Introduction
This article describes the configuration of the JOC Cockpit to use an LDAP Directory Service for authentication and authorization that is performed with Apache Shiro. Note that the authoritative documentation of Shiro is provided by the Shiro project and may differ from the below explanations depending on the Shiro version in use.
Release 1.12.0
FEATURE AVAILABILITY ENDING WITH RELEASE 1.12
LDAP configuration information is stored out in the JOC Cockpit's shiro.ini
file whose overall configuration is described in the Authentication and Authorization - Configuration article. A general introduction to authentication and authorization with JOC Cockpit is provided with the JOC Cockpit - Authentication and Authorization article.
A rrestart of JOC Cockpit is not required after changing the shiro.ini configuration file either by using the JOC Cockpit Account Manager or a text editor.
Release 1.12.1 and Newer
From Release 1.12.1 onwards LDAP configuration and other authentication and authorization information is stored in the reporting database. In addition, a form based editor which users can use to configure LDAP authentication is available in the JOC Cockpit. This editor is only available for users with the necessary permissions such as the default root user with the all role and is accessed via the "Manage Accounts" menu.
A shiro.ini
file is still available but is overwritten with the current configuration from the reporting database each time a user with permissions to modify the authentication and authorization configuration logs out. This file is intended as a backup if system administrators are faced with all users being locked out of the system.
A restart of JOC Cockpit is not required after changing the shiro.ini configuration file either by using the JOC Cockpit Account Manager or a text editor.
Relevant Tools
- An LDAP Browser:
- The screenshots used in this article were made with the "Softerra LDAP Browser", which was configured to use the relevant LDAP Directory Service.
- A command line utility:
- The example commands used were executed with ldapSearch.
How to set up an LDAP Configuration
Carry out the following steps:
- Set up the basic LDAP configuration
- Set up the authentication
- Set up the authorization
- Defining the groupRolesMapping (optional)
- Defining the Roles per account in the
[users]
section (optional) - Defining the search for groups
- Add Shiro settings
The Setup Procedure
The following diagram provides an overview of the setup procedure:
1. Basic LDAP Configuration
After setting up a Basic LDAP Configuration your [main]
section will look like this:
[main] ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm ldapRealm.contextFactory.url = ldap://myHost:389 rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm ldapRealm.rolePermissionResolver = $rolePermissionResolver securityManager.realms = $ldapRealm cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager
The following table lists the basic items used to configure an LDAP realm. These items are configured in the [main]
section of the shiro.ini
file and cannot be changed with the Account Management in JOC Cockpit.
(See the Authentication and Authorization - Configuration article for more information about the shiro.ini
file)
Key | Value | Description |
---|---|---|
ldapReam | com.sos.auth.shiro.SOSLdapAuthorizingRealm | The key is the name of the realm. You can define any name. The name is taken as a reference to set the properties of the realm. The value is the name of the class that implements the realm. The implementation from SOS extends Please note that you can have more than one LDAP configuration. |
ldapRealm.contextFactory.url | ldap://host:port | The host and the port of your LDAP server. You can check whether the server is reachable with Make sure that the firewall is open for the given port. |
ldapRealm.useStartTls | true|false | To enable Starttls set the value to Please note that the server must be prepared to serve with Starttls. To check this, you can use an LDAP browser such as the "Softerra LDAP Browser". Configure your LDAP Server there and click the "Enable Starttls Button" On client side you will need the certificate and you have to add the certificate to your truststore. The path to your truststore is defined in the
Example values:
Note: we faced difficulties when using Starttls with the JRE 1.8.0_151 and have overcome these by installing the respective JDK. |
ldapRealm.hostNameVerification | on|off true|false | Enables the host name verification of the certificate. The default value is off. |
rolePermissionResolver | com.sos.auth.shiro.SOSPermissionResolverAdapter | The implementation of the permission resolver. The SOS implementation uses the org.apache.shiro.realm.text.IniRealm class to resolve the permissions. This means that the permissions a role is assigned are specified with the configuration file shiro.ini in the same way as it is done when using the iniRealm . |
ldapRealm.rolePermissionResolver | $rolePermissionResolver | Sets the role permission resolver for the LDAP realm. |
securityManager.realms | $ldapRealm [, $ldapRealm [, $iniRealm]] | Sets the list of realms that should be used for authentication. This is a comma separated list of items. Example values:
|
In a simple configuration these items could appear as visible with the code block below (see also the example configuration for the public LDAP server listed in the below section):
2. Authentication
Settings:
ldapRealm.userDnTemplate
After setting up the Basic LDAP Configuration (described in 1. above) and adding the userDnTemplate
your [main]
section will looks like this:
The userDnTemplate
Setting
With authentication you will check for a valid account/password combination. To achieve this you have to specify the userDnTemplate
. The parameters for the userDnTemplate
can be taken from an account's properties page as displayed in the below screenshot from an LDAP browser.
