JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 5

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Step 1: LDAP Configuration
  2. Step 2: Authentication
  3. Step 3: Authorization

Relevant Tools

  • An LDAP Browser:
    • The screenshots used in this article were made with the Softerra LDAP Browser that was configured to use the relevant LDAP Directory Service.
  • A command line utility:
    • The examples used in this article are executed with ldapSearch.

Proceeding

The following diagram provides an overview of the setup proceeding:

Flowchart
1 [label="1. Set up basic LDAP configuration\n(URL, etc.)"]
1 -> 2 [weight=5, len=0.5]
2 [label="2. Set up Authentication\n(userDnTemplate)"]
2 -> 3
3 [label="3. Set up Authorization\n/Roles, Assignments/Mappings"]
3 -> 4
4 [shape="diamond", label="Should roles be assigned from LDAP\nby security group memberships?",fillcolor="lightblue"]
4 -> 5 [label="Yes"]
5 [label="Define Group/Roles Mapping"]
4 -> 10 [label="No"]
10 [label="Create accounts and assign roles"]
10 -> E2
E2 [shape="circle", style="filled", label="End", color="pink"]
5 -> 6
6 [shape="diamond", label="Does the user account object include a\nmemberOf attribute?",fillcolor="lightblue"]
6 -> 20 [label="Yes"]
20 [label="Specify User Search\l - searchBase\l - userSearchFilter"]
20 -> E3
E3 [shape="circle", style="filled", label="End", color="pink"]
6 -> 7 [label="No"]
7 [label="Specify Group Search\l - groupSearchBase\l - groupSearchFilter\l - groupNameAttribute"]
7 -> 8
8 [shape="diamond", label="Does the member attribute contain\nthe account name from the login?",fillcolor="lightblue"]
8 -> E4 [label="Yes"]
E4 [shape="circle", style="filled", label="End", color="pink"]
8 -> 9 [label="No"]
9 [label="Specify User Search\l - searchBase\l - userSearchFilter"] 
9 -> E5
E5 [shape="circle", style="filled", label="End", color="pink"]


Anchor
basicldapconfiguration
basicldapconfiguration
Step 1: Basic LDAP Configuration

The LDAP configuration can be managed from the Administration->Manage Identity Services view like this:

...

The following table lists possible values for authentication with an LDAP Server:

NameValueDescription

LDAP User DN Template

{0}

Should work from scratch for Microsoft Active Directory®

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


uid={0},ou=People,dc=sos

Use with Microsoft Active Directory® and other LDAP Servers.

Look up the sAMAccountName starting from the indicated hierarchy. This limits access to hierarchy levels.

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


cn={0},ou=Users,dc=sos,dc=berlin,dc=com

Use with Microsoft Active Directory® and other LDAP Servers.

The Common Name cn attribute value of the account is used. This format requires the Common Name to be unique.

For login use domain\account or account@domain where account is the value of the sAMAccountName attribute.


uid={0},dc=example,dc=com

Use with Public LDAP Server.

For login use

  1. Add the User Search

Verify Authentication Settings

...

The LDAP group memberships will be mapped to the default Roles configured in the shiro.ini [roles] section as can be seen in lines 15-17 of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles - the User Account gauss, for example, will have all permissions.

Logging

References

Use Cases

...

For debugging of LDAP Server connections