...
The following example uses two Groups, each with two Realms. An account with a common User Name and Password is configured for all Realms:
| Realm | Roles |
|---|---|
| A#Ldap1 | a1 |
| A#Ldap2 | a2 |
| B#Ldap1 | b1 |
| B#Ldap2 | b2 |
Here is an example main section for this scenario:
```ini
[main]
A#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
A#Ldap1.userDnTemplate = uid={0},dc=example,dc=com
A#Ldap1.searchBase = dc=example,dc=com
A#Ldap1.contextFactory.url = ldap://ldap.forumsys.com:389
A#Ldap1.groupNameAttribute = ou
A#Ldap1.userNameAttribute = uid
A#Ldap1.rolePermissionResolver = $rolePermissionResolver
A#Ldap1.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
A#Ldap1.groupRolesMap = \
    scientists : it_operator, \
    mathematicians: all
A#Ldap1.roleAssignmentFromIni = false

A#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

B#Ldap1 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

B#Ldap2 = com.sos.auth.shiro.SOSLdapAuthorizingRealm
...

rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm

authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $A#Ldap1,$A#Ldap2,$B#Ldap1,$B#Ldap2

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
```
...
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSFirstSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
- All Realms with the same group will be checked group-wise.
- In every group there must be one Realm that can be authenticated.
- If none of the Realms in at least one group authenticate, then authentication will fail for all groups.
- The roles from the first Realm per group will be merged with the roles the user is assigned.
Example:
- If A#Ldap1, A#Ldap2 and B#Ldap2 can authenticate, then the user will be assigned the roles a1 and b2.
- If A#Ldap2 and B#Ldap1 can authenticate, then authentication will fail.
...
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
- All Realms with the same group will be checked group-wise.
- In at least one group all Realms must be authenticated.
- The roles from Realms in groups where all Realms can be authenticated will be merged with the roles the user is assigned.
Examples:
- If A#Ldap1, A#Ldap2, B#Ldap1 and B#Ldap2 can authenticate, then the user will be assigned the roles a1, a2, b1, b2.
- If A#Ldap1, A#Ldap2 and B#Ldap1 can authenticate, then the user will be assigned the roles a1, a2.
- If A#Ldap2 and B#Ldap1 can authenticate, then authentication will fail.
...
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSAllSuccessfulFirstGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
- All Realms with the same group will be checked group-wise.
- In at least one group all Realms must be authenticated.
- The roles from Realms in the first group where all Realms can be authenticated will be merged with other roles the user may be assigned.
Example:
- If A#Ldap1, B#Ldap1 and B#Ldap2 can authenticate, then the user will be assigned the roles b1, b2.
- If A#Ldap1, A#Ldap2 and B#Ldap2 can authenticate, then the user will be assigned the roles a1, a2.
- If A#Ldap1 and B#Ldap2 can authenticate, then authentication will fail.
...
```ini
authcStrategy = org.apache.shiro.authc.pam.SOSAtLeastOneSuccessfulGroupStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
- All Realms with the same group will be checked group-wise.
- At least one Realm must be authenticated in every group.
- The roles from Realms that have been authenticated will be merged with other roles the user may be assigned.
Example:
- If A#Ldap1, B#Ldap1 and B#Ldap2 can authenticate, then the user will be assigned the roles a1, b1, b2.
- If B#Ldap1 and B#Ldap2 can authenticate, then authentication will fail.
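The four group-wise strategies described above, as an added Python model that is not part of the SOS or Apache Shiro code: each function takes the per-realm outcome of one login (the realm's roles if it accepted the credentials, None if it rejected them) and returns the merged role set, or None when the strategy rejects the login. The realm names, roles and the `outcome` helper are constructed to match the two-group scenario on this page, so the role set each strategy hands to the authorizer can be checked before the ini is changed.

```python
def _groups(results):
    """Group per-realm results by the "Group#Realm" prefix, keeping realm order."""
    groups = {}
    for realm, roles in results.items():
        groups.setdefault(realm.split("#", 1)[0], []).append(roles)
    return groups

def first_successful_group(results):
    """SOSFirstSuccessfulGroupStrategy: every group needs one success; first success per group."""
    roles = set()
    for realms in _groups(results).values():
        ok = [r for r in realms if r is not None]
        if not ok:
            return None  # a group with no successful realm fails the whole login
        roles |= ok[0]
    return roles

def all_successful_group(results):
    """SOSAllSuccessfulGroupStrategy: roles of every group whose realms all succeeded."""
    complete = [g for g in _groups(results).values() if None not in g]
    return set().union(*(r for g in complete for r in g)) if complete else None

def all_successful_first_group(results):
    """SOSAllSuccessfulFirstGroupStrategy: roles of the first fully successful group only."""
    for realms in _groups(results).values():
        if None not in realms:
            return set().union(*realms)
    return None

def at_least_one_successful_group(results):
    """SOSAtLeastOneSuccessfulGroupStrategy: every group needs one success; all successes merged."""
    roles = set()
    for realms in _groups(results).values():
        ok = [r for r in realms if r is not None]
        if not ok:
            return None
        roles |= set().union(*ok)
    return roles

# Constructed to match the page's scenario: two groups, two realms each,
# listed in the order of securityManager.realms (constructed sample data).
REALM_ROLES = {"A#Ldap1": {"a1"}, "A#Ldap2": {"a2"},
               "B#Ldap1": {"b1"}, "B#Ldap2": {"b2"}}

def outcome(authenticated):
    """Per-realm result of one login that only the named realms accepted."""
    return {realm: roles if realm in authenticated else None
            for realm, roles in REALM_ROLES.items()}
```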
...