For the account in the screenshot the template would be (replacing the uid value with {0}
):
ldapRealm.userDnTemplate = uid={0},ou=People,dc=sos
Only one template can be specified per realm, separate realms have to be configured for different userDnTemplate
settings.
Login with the sAMAccountName
or CN
This works with a Microsoft Active Directory® that supports domain login.
- Change the
userDnTemplate
toldapRealm.userDnTemplate = {0}
- Add the User Search
- Use
domain\account
oraccount@domain
for the login whereaccount
is the value of thesAMAcountName
attribute.
Account Names
The account name for a Microsoft Active Directory® can have one of the following login patterns:
sAMAccountName@domain
- The
sAMAccountName
attribute is a unique identifier for an Account.
- The
domain\sAMAccountName
cn
- The Common Name attribute value of the Account is used.
- This format requires the Common Name of an Account to be unique.
Note that LDAP Account names may contain blank spaces. See the Authorization section below for a description of how blank spaces are handled when LDAP authentication is used with Shiro authorization.
Configuration in the shiro.ini file
The [main]
section of the shiro.ini
file with authentication for the example "ur" account from the screenshot above is shown in the next code block:
Examples for the userDnTemplate
:
- Example Configuration for an arbitrary hierarchy:
ldapRealm.userDnTemplate = uid={0},ou=People,dc=sos
- Example Configuration for the public LDAP Server mentioned in this article:
ldapRealm.userDnTemplate = uid={0},dc=example,dc=com
- Example Configurations with a Microsoft Active Directory®:
ldapRealm.userDnTemplate = {0}
ldapRealm.userDnTemplate = cn={0},ou=Users,dc=sos,dc=berlin,dc=com
Verification with ldapSearch
You can check the value of the userDnTemplate
by using it with a command for the ldapSearch utility such as:
ldapsearch -h localhost -p 389 -b "uid=ur,ou=People,dc=sos" -x
This should return a result such as:
Example for a public LDAP Server
For this server the command to check the userDnTemplate
in the ldapSearch utility would be:
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -x
The server will return the following:
Note: ldapSearch Parameters
The option -x is used in all the ldapSearch examples in this article. It is possible that your LDAP Directory Service does not allow this option and you have to specify an Account and a Password. If this is the case then the command would be:
ldapsearch -h ldap.forumsys.com -p 389 -b "uid=gauss,dc=example,dc=com" -W -D "uid=gauss,dc=example,dc=com"
Verification with an LDAP Browser
Search with the value from the userDnTemplate
in the Search DN input field. The query should return only one entry.
Verification with the JOC Cockpit
Try to login with an LDAP Account/Password combination. Use an Account that you have verified to be correct by executing the ldapSearch command described above. If there are no Role(s) configured for the Account but the authentication works then you will see the following screen that complains about missing authorization after successful authentication:
3. Authorization
Authorization is the assignment of Roles to User Accounts. Roles, in turn, have permissions that are listed in the shiro.ini
configuration file. An Account has all Permissions specified by the Roles that the Account is assigned.
There are two options for assigning Roles to Accounts:
- First Option: with an LDAP Group to Shiro Role mapping
- Second Option: with a Shiro User Account.
