Introduction

This article describes the configuration of the JOC Cockpit to use an LDAP Directory Service for authentication and authorization that is performed with Apache Shiro. Note that the authoritative documentation of Shiro is provided by the Shiro project and may differ from the descriptions below depending on the Shiro version in use.

Release 1.12.0


LDAP configuration information is stored in the [main] section of the JOC Cockpit's shiro.ini file, whose overall configuration is described in the Authentication and Authorization - Configuration article. A general introduction to authentication and authorization with JOC Cockpit is provided with the JOC Cockpit - Authentication and Authorization article.

LDAP configuration can only be edited by system administrators using a text editor to update the shiro.ini file. There is no web-based editing feature available.

A restart of JOC Cockpit is not required after changes are made to the shiro.ini configuration file.

Release 1.12.1 and Newer

Three changes relevant to the configuration of LDAP authentication and authorization are introduced with Release 1.12.1:

  • All authentication and authorization information is stored in the Reporting database.
  • A form based editor for the configuration of LDAP authentication is available in the JOC Cockpit. This editor is only available to users with the necessary permissions, such as the default root user with the all role, and is accessed via the "Manage Accounts" menu.
  • Automatic import and backup functions for the authentication and authorization information are available. Both functions use Shiro files, and both are triggered when a user logs in to the JOC Cockpit interface.
    • The import function automatically imports a file named shiro.ini into the Reporting database; the contents of this file overwrite all the authentication and authorization information stored in the Reporting database at that point. Anyone who can place a shiro.ini file where JOC Cockpit reads it can therefore replace every account, role and permission on the next login, so write access to that location should be restricted accordingly.
    • The backup function automatically stores the authentication and authorization information in a file named shiro.ini.active. At the same time an existing shiro.ini.active file will be renamed shiro.ini.backup and any already existing file with that name will be overwritten.

...

LDAP authentication for the JOC Cockpit is provided by the JS7 - LDAP Identity Service and relies on a connection between the JS7 - REST Web Service API and the LDAP Server.

This article describes the steps for configuration with an LDAP Directory Service:

  1. Step 1: LDAP Configuration
  2. Step 2: Authentication
  3. Step 3: Authorization

Relevant Tools

  • An LDAP Browser:
    • The screenshots used in this article were made with the "Softerra LDAP Browser", which was configured to use the relevant LDAP Directory Service.
  • A command line utility:
    • The example commands used were executed with ldapsearch.

How to set up an LDAP Configuration

Carry out the following steps:

  1. Set up the Basic LDAP configuration
  2. Set up the authentication
  3. Set up the authorization
  4. Add Shiro settings

...

Procedure

The following diagram provides an overview of the setup procedure:

Flowchart
1 [label="1. Set up the basic LDAP configuration\n(URL, etc.)"]
1 -> 2 [weight=5, len=0.5]
2 [label="2. Set up Authentication\n(userDnTemplate)"]
2 -> 3
3 [label="3. Set up Authorization\n/Roles, Assignments/Mappings"]
3 -> 4
4 [shape="diamond", label="Should roles be assigned from LDAP\nby security group memberships?", fillcolor="lightblue"]
4 -> 5 [label="Yes"]
5 [label="Define Group/Roles Mapping"]
4 -> 10 [label="No"]
10 [label="Create accounts and assign roles to accounts"]
10 -> E2
E2 [shape="circle", style="filled", label="End", color="pink"]
5 -> 6
6 [shape="diamond", label="Does the user account object include a\nmemberOf attribute?", fillcolor="lightblue"]
6 -> 20 [label="Yes"]
20 [label="Specify User Search\l - searchBase\l - userSearchFilter"]
20 -> E3
E3 [shape="circle", style="filled", label="End", color="pink"]
6 -> 7 [label="No"]
7 [label="Specify Group Search\l - groupSearchBase\l - groupSearchFilter\l - groupNameAttribute"]
7 -> 8
8 [shape="diamond", label="Does the member attribute contain\nthe account name from the login?", fillcolor="lightblue"]
8 -> E4 [label="Yes"]
E4 [shape="circle", style="filled", label="End", color="pink"]
8 -> 9 [label="No"]
9 [label="Specify User Search\l - searchBase\l - userSearchFilter"]
9 -> E5
E5 [shape="circle", style="filled", label="End", color="pink"]
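The following script is an added example; it is not code from this article, from JOC Cockpit or from Shiro. It replays the decisions in the flowchart against a constructed in-memory directory: an account object that carries memberOf, a group search whose member attribute holds the login name, and a group search whose member attribute holds the DN, which is the case that needs the user search (searchBase, userSearchFilter) first. The directory entries, DNs, the keys of the cfg dicts and the role names are assumptions made for illustration, and the filter escaping is the example's own precaution rather than something the article states about the realm.

```python
"""Replay of the flowchart decisions against a constructed in-memory directory.
Added example: not JOC Cockpit or Shiro code, only a model of the lookups that
userDnTemplate, searchBase/userSearchFilter and groupSearch* drive."""
import re
from typing import Dict, List

# Constructed directory snapshot (DN -> attributes); all names are assumptions.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        # the account object carries memberOf (Active Directory style)
        "memberOf": ["cn=joc-admins,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},  # no memberOf
    "cn=joc-admins,ou=groups,dc=example,dc=com": {
        "cn": ["joc-admins"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=joc-operators,ou=groups,dc=example,dc=com": {
        "cn": ["joc-operators"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"],  # member = DN
        "memberUid": ["bob"],                                      # member = login name
    },
}

# Group/Roles mapping: LDAP group name -> JOC Cockpit roles (role names assumed).
GROUP_ROLES_MAP = {"joc-admins": ["all"], "joc-operators": ["it_operator"]}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def ldap_search(base: str, ldap_filter: str) -> List[str]:
    """Minimal stand-in for ldapsearch: single equality filter, subtree scope."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1), m.group(2)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and value in attrs.get(attr, [])]


def first_rdn_value(dn: str) -> str:
    """'cn=joc-admins,ou=groups,dc=example,dc=com' -> 'joc-admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_for(account: str, cfg: dict) -> List[str]:
    """Follow the flowchart: memberOf if present, otherwise a group search."""
    # Step 2: the DN the realm binds with (a failed bind ends here).
    user_dn = cfg["userDnTemplate"].replace("{0}", account)
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        return []
    # "Does the user account object include a memberOf attribute?" -> Yes
    if "memberOf" in entry:
        return [first_rdn_value(g) for g in entry["memberOf"]]
    # -> No: group search. %s is the login name if the member attribute holds
    # account names, otherwise the DN found by the user search.
    if cfg["memberHoldsAccountName"]:
        needle = account
    else:
        hits = ldap_search(cfg["searchBase"],
                           cfg["userSearchFilter"].replace("%s", escape_filter_value(account)))
        if len(hits) != 1:
            return []  # missing or ambiguous account: grant nothing
        needle = hits[0]
    group_filter = cfg["groupSearchFilter"].replace("%s", escape_filter_value(needle))
    return [DIRECTORY[g][cfg["groupNameAttribute"]][0]
            for g in ldap_search(cfg["groupSearchBase"], group_filter)]


def roles_for(account: str, cfg: dict) -> List[str]:
    """Apply the Group/Roles mapping to the groups found for the account."""
    roles = set()
    for group in groups_for(account, cfg):
        roles.update(GROUP_ROLES_MAP.get(group, []))
    return sorted(roles)


# Two constructed configurations, one per group-search branch of the flowchart.
CFG_MEMBER_DN = {
    "userDnTemplate": "uid={0},ou=people,dc=example,dc=com",
    "searchBase": "ou=people,dc=example,dc=com",
    "userSearchFilter": "(uid=%s)",
    "groupSearchBase": "ou=groups,dc=example,dc=com",
    "groupSearchFilter": "(uniqueMember=%s)",
    "groupNameAttribute": "cn",
    "memberHoldsAccountName": False,
}
CFG_MEMBER_UID = dict(CFG_MEMBER_DN, groupSearchFilter="(memberUid=%s)",
                      memberHoldsAccountName=True)

if __name__ == "__main__":
    for account in ("alice", "bob", "mallory"):
        print(account, roles_for(account, CFG_MEMBER_DN), roles_for(account, CFG_MEMBER_UID))
```

Running the script shows alice receiving her role through memberOf regardless of the group-search settings, bob receiving his only when the groupSearchFilter matches what the member attribute actually stores (DN versus login name), and an unknown account receiving nothing. The same three lookups can be reproduced with ldapsearch against the real directory before the configuration is committed.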


Step 1: Basic LDAP Configuration


LDAP is configured as part of the [main] section of a Shiro configuration file. As already mentioned above, this information can be added to the JOC Cockpit either by adding it to a shiro.ini file or, in Release 1.12.1 and newer, by using the editor in the Main Section of the JOC Cockpit Manage Accounts view.
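As an added example (not taken from this article or from the SOS project), the following [main] section puts the four steps of the procedure together for a directory in which the account objects have no memberOf attribute and the group objects list their members by DN. The realm class, the exact spelling of the search and mapping property keys, the host, the DNs and the role names are assumptions made for illustration; compare them with the shiro.ini shipped with your JOC Cockpit release before use.

```ini
[main]
# Step 1: basic LDAP configuration.
# Realm class and host are assumptions for this example.
ldapRealm = com.sos.auth.shiro.SOSLdapAuthorizingRealm
# ldaps:// keeps the login password off the wire in clear text; plain ldap:// would not.
ldapRealm.contextFactory.url = ldaps://ldap.example.com:636
# Only needed if the directory does not allow the bound login user to run the searches below.
# ldapRealm.contextFactory.systemUsername = cn=joc-reader,ou=services,dc=example,dc=com
# ldapRealm.contextFactory.systemPassword = change-me

# Step 2: authentication.
# {0} is replaced by the account name typed at login; the realm binds with the
# resulting DN and the login password.
ldapRealm.userDnTemplate = uid={0},ou=people,dc=example,dc=com

# Step 3: authorization from LDAP group memberships.
# No memberOf on the account object and members stored as DNs, so the flowchart
# leads to a group search plus the user search that resolves the DN for %s.
ldapRealm.groupSearchBase = ou=groups,dc=example,dc=com
ldapRealm.groupSearchFilter = (uniqueMember=%s)
ldapRealm.groupNameAttribute = cn
ldapRealm.searchBase = ou=people,dc=example,dc=com
ldapRealm.userSearchFilter = (uid=%s)
# Group/Roles mapping: LDAP group name -> JOC Cockpit role(s).
# The property key and the role names are assumptions for this example.
ldapRealm.groupRolesMap = "joc-admins":"all", "joc-operators":"it_operator"

# Step 4: Shiro settings: register the realm with the security manager.
securityManager.realms = $ldapRealm
```

Before committing such a configuration, check each step with ldapsearch against the directory: bind with the DN produced by userDnTemplate and the user's password, run the userSearchFilter under searchBase and confirm it returns exactly one entry, then run the groupSearchFilter under groupSearchBase with %s replaced by that entry's DN. A group search that returns nothing means the user authenticates but receives no roles.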

...