Posted to user@shiro.apache.org by Giancarlo Dessena <gi...@xyrality.com> on 2013/09/06 15:15:07 UTC

Mapping LDAP groups to shiro roles

Hello Everybody,

I have to anticipate that I just started with Shiro, so forgive me if I have misunderstood some of the concepts or am missing the right wording.
I have successfully set up my first Shiro project and managed to authenticate against our internal LDAP.
Now I'm trying to figure out how I can map LDAP groups to Shiro roles and I'm pretty much stuck.

What do I have to change in my configuration to make it work?

My shiro.ini
# =======================
# Shiro INI configuration
# =======================

[main]

sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher

ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm 
ldapRealm.userDnTemplate = uid={0},cn=users,dc=miniserver,dc=xyrality,dc=net
ldapRealm.contextFactory.url = ldap://miniserver.xyrality.net:389

securityManager.sessionManager.globalSessionTimeout = 1800000

[users]

[roles]

[urls]

If I have to implement my own role resolver, could you give me a sample source code to give me a kick start?

Greetings Carlo

Re: Mapping LDAP groups to shiro roles

Posted by Stuart Broad <st...@moogsoft.com>.
Hi Carlo,

You can use an ini configuration, something like (this might not work cut
and paste but hopefully you get the idea):

# -----------------------------------------------------------------------------
# LDAP AD Realm
# -----------------------------------------------------------------------------
[main]
ldapRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
ldapRealm.url = ldap://172.16.124.158:389
ldapRealm.groupRolesMap = "CN=Administrators,CN=Roles,CN=Employees,DC=MyCompany,DC=local":"admin","CN=Driver,CN=Roles,CN=Employees,DC=MyCompany,DC=local":"pleb"
ldapRealm.searchBase = CN=Employees,DC=MyCompany,DC=local
ldapRealm.systemUsername = stuart
ldapRealm.systemPassword = qwerty
ldapRealm.principalSuffix = @mycompany.com
# ldapRealm.rolePermissionResolver = $myRolePermissionResolver (you can also use your own to get permissions from e.g. a db)

rolePermissionResolver = com.moogsoft.shiro.IniRolePermissionResolver
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver

# -----------------------------------------------------------------------------
# Roles with assigned permissions
# roleName = perm1, perm2, ..., permN
# -----------------------------------------------------------------------------
[roles]

# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *

# The 'pleb' role can do the following:
pleb = x:*,y:close,other:*

I think the key part in understanding is the groupRolesMap, which turns the
LDAP groups into Shiro roles.  Also, within LDAP I have to give each user an
email address, e.g. username@mycompany.com (this was for the searching).

Cheers,

Stuart
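Stuart's config relies on ActiveDirectoryRealm, which already knows how to read group membership and apply a groupRolesMap. Carlo's setup uses the generic JndiLdapRealm, which authenticates by binding with the user DN but returns no roles, so the same group-to-role mapping has to be supplied by a subclass. The following is an added example written for this thread, not code from either poster or from the Shiro project. It overrides queryForAuthorizationInfo to search, with the realm's system account, for the groups whose membership attribute contains the user's DN and maps the matching group DNs to Shiro roles through a groupRolesMap property that is filled from shiro.ini exactly like the ActiveDirectoryRealm one. The package name example.shiro, the class name, the property names groupSearchBase / groupSearchFilter / groupRolesMap, the groupOfNames default filter and any DNs mentioned are assumptions, not part of Shiro.

```java
// Added example, not code from the thread or from Shiro itself: a JndiLdapRealm
// subclass that searches the groups a user belongs to and maps their DNs to Shiro
// roles through a groupRolesMap, as ActiveDirectoryRealm does for AD. The package,
// class and property names, the default filter and the DNs are assumptions.
package example.shiro;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;

public class GroupMappingLdapRealm extends JndiLdapRealm {

    // Subtree searched for groups, e.g. cn=groups,dc=miniserver,dc=xyrality,dc=net
    private String groupSearchBase = "";
    // Filter selecting the groups the user is in; {0} is bound to the user's DN.
    // Default fits groupOfNames; posixGroup would use (memberUid={0}) with the uid.
    private String groupSearchFilter = "(&(objectClass=groupOfNames)(member={0}))";
    // Normalised group DN -> Shiro role name, injected from the INI as "dn":"role" pairs.
    private final Map<String, String> groupRolesMap = new HashMap<String, String>();

    public void setGroupSearchBase(String base) { this.groupSearchBase = base; }
    public void setGroupSearchFilter(String filter) { this.groupSearchFilter = filter; }
    public void setGroupRolesMap(Map<String, String> map) {
        groupRolesMap.clear();
        for (Map.Entry<String, String> e : map.entrySet()) {
            groupRolesMap.put(normalizeDn(e.getKey()), e.getValue());
        }
    }

    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory ldapContextFactory) throws NamingException {
        String username = (String) getAvailablePrincipal(principals);
        String userDn = getUserDn(username); // expands userDnTemplate from the INI
        Set<String> groupDns;
        LdapContext ctx = null;
        try {
            // Search with the realm's system account, not with the user's own bind.
            ctx = ldapContextFactory.getSystemLdapContext();
            groupDns = findGroupDns(ctx, userDn);
        } finally {
            LdapUtils.closeContext(ctx);
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(mapGroupsToRoles(groupDns));
        return info;
    }

    // DNs of every group under groupSearchBase whose filter matches userDn.
    protected Set<String> findGroupDns(LdapContext ctx, String userDn) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // only the entry DN is needed
        Set<String> dns = new HashSet<String>();
        // userDn goes in as a filter argument so JNDI escapes it; a value containing
        // '*', '(' or ')' therefore cannot widen the filter.
        NamingEnumeration<SearchResult> results =
                ctx.search(groupSearchBase, groupSearchFilter, new Object[] { userDn }, controls);
        try {
            while (results.hasMore()) {
                dns.add(results.next().getNameInNamespace());
            }
        } finally {
            LdapUtils.closeEnumeration(results);
        }
        return dns;
    }

    // Groups without an entry in groupRolesMap confer no role at all.
    protected Set<String> mapGroupsToRoles(Set<String> groupDns) {
        Set<String> roles = new HashSet<String>();
        for (String dn : groupDns) {
            String role = groupRolesMap.get(normalizeDn(dn));
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    // DNs compare case-insensitively and may carry whitespace around the commas.
    private static String normalizeDn(String dn) {
        return dn.trim().replaceAll("\\s*,\\s*", ",").toLowerCase();
    }
}
```

To wire it in, point the realm at this class instead of JndiLdapRealm in [main] (ldapRealm = example.shiro.GroupMappingLdapRealm), keep userDnTemplate and contextFactory.url as they are, and add the three assumed properties, for instance ldapRealm.groupSearchBase = cn=groups,dc=miniserver,dc=xyrality,dc=net and ldapRealm.groupRolesMap = "cn=admins,cn=groups,dc=miniserver,dc=xyrality,dc=net":"admin". Two things are easy to miss: getSystemLdapContext() binds with ldapRealm.contextFactory.systemUsername / systemPassword, and without them it binds anonymously, in which case most directories return no group entries and every user silently ends up with no roles, so give the realm a read-only service account and keep shiro.ini out of version control since that password sits in it in clear text; and roles still map to permissions through ldapRealm.rolePermissionResolver exactly as in Stuart's config, because AuthorizingRealm resolves the roles this method returns through that resolver. In Shiro 1.3 and later JndiLdapRealm is deprecated in favour of DefaultLdapRealm, and the same override applies there.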