Both options can be combined. The result is the union of all assigned Roles.
Please decide:
- If Roles are to be assigned in the
shiro.ini
file using the JOC Cockpit Account Management: The LDAP Groups the Account is a member of have no effect. Proceed with Assigning roles in the shiro.ini File - If Roles are to be assigned with the group roles mapping: The LDAP Groups the account is a member of are assigned to JOC Cockpit roles. Proceed with Assigning Roles from LDAP Groups
- If a mix of 1. and 2. is to be used: Proceed with Assigning roles in the shiro.ini File and then with Assigning Roles from LDAP Groups
Assigning Roles in the shiro.ini
File
After assigning Roles in the shiro.ini
file the [users]
section of the file will look like this:
Role assignment in the shiro.ini
file is configured in the Manage Accounts view of the JOC Cockpit. Do not enter the Password for a User Account that is to be authenticated by an LDAP Directory Service.
The Roles assigned to an entry are saved in the [users]
section of the shiro.ini
configuration file according to the following syntax:
account = ,list_of_roles
The list_of_roles
is a comma separated list such as:
it_operator,administrator
The JOC Cockpit Account Management will add entries to the [users]
section for Role assignment.
- Account names may include blank spaces if they are stored in an LDAP Directory Service. Account names stored in the
shiro.ini
configuration file may not contain blank spaces.- When a User Account with blank spaces in its name is configured using the JOC Cockpit's Manage Accounts view then every blank space in the name will be automatically replaced with
%20
before the name is written to theshiro.ini
file. - When a User Account with blank spaces in its name is added directly to the
shiro.ini
file then every blank space in the name should replaced with %20 before the name is written to theshiro.ini
file. - Every occurrence of
%20
in an User Account name saved in theshiro.ini
file will be automatically converted to a blank space before this name is submitted to the LDAP server.
- When a User Account with blank spaces in its name is configured using the JOC Cockpit's Manage Accounts view then every blank space in the name will be automatically replaced with
- Passwords may not be specified for Accounts with LDAP authentication when configuring such Accounts using the JOC Cockpit's Manage Accounts view .
- When a domain login is used then the reference has to contain the domain/account pattern e.g.
domain\account
oraccount@domain
.
Assigning Roles from LDAP Groups
If the Roles are assigned with the JOC Cockpit Account Management, i.e. there is a [users]
section available in the shiro.ini
configuration file, then you can skip this chapter.
How substitutions will be done
In the groupSearchFilter
and the userSearchFilter
you can specify e.g.
(uid=%s)
The %s will be substituted with the account from the login. If you login with domain\account
oder account@domain
the value for the user
is account
.
You can specify e.g.
(uid=^s)
The placeholder ^s
will be substituted with the original value from the login e.g. account@domain.
The Group/Roles mapping
Settings:
ldapRealm.groupRolesMap
If the Roles are assigned with the JOC Cockpit Account Management, i.e. there is a [users]
section available in the shiro.ini
configuration file, then you can skip this chapter.
shiro.ini
configuration file. This is done with the groupRolesMap
setting.shiro ini
file will look like this:The groupRolesMap
looks like this.
# Mapping of a LDAP group to roles. You can assign more than one role with separator character |
ldapRealm.groupRolesMap = \
group1 : list_of_roles, \
group2 : list_of_roles
where list_of_roles
is a list of Roles that are configured in the [roles]
section of the shiro.ini
configuration file. Multiple Roles are separated with a bar |.
Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute
. Default for the groupNameAttribute
is memberOf. This indicates that if you are retrieving group memberships by use of the memberOf attribute of an account then you have to specify the complete value of the memberOf attribute value, i.e. the distinguished names of group hits.
Example for Group Mapping with Microsoft Active Directory by memberOf Attribute
A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships includes to specify group hts by their distinguished name like this:
ldapRealm.groupRolesMap = \
"CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=CompanyDC=sos-berlin,DC=com" : all, \
"CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : business_user
Example for Group Mapping by cn Attribute
A mapping that is based on group search would identify group hits by the value of their common name like this:
ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manage
Retrieving the Groups an Account is a member of
If the Roles are assigned with the JOC Cockpit Account Management, i.e. there is a [users]
section availab le in the shiro.ini
configuration file, then you can skip this chapter.
