...
- Change the
userDnTemplate
toldapRealm.userDnTemplate = uid={0}
- Add the userSearch User Search
- Use
domain\account
oraccount@domain
for the login whereaccount
is the value of thesAMAcountName
attribute.
...
- The account has a memberOf attribute. Then you can retrieve the list of groups with the userSearchUser Search. Then proceed with Using memberOf with User Search.
- The account does not have a memberOf attribute. The group contains the accounts that are members of the group, Then proceed with Using group search.
...
ldapRealm.searchBase
ldapRealm.userSearchFilter
After specifying the user search
User Search the shiro.ini
configuration file will look like this:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
[main] ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos ldapRealm.searchBase = ou=People,dc=sos ldapRealm.userSearchFilter = (uid=%s) # Mapping of a LDAP group to roles. You can assign more than one role with separator sign | ldapRealm.groupRolesMap = \ sos : it_operator, \ apl : administrator|application_manager rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm |
This approach looks for the account Account entry and then reads the memberOf attribute. This attribute is often used when, for example, configuring Microsoft Active Directory® LDAP servers.
Define a userSearchFilter
and a searchBase
that will find the account (%s will be replaced by the account Account name from the login without the domain part).
Example for
...
User Search
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
Example
...
for User Search in Active Directory®
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.userSearchFilter = (sAMAcountName=%s)
An LDAP Browser can be used to get the correct values for the searchBase
and the userSearchFilter
. Perform a directory search with the values. You should find only find one entry.
The searchBase
is the value of the base DN (or ParentDN in the screenshot above).
...
b) Using group search
If the user account entries do have the memberOf attribute then you can skip this section and proceed with with Using memberOf with User Search. Settings:
...
After defining the group search the shiro.ini
configuration file will look like this:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
[main] ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 ldapRealm.userDnTemplate = uid={0},ou=People,dc=sos ldapRealm.groupSearchBase = ou=Groups,dc=sos ldapRealm.groupNameAttribute = cn ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos) # Mapping of a LDAP group to roles. You can assign more than one role with separator sign | ldapRealm.groupRolesMap = \ sos : it_operator, \ apl : administrator|application_manager rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm |
When the memberOf attribute is not available for the account Account then you can use the group search.
...
Getting the value for the groupSearchBase
Identify the place location where the groups are stored. This is your groupSearchBase
.
Getting the value for the groupSearchFilter
...
Perform a directory search with your LDAP client to check the User search Search configuration. You should find only the one Account entry with the given account Account name.
Then identify the name of the attribute that contains the value for the substitution. For example:
ldapRealm.userNameAttribute = cn
The whole configuration will look like this:
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
[users] ... [main] ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.userDnTemplate = uid={0},ou=People,dc=sos ldapRealm.groupSearchBase = ou=Groups,dc=sos ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 ldapRealm.groupNameAttribute = cn ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos) ldapRealm.groupRolesMap = \ group1: it_operator, \ group2: administrator|application_manager rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager securityManager.realms = $ldapRealm, $iniRealm # Session timeout in milliseconds securityManager.sessionManager.globalSessionTimeout = 900000 |
Example LDAP Configuration with
...
several LDAP Servers
LDAP configuration with several LDAP servers is achieved by defining more than one LDAP realm as shown in the next code block.
Define two realms and list assign them as shownlike this:
securityManager.realms = $ldapRealm1, $ldapRealm2
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
[main] ldapRealm1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm1.userDnTemplate = uid={0},ou=People,dc=sos ldapRealm1.groupSearchBase = ou=Groups,dc=sos ldapRealm1.contextFactory.url = ldap://centos6_9_ldap.sos:389 ldapRealm1.groupNameAttribute = cn ldapRealm1.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos) ldapRealm1.groupRolesMap = \ group1: it_operator, \ group2: administrator|application_manager ldapRealm2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm2.userDnTemplate = uid={0},ou=People,dc=sos ldapRealm2.groupSearchBase = ou=Groups,dc=sos ldapRealm2.contextFactory.url = ldap://anotherHost:389 ldapRealm2.groupNameAttribute = cn ldapRealm2.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos) ldapRealm2.groupRolesMap = \ group1: it_operator, \ group2: administrator|application_manager rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm1, $ldapRealm2 cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager # Session timeout in milliseconds securityManager.sessionManager.globalSessionTimeout = 900000 |
A full shiro.ini example with
...
Group Search
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
[main] ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.userDnTemplate = uid={0},ou=People,dc=sos ldapRealm.groupSearchBase = ou=Groups,dc=sos ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 ldapRealm.groupNameAttribute = cn ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos) ldapRealm.groupRolesMap = \ group1: it_operator, \ group2: administrator|application_manager rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager # Session timeout in milliseconds securityManager.sessionManager.globalSessionTimeout = 900000 |
A full shiro.ini example with
...
Group Search where the member attribute does not contain the
...
account name but the
...
common name
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
[main] ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.userDnTemplate = uid={0},ou=People,dc=sos ldapRealm.groupSearchBase = ou=Groups,dc=sos ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 ldapRealm.groupNameAttribute = cn ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos) ldapRealm.searchBase = ou=People,dc=sos ldapRealm.userNameAttribute = cn ldapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com) ldapRealm.groupRolesMap = \ group1: it_operator, \ group2: administrator|application_manager rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager # Session timeout in milliseconds securityManager.sessionManager.globalSessionTimeout = 900000 |
...
To implement the authentication configuration - or realm - for accessing this public LDAP server, add the following lines to the [main]
section of the shiro.ini
file, either before or after the default line:
securityManager.sessionManager.globalSessionTimeout = 900000
Code Block | ||||
---|---|---|---|---|
| ||||
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com publicLdapRealm.searchBase = dc=example,dc=com publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389 publicLdapRealm.groupNameAttribute = ou publicLdapRealm.userNameAttribute = uid publicLdapRealm.rolePermissionResolver = $rolePermissionResolver publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com) publicLdapRealm.groupRolesMap = \ scientists : it_operator, \ mathematicians: all rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm securityManager.realms = $publicLdapRealm, $iniRealm cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager |
Save the modified shiro.ini
file. (It is not necessary required to restart the Jetty web server.)
You will now be able to use the JOC Cockpit to authenticate the two User Account name:password combinations listed in the table above with the LDAP server.
The Shiro authentication (using, for example, the default root:root User Account) will still be active alongside the LDAP users accounts listed above.
The LDAP group memberships will be mapped onto to the default roles Roles configured in the shiro.ini
[roles]
section as can be seen in lines 15-17 of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles - the User Account gauss, for example, will have all permissions.
...