uid=ur,ou=People, dc=sos" -x
# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: uwe.risse@sos-berlin.com
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Example for the public LDAP server

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

...

The option -x (simple authentication) is used in all the ldapsearch examples in this article. It is possible that your LDAP server does not allow this option without credentials, in which case you have to specify a user and a password. The command would then be:

  • ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"

 

Verification with the Softerra LDAP Browser

Search with Search-Dn=userDnTemplate. You should find exactly one entry.

...

LDAP Authentication and shiro.ini Authorization
[users]
gauss = ,all
newton = ,it_operator,administrator

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000

Note that LDAP usernames may contain blank spaces, while Shiro usernames may not. The following applies if an LDAP user is to use Shiro authorization to allocate roles:

  • Usernames stored in an LDAP directory may contain blank spaces. Usernames stored in the shiro.ini configuration file may not contain blank spaces. When referring to usernames from the LDAP directory in the keys of the [users] section of the shiro.ini file:
    • When a user account with blank spaces in its name is configured using the JOC Cockpit's Manage Accounts view, every blank space in the name is automatically replaced with %20 before the name is written to the shiro.ini file.
    • When a user account with blank spaces in its name is added directly to the shiro.ini file, every blank space in the name should be replaced with %20 before the name is written to the shiro.ini file.
    • Every occurrence of %20 in an account user name saved in the shiro.ini file is automatically converted back to a blank space before the name is submitted to the LDAP server.
  • Passwords should not be specified for accounts with LDAP authentication when configuring such accounts using the JOC Cockpit's Manage Accounts view. The password must be empty.
  • When you log in with a domain, the reference in the shiro.ini file must contain the whole domain/username pattern, e.g. user@domain. Please note that you also have to specify the user with the domain, and without a password, in the JOC Account Manager.

Assigning Roles from LDAP Groups

...

 

Result: group search for the "ur" user (the search base and filter are shown in the LDIF comments)
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#
 
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
 
# search result
search: 2
result: 0 Success
 
# numResponses: 3
# numEntries: 2
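
As an added example (not part of the original article and not JOC Cockpit code), the following Python script checks the two mappings described above: it decodes the %20-encoded keys of the [users] section back to LDAP user names, builds each user's DN from ldapRealm.userDnTemplate, flags accounts that have a password set although they authenticate against LDAP, and reads a group search result in LDIF to list the groups in which a user's DN is a uniqueMember. The shiro.ini excerpt and the LDIF are constructed sample input modelled on the blocks shown in this article.

```python
import configparser
from urllib.parse import unquote

# Constructed shiro.ini excerpt in the format used above (not the project's own file);
# "Uwe%20Risse" shows the %20 encoding of a blank in an LDAP user name, and the
# non-empty password on that account is a deliberate configuration mistake.
SHIRO_INI = """
[users]
gauss = ,all
newton = ,it_operator,administrator
Uwe%20Risse = secret,administrator

[main]
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
"""

# Constructed LDIF modelled on the group search result above.
GROUP_LDIF = """# extended LDIF
dn: cn=sos,ou=Groups,dc=sos
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

dn: cn=apl,ou=Groups,dc=sos
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=fTester,ou=People,dc=sos
"""

def norm_dn(dn):
    """Normalise a DN for comparison: drop blanks after the RDN separators, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]; '#' comment lines are skipped."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def shiro_accounts(ini_text):
    """Map [users] keys back to LDAP names (%20 -> blank), build the DN, flag set passwords."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str              # keep the case of account names
    cp.read_string(ini_text)
    template = cp["main"]["ldapRealm.userDnTemplate"]
    accounts = {}
    for key, value in cp["users"].items():
        password, *roles = value.split(",")   # first field is the (empty) password
        name = unquote(key)
        accounts[name] = {"dn": template.replace("{0}", name),
                          "roles": roles, "password_set": password != ""}
    return accounts

def groups_of(user_dn, ldif_text):
    """cn of every group in the LDIF whose uniqueMember lists the user's DN."""
    wanted = norm_dn(user_dn)
    return [e["cn"][0] for e in parse_ldif(ldif_text)
            if any(norm_dn(m) == wanted for m in e.get("uniqueMember", []))]
```

Accounts reported with password_set True should have their password removed before they are used for LDAP authentication.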

 

Verifying the groupSearchBase and groupSearchFilter with an LDAP Browser

...