...
```ini
[main]
# Define the realm object before setting any of its properties: Shiro's ini
# reader processes [main] in order and rejects properties of undefined objects
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://myHost:389
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
```
Login with the sAMAccountName but cn is part of the DN
This works with a Microsoft AD that supports domain login.
- Change the userDnTemplate to `ldapRealm.userDnTemplate = uid={0}`
- Add the userSearch
- Use `domain\user` or `user@domain` for the login, where user is the sAMAccountName.
The user template
Authentication checks for a valid username/password combination. To do this you have to specify the userDnTemplate. The parameters for the userDnTemplate can be read from a user's properties page, as shown in the screenshot from an LDAP browser below.
...
Hint: The complete content of this attribute must be used in the groupRolesMap attribute. Typical content of the attribute could be ou=Groups, dc=sos, cn=groupname.
If the roles are assigned with the JOC Account Manager (i.e. there is a [users] section in the shiro.ini configuration file) you can skip this chapter.
...
```ini
[main]
....
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000
```
Examples and special configurations
Example LDAP Configuration with a LDAP Server and mixed LDAP and Shiro Authentication
Add the iniRealm to `securityManager.realms = $ldapRealm, $iniRealm`
```ini
[users]
...

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.groupNameAttribute = cn
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Realms are tried in this order: the LDAP realm, then the [users] section of this file
securityManager.realms = $ldapRealm, $iniRealm
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000
```
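The groupRolesMap keys must match the group names the LDAP search returns exactly (see the Hint on the group attribute above), so it is worth checking the mapping outside JOC. The following Python is an added example and not part of the JOC Cockpit or SOS code: it parses the [main] lines above (honouring Shiro's backslash line continuations), splits the map's comma-separated entries and pipe-separated roles, and reports LDAP groups that would map to no role; the `SHIRO_MAIN` sample is constructed from the listing above.

```python
import re

# Constructed sample: the groupRolesMap lines from the [main] section above.
SHIRO_MAIN = r"""
ldapRealm.groupNameAttribute = cn
ldapRealm.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager
securityManager.realms = $ldapRealm, $iniRealm
"""


def join_continuations(text):
    """Join lines that end in a backslash, as the Shiro ini reader does."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def parse_main(text):
    """Return {key: value} for [main] lines, skipping blanks and # comments."""
    props = {}
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def parse_group_roles_map(value):
    """'g1: r1, g2: r2|r3' -> {'g1': {'r1'}, 'g2': {'r2', 'r3'}}."""
    mapping = {}
    for entry in value.split(","):
        group, _, roles = entry.partition(":")
        if group.strip():
            mapping[group.strip()] = {r.strip() for r in roles.split("|") if r.strip()}
    return mapping


def resolve_roles(group_roles_map, ldap_groups):
    """Union of the roles for the groups LDAP returned; unknown groups add none."""
    roles = set()
    for group in ldap_groups:
        roles |= group_roles_map.get(group, set())
    return roles


def unmapped_groups(group_roles_map, ldap_groups):
    """LDAP groups with no groupRolesMap entry: the login succeeds but grants no role."""
    return sorted(g for g in ldap_groups if g not in group_roles_map)
```

Feed `unmapped_groups` the values of the configured groupNameAttribute as the LDAP browser shows them; a full DN such as `cn=group1,ou=Groups,dc=sos` does not match the key `group1`.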
Example LDAP Configuration with Several LDAP Servers
LDAP configuration with several LDAP servers is achieved by defining more than one LDAP realm as shown in the next code block.
Define two realms and list them in `securityManager.realms = $ldapRealm1, $ldapRealm2`
```ini
[main]
ldapRealm1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm1.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm1.groupSearchBase = ou=Groups,dc=sos
ldapRealm1.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm1.groupNameAttribute = cn
ldapRealm1.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm1.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager

ldapRealm2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm2.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm2.groupSearchBase = ou=Groups,dc=sos
ldapRealm2.contextFactory.url = ldap://anotherHost:389
ldapRealm2.groupNameAttribute = cn
ldapRealm2.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm2.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
# Assign the resolver to each realm (a plain ldapRealm is not defined in this listing)
ldapRealm1.rolePermissionResolver = $rolePermissionResolver
ldapRealm2.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm1, $ldapRealm2
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000
```
A full shiro.ini example with group search
```ini
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.groupNameAttribute = cn
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
ldapRealm.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000
```
A full shiro.ini example with group search where the member attribute does not contain the username but the cn
```ini
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.groupNameAttribute = cn
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
# The member attribute holds the cn, so the user record is looked up first
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userNameAttribute = cn
ldapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
ldapRealm.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000
```
A full shiro.ini example with memberOf in the user record.
```ini
[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
ldapRealm.groupRolesMap = \
  group1: it_operator, \
  group2: administrator|application_manager
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Session timeout in milliseconds
securityManager.sessionManager.globalSessionTimeout = 900000
```
A public LDAP Server for testing the connection
An online public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server - gauss and newton - that are each members of a different LDAP group as shown in the following table:
Account Name | Password | LDAP Group | Shiro Role |
---|---|---|---|
gauss | password | mathematicians | all |
newton | password | scientists | it_operator |
To implement the authentication configuration - or realm - for accessing this public LDAP server, add the following lines to the [main] section of the shiro.ini file, either before or after the default line `securityManager.sessionManager.globalSessionTimeout = 900000`:
```ini
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
# Define the resolver before referencing it as $rolePermissionResolver;
# Shiro resolves references in the order the [main] lines appear
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
publicLdapRealm.rolePermissionResolver = $rolePermissionResolver
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
# LDAP group (ou attribute) -> Shiro role(s)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
securityManager.realms = $publicLdapRealm, $iniRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
```
Save the modified shiro.ini file. (It is not necessary to restart the Jetty web server.)
You will now be able to use the JOC Cockpit to authenticate the two User Account name:password combinations listed in the table above with the LDAP server.
The Shiro authentication (using, for example, the default root:root User Account) will still be active alongside the LDAP users listed above.
The LDAP group memberships will be mapped onto the default roles configured in the shiro.ini [roles] section, as can be seen in the groupRolesMap lines of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles: the User Account gauss, for example, will have all permissions.
Troubleshooting
Enable the log:
- Open the file /sos-berlin.com/joc/jetty_base/resources/joc/log4j.properties
- Change
```properties
#for debugging JOC set the following logger to 'debug'
log4j.logger.com.sos = info
```
  to
```properties
#for debugging JOC set the following logger to 'debug'
log4j.logger.com.sos = debug
```
- The log is located in /sos-berlin.com/joc/logs/yyyy_mm_dd.stderrout.log