...
- Step 1: LDAP Configuration
- Step 2: Authentication
- Step 3: Authorization
- Define roles
- Define groupRolesMapping
- Define the LDAP attribute search for groups
Relevant Tools
- An LDAP Browser: the screenshots used in this article were made with the Softerra LDAP Browser, configured to use the relevant LDAP Directory Service.
- A command line utility: the examples used in this article are executed with `ldapsearch`.
Proceeding
The following flowchart (rendered here as a list) provides an overview of the setup procedure:
1. Set up basic LDAP configuration (URL, etc.).
2. Set up Authentication (userDnTemplate).
3. Set up Authorization: Roles, Assignments/Mappings.
4. Should roles be assigned from LDAP by security group memberships?
   - No: create accounts and assign roles. End.
   - Yes: define the Group/Roles Mapping and continue with step 5.
5. Does the user account object include a memberOf attribute?
   - Yes: specify the User Search (searchBase, userSearchFilter). End.
   - No: specify the Group Search (groupSearchBase, groupSearchFilter, groupNameAttribute) and continue with step 6.
6. Does the member attribute contain the account name from the login?
   - Yes: End.
   - No: specify the User Search (searchBase, userSearchFilter). End.
The LDAP configuration can be managed from the Administration->Manage Identity Services view like this:
...
The following table lists possible values for authentication with an LDAP Server:
Name | Value | Description |
---|---|---|
LDAP User DN Template | | Should work from scratch for Microsoft Active Directory®. For login use |
LDAP User DN Template | `uid={0},ou=People,dc=sos` | Use with Microsoft Active Directory® and other LDAP Servers. Look up the For login use |
LDAP User DN Template | `cn={0},ou=Users,dc=sos,dc=berlin,dc=com` | Use with Microsoft Active Directory® and other LDAP Servers. The Common Name For login use |
LDAP User DN Template | `uid={0},dc=example,dc=com` | Use with Public LDAP Server. For login use |
- Add the User Search
Verify Authentication Settings
...
The LDAP group memberships will be mapped to the default Roles configured in the `[roles]` section of the shiro.ini, as can be seen in lines 15-17 of the code listing above. This can be checked in the JOC Cockpit by looking at the Permissions section of the relevant User Profiles: the User Account gauss, for example, will have all permissions.
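The setup flow described above (fill the userDnTemplate, then take the roles either from the account's memberOf attribute or from a group search, then apply the groupRolesMapping) as an added Python example that is not part of this article and not JOC Cockpit or Shiro code. It runs the same steps against a small constructed in-memory directory instead of a real LDAP server; the directory entries, the groupRolesMapping values, the function names and the one-term filter matcher are all assumptions made for the example. It also escapes the login before substituting it into the DN template and the search filter (RFC 4514 and RFC 4515), so a login such as `gauss,ou=Admins` cannot rewrite the template's subtree.

```python
import re

# Constructed sample directory (assumption): DN -> attributes, standing in for the
# LDAP server the article queries with ldapsearch.
DIRECTORY = {
    "uid=gauss,ou=People,dc=sos": {
        "uid": ["gauss"],
        "memberOf": ["cn=sos_admins,ou=Groups,dc=sos"],   # memberOf present
    },
    "uid=euler,ou=People,dc=sos": {
        "uid": ["euler"],                                 # no memberOf: group search needed
    },
    "cn=sos_admins,ou=Groups,dc=sos": {
        "cn": ["sos_admins"], "member": ["uid=gauss,ou=People,dc=sos"],
    },
    "cn=sos_viewers,ou=Groups,dc=sos": {
        "cn": ["sos_viewers"], "member": ["uid=euler,ou=People,dc=sos"],
    },
}

# Constructed groupRolesMapping (assumption): LDAP group name -> JOC Cockpit roles.
GROUP_ROLES_MAPPING = {"sos_admins": ["all"], "sos_viewers": ["it_operator"]}

_DN_SPECIAL = '\\,+"<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the in-memory matcher."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_dn(template: str, login: str) -> str:
    """Step 2 of the article: substitute the login for {0} in the userDnTemplate."""
    return template.replace("{0}", escape_dn_value(login))


def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'sos_admins' from 'cn=sos_admins,ou=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_from_member_of(entry: dict) -> list:
    """memberOf branch: group names taken straight from the account object."""
    return [rdn_value(g) for g in entry.get("memberOf", [])]


def search_groups(base: str, filter_template: str, name_attr: str, value: str) -> list:
    """Group search branch: evaluate a one-term filter such as '(member={0})'
    below the groupSearchBase and return the groupNameAttribute values."""
    filt = filter_template.replace("{0}", escape_filter_value(value))
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("only single (attr={0}) filters are modelled here")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    return [attrs[name_attr][0] for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and wanted in attrs.get(attr, [])]


def map_roles(groups: list) -> list:
    """Apply the groupRolesMapping; groups without a mapping contribute no role."""
    return sorted({r for g in groups for r in GROUP_ROLES_MAPPING.get(g, [])})


def resolve_roles(login: str, *, user_dn_template: str, group_search_base: str,
                  group_search_filter: str, group_name_attribute: str,
                  member_holds_login: bool) -> list:
    """Run the article's decision flow for one login and return its roles."""
    dn = user_dn(user_dn_template, login)
    entry = DIRECTORY.get(dn)
    if entry is None:
        return []  # no such account: authentication fails, no authorization step
    groups = groups_from_member_of(entry)
    if not groups:
        # member attribute holds either the login name or the full user DN
        value = login if member_holds_login else dn
        groups = search_groups(group_search_base, group_search_filter,
                               group_name_attribute, value)
    return map_roles(groups)


if __name__ == "__main__":
    for login in ("gauss", "euler", "gauss,ou=Admins"):
        print(login, resolve_roles(login, user_dn_template="uid={0},ou=People,dc=sos",
                                   group_search_base="ou=Groups,dc=sos",
                                   group_search_filter="(member={0})",
                                   group_name_attribute="cn", member_holds_login=False))
```

The account gauss resolves through memberOf, euler through the group search on the member attribute, and the login `gauss,ou=Admins` resolves to no roles because the escaped DN `uid=gauss\,ou\=Admins,ou=People,dc=sos` does not exist. The same escaping is what to check for in whichever realm or library performs the substitution in a real deployment.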
Logging
References
Use Cases
...
For debugging of LDAP Server connections