LDAP Configuration items

We refere in this document to a public LDAP server. To configure a realm for accessing the public LDAP server please add the following lines to the [main] section.

Public LDAP Server

publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.searchBase = dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389
publicLdapRealm.groupNameAttribute = ou
publicLdapRealm.userNameAttribute = uid
publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com)
publicLdapRealm.groupRolesMap = \
  scientists : it_operator, \
  mathematicians: all

Verification with ldapSearch

In all ldapSearch examples the option -x is used. It is possible that your LDAP Server does not allow this and you have to specify a user and a password like:

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"

Setting up the configuration

Please make these steps

Setting up the basic LDAP configuration
Setting up the authentication
Setting up the authorization
Defining the groupRolesMapping (optional)
Defining the roles per user in the [users] section (optional)
Defining the search for groups

Basic LDAP Configuration

There are some configuration items that configure the ldap realm that should be used. These items can not be changed with the Account Management in JOC.

Key	Value	Description
ldapReam	com.sos.auth.shiro.SOSLdapAuthorizingRealm	The key is the name of the realm. You can define any name. The name is taken as a reference to set the properties of the realm. The value is the name of the class that implements the realm. The implementation from SOS extends `org.apache.shiro.realm.ldap.JndiLdapRealm`
ldapRealm.contextFactory.url	ldap://host:port	The host and the port of your LDAP server. You can check whether the server is reachable with `telnet host port` Make sure that the firewall is open for the given port.
ldapRealm.useStartTls	`true\|false`	To enable starttls set the value to true (Default is `false`) Please note the the server must be prepared to serve with Starttls. To check this, you can use a LDAP browser like "Softerra LDAP Browser". Configure your LDAP Server there and click the "Enable Starttls Button" On Client Site you will need the certificate and you have to add the certificate to your truststore. The path of your truststore is definied in the JOC configuration file joc.properties. `truststore_path = path to your truststore.` e.g. `C:/Program Files/Java/jdk1.8.0_131/jre/lib/security/cacerts or` `../../etc/joc.jks`
ldapRealm.hostNameVerification	`on\|off true\|false`	To enable the host name verification of the certificate. The default is `off.`
rolePermissionResolver	com.sos.auth.shiro.SOSPermissionResolverAdapter	The implementation of the permission resolver. The SOS implementation sets an `org.apache.shiro.realm.text.IniRealm` to resolve the permissions. That means that the permissions a role have are specified in the configuration file `shiro.ini` in the same way it is done when using the `iniRealm`.
ldapRealm.rolePermissionResolver	$rolePermissionResolver	Sets the role permission resolver for the ldap realm.
securityManager.realms	$ldapRealm	Sets the list of realm that should be used for authentication. This is a comma seperated list of realms. e.g. $ldapRealm --> Only one realm specified $ldapRealm, $iniRealm --> You can login with a user from LDAP or with a user specified in the [users] section in the configuration file shiro.ini $ldapRealm1,$ldapRealm2 --> You can login with a user coming from the LDAP server specified in the ldap1 realm or coming from the LDAP server coming from LDAP server specified in the ldap2 realm.

[main]
...
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://myHost:389 
ldapRealm.useStartTls = true
ldapRealm.hostNameVerification = off 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
...

Authentication

With the authentication you will check for a valid username/password combination. To achive this, you have to specify the userDnTemplate.

Username

The username is part of the login patterns

username@domain
domain\username
username

The username may have blanks if they are stored in a LDAP directory. Usernames stored in the configuration file shiro.ini may not have blanks.

When refering to usernames from the LDAP directory to keys in the [users] section to assign roles to the user, you have to change blanks to %20. The password must be empty. When you login with a domain the reference must contain the whole domain/username pattern e.g. user@domain

Configuration in the configuration file shiro.ini

Main section with user authentication. The roles are assigned in the [users] section.

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000

Examples for the userDnTemplate:

Example
- ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
Configuration with public LDAP Server

- publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com

Configuration with a Microsoft AD

- adLdapRealm.userDnTemplate = sAMAccountName={0},dc=company,dc=com

Verification with ldapSearch

You can check you userDnTemplate with this ldapSearchCommand.

Example for a ldapSearch

ldapsearch -h localhost -p 389 -b "uid=ur,ou=People, dc=sos" -x

Should give a result like:

Result: ldapsearch -h localhost -p 389 -b "uid=ur,ou=People, dc=sos" -x

# ur, People, sos
dn: uid=ur,ou=People,dc=sos
mail: uwe.risse@sos-berlin.com
uid: ur
givenName: Uwe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Risse
cn: Uwe Risse
preferredLanguage: de
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Example with the public server

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x

# extended LDIF
#
# LDAPv3
# base <uid=gauss,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# gauss, example.com
dn: uid=gauss,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Carl Friedrich Gauss
sn: Gauss
uid: gauss
mail: gauss@ldap.forumsys.com
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

Verification with Softerra LDAP Browser

Search from root with the userDnTemplate as the user search filter. You should find exactly one entry.

Verification with JOC

Try to login with a username from LDAP and a password. Use a username with which you have verified the correctnis by executing the ldapSearch from above. When you see this screen, the authentication works.

Authorization

Authorization means the assignment of roles to users. A role have permissions that are listed in the configuration file shiro.ini. A user have all permissions coming from the assigned roles.

There are two options how to assigns roles to users. Both options can be mixed. The result of the mix is the union of all assigned roles.

Assigning roles from shiro.ini

The roles assignment coming from the file shiro.ini is managed with the JOC Account Manager.

The JOC Account Manager writes the assigned roles to an entry in the [users] section.

In the [users] section you list the users that are available in the LDAP.

username = ,list_of_roles

Please refere to the chapter "Username" to see how to specify the username

The list_of_roles is a comma separated list of roles e.g. it_operator,administrator

Here is a typical coniguration with LDAP Authentication and shiri.ini authorization.

LDAP Authentication and shiri.ini Authoriziation

[users]
gauss = ,all
newton = ,it_operator,administrator

[main]
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
ldapRealm.userDnTemplate = uid={0},ou=People, dc=sos
ldapRealm.contextFactory.url = ldap://centos6_9_ldap.sos:389 
rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver
securityManager.realms = $ldapRealm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager.globalSessionTimeout = 900000

Assiging roles from LDAP Groups

The group roles mapping

When assigning the roles from the LDAP Groups the user is a member of the groups the groups will be mapped to the roles that are defined in the configuration file shiro.ini. This will be done with the groupRolesMap

ldapRealm.groupRolesMap = \
group1 : list_of_roles, \
group2 : list_of_roles

where list_of_roles is a list of roles that are defined in configuration file shiro.ini separated with a bar |

Please not that the value of the group depends on the result of the search.

Example

ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manager

Example with the Public Ldap Server

ldapRealm.groupRolesMap = \
scientists : it_operator, \
mathematicians : all

Space shortcuts

Page tree