There are two options to find the Group membership(s) for a User Account:
- The Account has a memberOf attribute. Then you can retrieve the list of groups with the User Search. Then proceed with Using memberOf with User Search.
- The Account does not have a memberOf attribute. The group contains the Accounts that are members of the group, Then proceed with Using Group Search.
These options cannot be mixed.
a) Using memberOf with User Search
If the Account entries do not have the memberOf attribute then you can skip this section and proceed with Using Group Search.
Settings:
ldapRealm.searchBase
ldapRealm.userSearchFilter
After specifying the User Search the shiro.ini
configuration file will look like this:
This approach looks for the Account entry and reads the memberOf attribute. This attribute is often used when, for example, configuring Microsoft Active Directory® LDAP servers.
Define a userSearchFilter
and a searchBase
that will find the account (%s will be replaced by the Account name from the login without the domain part).
Example for User Search
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
Example for User Search in Active Directory®
ldapRealm.searchBase = dc=example,dc=com
ldapRealm.userSearchFilter = (sAMAcountName=%s)
An LDAP Browser can be used to get the correct values for the searchBase
and the userSearchFilter
. Perform a directory search with the values. You should find only one entry.
The searchBase
is the value of the base DN (or ParentDN in the screenshot above).
Hint: If the attribute name in your environment is not the default memberOf then you can specify the name of the attribute with the groupNameAttribute
key as described in the next section.
b) Using Group Search
If the Account entries have the memberOf attribute then you can skip this section and proceed with Using memberOf with User Search. Settings:
ldapRealm.groupSearchBase
ldapRealm.groupNameAttribute
ldapRealm.groupSearchFilter
After defining the Group Search the shiro.ini
configuration file will look like this:
When the memberOf attribute is not available for the Account then you can use the Group Search.
Define the groupSearchBase
and the groupSearchFilter
. For example:
ldapRealm.groupSearchBase = ou=Groups,dc=sos
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
Getting the value for the groupSearchBase
Identify the location where the groups are stored. This is your groupSearchBase
.
Getting the value for the groupSearchFilter
Click one group Entry (in the screenshot, cn=apl
) and see how the members are stored there.
The groupSearchFilter is configured with attr=val
where attr
is name of the attribute and val
is the content. In this example, the attr
is uniqueMember
and the val
uid=%s,ou=People,dc=sos
, where the userid
is replaced with %s
. This results in:
ldapRealm.groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
Verifing the groupSearchFilter with the ldapSearch command
ldapsearch -h localhost -p 389 -b "ou=Groups,dc=sos" -s sub "uniqueMember=uid=ur,ou=People,dc=sos" -x
This search should return the group entries the Account is a member of. Identify the attribute containing the group name that is to be used in the user roles mapping. This can be seen in the next listing
Verifing the groupSearchBase and groupSearchFilter with an LDAP Browser
groupSearchBase
and groupSearchFilter
values by using them to perform a directory search. The result should show all groups the account is a member of.Now set the groupNameAttribute
to the name of the attribute that contains the group name.
ldapRealm.groupNameAttribute = cn
Hint: The complete content of this attribute must be used in the groupRolesMap
attribute. Typical content of the attribute could be ou=Groups,dc=sos,cn=groupname
.
Substitution of the account name
If the roles are assigned with the JOC Account Manager (i.e. there is a [users]
section in the shiro.ini configuration file) you can skip this chapter.
If the value of the member of the groups contain the Account name from the login then you can skip this chapter
Sometimes the values of the member do not contain the Account Name from the login but, for example, the cn
of the Account. In this case you have to search for the Account first and then specify the name of the attribute that should be used instead of the Acount name from the login .
To achieve this, specify a searchBase
, a userSearchFilter
and a userNameAttribute
.
