...

The following example uses two Groups, each with two Realms. An account with a common User Name and Password is configured for all Realms:

A#Ldap1
roles = a1

A#Ldap2
roles = a2

B#Ldap1
roles = b1

B#Ldap2
roles = b2

The following example shows the [main] section for this scenario:

Multi Group Realms
[main]
A#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
 
A#Ldap1.userDnTemplate = uid={0},dc=example,dc=com
A#Ldap1.searchBase = dc=example,dc=com
A#Ldap1.contextFactory.url = ldap://ldap.forumsys.com:389
 
A#Ldap1.groupNameAttribute = ou
A#Ldap1.userNameAttribute = uid
 
A#Ldap1.rolePermissionResolver = $rolePermissionResolver
A#Ldap1.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
A#Ldap1.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all
A#Ldap1.roleAssignmentFromIni = false
 
A#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...


B#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...


B#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
 
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
 
securityManager.realms = $A#Ldap1,$A#Ldap2,$B#Ldap1,$B#Ldap2
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

...

authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

  • All Realms with the same group will be checked group-wise.
  • In every group there must be one Realm that can be authenticated.
  • If none of the Realms in at least one group authenticate then authentication will fail for all groups.
  • The roles from the first Realm per group will be merged to the roles the user is assigned.
Example:
  • If A#Ldap1, A#Ldap2 and B#Ldap2 can authenticate then the user will be assigned the roles a1 and b2.
  • If A#Ldap2 and B#Ldap1 can authenticate then authentication will fail.

...

authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

  • All Realms with the same group will be checked group-wise.
  • In at least one group all Realms must be authenticated.
  • The roles from Realms in groups where all Realms can be authenticated will be merged to the roles the user is assigned.
Examples:
  • If A#Ldap1, A#Ldap2 and B#Ldap1, B#Ldap2 can authenticate then the user will be assigned the roles a1, a2, b1, b2.
  • If A#Ldap1, A#Ldap2 and B#Ldap1 can authenticate then the user will have the roles a1, a2.
  • If A#Ldap2 and B#Ldap1 can authenticate then authentication will fail.

...

authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulFirstGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

  • All Realms with the same group will be checked group-wise.
  • In at least one group all Realms must be authenticated.
  • The roles from Realms in the first group where all Realms can be authenticated will be merged with other roles the user may be assigned.
Example:
  • If A#Ldap1 and B#Ldap1, B#Ldap2 can authenticate then the user will be assigned the roles b1, b2.
  • If A#Ldap1, A#Ldap2 and B#Ldap2 can authenticate then the user will be assigned the roles a1, a2.
  • If A#Ldap1 and B#Ldap2 can authenticate then authentication will fail.

...

authcStrategy = org.apache.shiro.authc.pam.SOSAtLeastOneSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

  • All Realms with the same group will be checked group-wise.
  • At least one Realm must be authenticated in every group.
  • The roles from Realms that have been authenticated will be merged with other roles the user may be assigned.
Example:
  • If A#Ldap1, B#Ldap1, B#Ldap2 can authenticate then the user will be assigned the roles a1, b1, b2.
  • If B#Ldap1 and B#Ldap2 can authenticate then authentication will fail.
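The following added example (not code from the SOS JobScheduler project) models the decision rules of SOSAllSuccessfulGroupStrategy, SOSAllSuccessfulFirstGroupStrategy and SOSAtLeastOneSuccessfulGroupStrategy as described above, using the four Realms and roles from this page, so the outcome of any combination of authenticating Realms can be checked before the configuration is rolled out. It assumes that the group of a Realm is the part of its name before the '#' and that Realms are evaluated in the order of securityManager.realms; SOSFirstSuccessfulGroupStrategy is left out because its second example on this page (A#Ldap2 and B#Ldap1 failing) does not follow from the stated rule alone.

```python
from collections import OrderedDict

# Realm order as in securityManager.realms on this page. The group is taken to
# be the part before '#' (an assumption drawn from the realm names).
REALMS = ["A#Ldap1", "A#Ldap2", "B#Ldap1", "B#Ldap2"]
# Roles granted by each realm on success, as configured on this page.
REALM_ROLES = {"A#Ldap1": {"a1"}, "A#Ldap2": {"a2"},
               "B#Ldap1": {"b1"}, "B#Ldap2": {"b2"}}


def by_group(realms):
    """Group realms by the prefix before '#', keeping the configured order."""
    groups = OrderedDict()
    for realm in realms:
        groups.setdefault(realm.split("#", 1)[0], []).append(realm)
    return groups


def roles_of(realms):
    """Union of the roles granted by the given realms."""
    return set().union(*(REALM_ROLES[r] for r in realms))


def all_successful_group(ok):
    """SOSAllSuccessfulGroupStrategy: roles from every group whose realms all
    authenticated; None (authentication fails) if no group is complete."""
    full = [g for g in by_group(REALMS).values() if all(r in ok for r in g)]
    return roles_of(r for g in full for r in g) if full else None


def all_successful_first_group(ok):
    """SOSAllSuccessfulFirstGroupStrategy: roles from the first group whose
    realms all authenticated; None if no group is complete."""
    for group in by_group(REALMS).values():
        if all(r in ok for r in group):
            return roles_of(group)
    return None


def at_least_one_successful_group(ok):
    """SOSAtLeastOneSuccessfulGroupStrategy: every group needs at least one
    authenticated realm; roles come from all authenticated realms."""
    if any(not any(r in ok for r in g) for g in by_group(REALMS).values()):
        return None
    return roles_of(r for r in REALMS if r in ok)


if __name__ == "__main__":
    # Constructed outcome: the A#Ldap2 and B#Ldap1 case from the page.
    ok = {"A#Ldap2", "B#Ldap1"}
    for strategy in (all_successful_group, all_successful_first_group,
                     at_least_one_successful_group):
        print(strategy.__name__, "->", strategy(ok))
```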

...