...

Code Block: userDnTemplate configuration

[main]
# the realm object must be defined before any of its properties are set
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://myHost:389
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm

 

Login with the sAMAccountName but cn is part of the DN

This works with a Microsoft AD that supports domain login.

  1. Change the userDnTemplate to ldapRealm.userDnTemplate = uid={0}
  2. Add the userSearch
  3. Use domain\user or user@domain for the login, where user is the sAMAccountName.

The user template

Authentication checks for a valid username/password combination. To achieve this you have to specify the userDnTemplate: the realm substitutes the login name for {0} and binds to the LDAP server with the resulting DN. The parameters for the userDnTemplate can be read from a user's properties page, as shown in the screenshot from an LDAP browser below.

...

Hint: the complete value of this attribute must be used in the groupRolesMap attribute. A typical value is ou=Groups, dc=sos, cn=groupname.

Substitution of the username

If the roles are assigned with the JOC Account Manager (i.e. there is a [users] section in the shiro.ini configuration file), you can skip this chapter.

...

Code Block

[main]
....
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000

 

Examples

...

and special configurations

Example LDAP Configuration with a LDAP Server and mixed LDAP and Shiro Authentication

Add the iniRealm to securityManager.realms:

securityManager.realms = $ldapRealm, $iniRealm

Code Block

[users]
...

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.groupNameAttribute = cn
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm.groupRolesMap = \
group1: it_operator, \
group2: administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
# both realms are consulted, in this order: the LDAP server first, then the [users] section of this file
securityManager.realms = $ldapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000

Example LDAP Configuration with Several LDAP Servers

LDAP configuration with several LDAP servers is achieved by defining more than one LDAP realm, as shown in the next code block. Shiro tries the realms in the order they are listed, and a login succeeds as soon as one realm accepts the credentials.

Define two realms and list them in securityManager.realms:

securityManager.realms = $ldapRealm1, $ldapRealm2

Code Block

[main]
ldapRealm1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm1.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm1.groupSearchBase = ou=Groups,dc=sos
ldapRealm1.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm1.groupNameAttribute = cn
ldapRealm1.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm1.groupRolesMap = \
group1: it_operator, \
group2: administrator|application_manager

ldapRealm2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm2.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm2.groupSearchBase = ou=Groups,dc=sos
ldapRealm2.contextFactory.url = ldap://anotherHost:389
ldapRealm2.groupNameAttribute = cn
ldapRealm2.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm2.groupRolesMap = \
group1: it_operator, \
group2: administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
# each realm needs its own resolver assignment; there is no object named ldapRealm in this file
ldapRealm1.rolePermissionResolver = $rolePermissionResolver
ldapRealm2.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm1, $ldapRealm2

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000




 

 

 

A full shiro.ini example with group search

Code Block

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.groupNameAttribute = cn
# %s is replaced by the login name; the group's member attribute must hold the user's DN
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm.groupRolesMap = \
group1: it_operator, \
group2: administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000

 

A full shiro.ini example with group search where member attribute does not contain the username but the cn

Code Block

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.groupNameAttribute = cn
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
# user lookup: searchBase and userSearchFilter locate the user entry, userNameAttribute names the attribute (cn) taken from it
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userNameAttribute = cn
ldapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
ldapRealm.groupRolesMap = \
group1: it_operator, \
group2: administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000

A full shiro.ini example with memberOf in the user record.

Code Block

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
ldapRealm.groupRolesMap = \
group1: it_operator, \
group2: administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000

 

A public LDAP Server for testing the connection

An online public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server, gauss and newton, that are each members of a different LDAP group as shown in the following table:

Account Name   Password   LDAP Group       Shiro Role
gauss          password   mathematicians   all
newton         password   scientists       it_operator

To implement the authentication configuration (the realm) for accessing this public LDAP server, add the following lines to the [main] section of the shiro.ini file, either before or after the default line:

  • securityManager.sessionManager.globalSessionTimeout = 900000

Code Block: Public LDAP Server

publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm

publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389

publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid

publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all

# define the resolver before it is referenced as $rolePermissionResolver
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver

securityManager.realms = $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

Save the modified shiro.ini file. (It is not necessary to restart the Jetty web server.)

You will now be able to use the JOC Cockpit to authenticate the two User Account name:password combinations listed in the table above with the LDAP server.

The Shiro authentication (using, for example, the default root:root User Account) will still be active alongside the LDAP users listed above.

The LDAP group memberships will be mapped onto the default roles configured in the shiro.ini [roles] section, as can be seen in the groupRolesMap lines of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles; the User Account gauss, for example, will have all permissions.
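The following is an added, stand-alone model of the lookup chain that the realm settings on this page drive (userDnTemplate with {0}, the optional searchBase/userSearchFilter/userNameAttribute step used when the group's member attribute holds the cn rather than the login name, and groupSearchBase/groupSearchFilter/groupNameAttribute/groupRolesMap). It is not SOS or Shiro code: the in-memory directory is constructed to look like the Forum Systems test server (uid=gauss/uid=newton, ou=mathematicians/ou=scientists with uniqueMember), the group cn=fellows is made up, the property names follow the page's group-search example, and how the SOS realm combines these properties internally is an assumption. The point it adds is the one a practitioner should check before exposing a realm: the login name is escaped before it is substituted into a DN (RFC 4514) or a filter (RFC 4515), so a value such as * cannot widen the group search.

```python
import re

# Constructed in-memory directory: DN -> attributes. Shaped like the Forum Systems test
# server; the cn=fellows group (member attribute holds the cn, not the uid) is invented.
DIRECTORY = {
    "uid=gauss,dc=example,dc=com":  {"uid": ["gauss"],  "cn": ["Carl Friedrich Gauss"], "userPassword": ["password"]},
    "uid=newton,dc=example,dc=com": {"uid": ["newton"], "cn": ["Isaac Newton"],         "userPassword": ["password"]},
    "ou=mathematicians,dc=example,dc=com": {"ou": ["mathematicians"], "uniqueMember": ["uid=gauss,dc=example,dc=com"]},
    "ou=scientists,dc=example,dc=com":     {"ou": ["scientists"],     "uniqueMember": ["uid=newton,dc=example,dc=com"]},
    "cn=fellows,ou=Groups,dc=example,dc=com": {"cn": ["fellows"], "uniqueMember": ["cn=Isaac Newton,dc=example,dc=com"]},
}

# Property names as on the page; the way they are combined below is this example's assumption.
REALM_PUBLIC = {                     # login name appears directly in the group's member attribute
    "userDnTemplate": "uid={0},dc=example,dc=com",
    "groupSearchBase": "dc=example,dc=com",
    "groupSearchFilter": "(uniqueMember=uid=%s,dc=example,dc=com)",
    "groupNameAttribute": "ou",
    "groupRolesMap": "scientists : it_operator, mathematicians: all",
}
REALM_CN = {                         # member attribute holds the cn: look the user up first
    "userDnTemplate": "uid={0},dc=example,dc=com",
    "searchBase": "dc=example,dc=com",
    "userSearchFilter": "(uid=%s)",
    "userNameAttribute": "cn",
    "groupSearchBase": "ou=Groups,dc=example,dc=com",
    "groupSearchFilter": "(uniqueMember=cn=%s,dc=example,dc=com)",
    "groupNameAttribute": "cn",
    "groupRolesMap": "fellows: administrator|application_manager",
}

def escape_dn_value(value):
    """RFC 4514: escape an attribute value that is placed inside a DN."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") and not out.endswith("\\ ") else out

def escape_filter_value(value):
    """RFC 4515: escape an assertion value that is placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def bind_dn(template, login):
    """userDnTemplate: {0} is replaced by the DN-escaped login name."""
    return template.replace("{0}", escape_dn_value(login))

def fill_filter(template, value, dn_component=False):
    """%s is replaced by the filter-escaped value; DN-escape first when %s sits inside a DN (uid=%s,ou=...)."""
    if dn_component:
        value = escape_dn_value(value)
    return template.replace("%s", escape_filter_value(value))

def parse_group_roles_map(text):
    """'group1: it_operator, \\<newline>group2: a|b' -> {'group1': ['it_operator'], 'group2': ['a', 'b']}."""
    mapping = {}
    for entry in text.replace("\\\n", "").split(","):
        if entry.strip():
            group, roles = entry.split(":", 1)
            mapping[group.strip()] = [r.strip() for r in roles.split("|") if r.strip()]
    return mapping

_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$")

def search(base, ldap_filter, attr, directory=DIRECTORY):
    """Subtree search for one equality filter; returns the values of `attr` from the matching entries."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("unsupported or malformed filter: " + ldap_filter)
    # as on a real server, an unescaped '*' is a wildcard while \2a, \28, \29 are literal characters
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
    matcher = re.compile("^" + ".*".join(re.escape(unescape(p)) for p in m["value"].split("*")) + "$", re.I)
    hits = []
    for dn, attrs in directory.items():
        entry = {k.lower(): v for k, v in attrs.items()}
        if dn.lower().endswith(base.lower()) and any(matcher.match(v) for v in entry.get(m["attr"].lower(), [])):
            hits.extend(entry.get(attr.lower(), []))
    return hits

def authenticate(realm, login, password, directory=DIRECTORY):
    """Bind with the templated DN, then resolve groups and roles; returns {} on failure."""
    dn = bind_dn(realm["userDnTemplate"], login)
    entry = directory.get(dn)
    if entry is None or password not in entry.get("userPassword", []):
        return {}                                   # simulated bind failure
    name = login
    if "userSearchFilter" in realm:                 # resolve login -> userNameAttribute (e.g. cn)
        found = search(realm["searchBase"], fill_filter(realm["userSearchFilter"], login),
                       realm["userNameAttribute"], directory)
        if len(found) != 1:
            return {}
        name = found[0]
    groups = search(realm["groupSearchBase"], fill_filter(realm["groupSearchFilter"], name, dn_component=True),
                    realm["groupNameAttribute"], directory)
    roles_map = parse_group_roles_map(realm["groupRolesMap"])
    return {"dn": dn, "groups": sorted(groups), "roles": sorted({r for g in groups for r in roles_map.get(g, [])})}

def injection_is_neutralised(directory=DIRECTORY):
    """A login name of '*' must not turn the group search into a wildcard over every group."""
    naive = REALM_PUBLIC["groupSearchFilter"].replace("%s", "*")          # plain substitution
    safe = fill_filter(REALM_PUBLIC["groupSearchFilter"], "*", dn_component=True)
    base, attr = REALM_PUBLIC["groupSearchBase"], REALM_PUBLIC["groupNameAttribute"]
    return len(search(base, naive, attr, directory)) == 2 and search(base, safe, attr, directory) == []
```

authenticate(REALM_PUBLIC, "gauss", "password") yields the role all and authenticate(REALM_PUBLIC, "newton", "password") yields it_operator, matching the table above; authenticate(REALM_CN, "newton", "password") shows the two-step lookup through the cn. The search helper accepts a single equality filter only, which is exactly what the page's filters are; anything that no longer parses as one (for example a login name containing ")(") is rejected rather than guessed at.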


Troubleshooting

Enable the log:

Open the file /sos-berlin.com/joc/jetty_base/resources/joc/log4j.properties

Change

#for debugging JOC set the following logger to 'debug'
log4j.logger.com.sos = info

to

#for debugging JOC set the following logger to 'debug'
log4j.logger.com.sos = debug

The log is located in

/sos-berlin.com/joc/logs/yyyy_mm_dd.stderrout.log

Set the logger back to info once the problem is resolved.