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
Verification with the ldapSearch command
ldapsearch -h localhost -p 389 -b "ou=People,dc=sos" -s sub "uid=fTester" -x
This search should return the Account with the given Account name. Identify the attribute that should be used for substitution in the Group Search base if it is not the Account name from the login.
Verification with an LDAP Browser
Perform a directory search with your LDAP client to check the User Search configuration. You should find only one Account entry with the given Account name.
Then identify the name of the attribute that contains the value for substitution. For example:
ldapRealm.userNameAttribute = cn
The configuration will look like this:
4. Add Shiro settings
Settings
cacheManager
securityManager.cacheManager
securityManager.sessionManager.globalSessionTimeout
After adding Shiro settings for the cache manager and the global session timeout the shiro.ini
configuration file will look like this:
Examples and special configurations
Example LDAP Configuration with mixed LDAP and Shiro Authentication
Add the iniRealm to
securityManager.realms = $ldapRealm, $iniRealm
Example LDAP Configuration for Active Directory with mixed LDAP and Shiro Authentication
Login with sAMAccountName
specified for domain\account
or account@domain
:
ldapRealm.userDnTemplate = {0}
Consider use of uppercase/lowercase spelling for domain and account
Add the ldapRealm and iniRealm like this:
securityManager.realms = $ldapRealm, $iniRealm
Add domain\account
to the [users]
section. Assign roles but omit passwords for LDAP authenticated users like this:
COMPANY\account = ,role [,role]
Example LDAP Configuration with several LDAP Servers
LDAP configuration with several LDAP servers is achieved by defining more than one LDAP realm as shown in the next code block.
Define two realms and assign them like this:
securityManager.realms = $ldapRealm1, $ldapRealm2
A full shiro.ini example with Group Search
A full shiro.ini example with Group Search where the member attribute does not contain the account name but the common name
A full shiro.ini example with memberOf in the account record
A public LDAP Server for testing the connection
An online public LDAP server which can be accessed using a relatively simple configuration is available from Forum Systems. This server can be used to set up a test environment with LDAP authentication. In this article we will refer to the authentication of two user accounts on this server - gauss and newton - that are each members of a different LDAP group as shown in the following table:
Account Name | Password | LDAP Group | Shiro Role |
---|---|---|---|
gauss | password | mathematicians | all |
newton | password | scientists | it_operator |
To implement the authentication configuration - or realm - for accessing this public LDAP server, add the following lines to the [main]
section of the shiro.ini
file:
publicLdapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com publicLdapRealm.searchBase = dc=example,dc=com publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389 publicLdapRealm.groupNameAttribute = ou publicLdapRealm.userNameAttribute = uid publicLdapRealm.rolePermissionResolver = $rolePermissionResolver publicLdapRealm.userSearchFilter = (uniqueMember=uid=%s,dc=example,dc=com) publicLdapRealm.groupRolesMap = \ scientists : it_operator, \ mathematicians: all rolePermissionResolver = com.sos.auth.shiro.SOSPermissionResolverAdapter rolePermissionResolver.ini = $iniRealm securityManager.realms = $publicLdapRealm, $iniRealm cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager
Save the modified shiro.ini
file. (It is not required to restart the Jetty web server.)
You will now be able to use JOC Cockpit to authenticate the two User Account name:password combinations listed in the table above with the LDAP server.
The Shiro authentication (using, for example, the default root:root User Account) will still be active alongside the LDAP accounts listed above.
The LDAP group memberships will be mapped to the default Roles configured in the shiro.ini
[roles]
section as can be seen in lines 15-17 of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles - the User Account gauss, for example, will have all permissions.
Troubleshooting
Enable logging
To enable logging:
- Open the file .
/sos-berlin.com/joc/jetty_base/resources/joc/log4j.properties
- Change:
#for debugging JOC set the following logger to 'debug'
log4j.logger.com.sos = info
- to
#for debugging JOC set the following logger to 'debug'
log4j.logger.com.sos = debug
Log File location
The log file is located in:
./sos-berlin.com/joc/logs/yyyy_mm_dd.stderrout.log