Posted to commits@isis.apache.org by da...@apache.org on 2013/01/14 19:58:09 UTC

svn commit: r1433037 - in /isis/site/trunk/content: ./ components/security/shiro/ components/security/shiro/resources/

Author: danhaywood
Date: Mon Jan 14 18:58:08 2013
New Revision: 1433037

URL: http://svn.apache.org/viewvc?rev=1433037&view=rev
Log:
isis site - using ldap with shiro

Added:
    isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png   (with props)
    isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png   (with props)
    isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png   (with props)
    isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png   (with props)
    isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-users.png   (with props)
    isis/site/trunk/content/components/security/shiro/using-ldap.md
Modified:
    isis/site/trunk/content/components/security/shiro/about.md
    isis/site/trunk/content/documentation.md

Modified: isis/site/trunk/content/components/security/shiro/about.md
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/about.md?rev=1433037&r1=1433036&r2=1433037&view=diff
==============================================================================
--- isis/site/trunk/content/components/security/shiro/about.md (original)
+++ isis/site/trunk/content/components/security/shiro/about.md Mon Jan 14 18:58:08 2013
@@ -65,8 +65,6 @@ com.mycompany.myapp                     
 </pre>
 
 
-<!--
-### Configuring 
+### Configuring LDAP
 
-- [Using Apache DS for authentication](using-apache-ds-for-authentication.html)
--->
+Details of configuring the Shiro integration to work against an LDAP server can be found [here](using-ldap.html).
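Review bot: the link text "here" in `+Details of configuring the Shiro integration to work against an LDAP server can be found [here](using-ldap.html).` is not descriptive; link the page's own title instead, e.g. "see [Using Shiro with an LDAP Server](using-ldap.html)", so the anchor text still makes sense in a table of contents or search result. Removing the commented-out `using-apache-ds-for-authentication.html` reference is consistent with the documentation.md change in this same commit.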

Added: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png?rev=1433037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png?rev=1433037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png?rev=1433037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png?rev=1433037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-users.png
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-users.png?rev=1433037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: isis/site/trunk/content/components/security/shiro/resources/activeds-ldap-users.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: isis/site/trunk/content/components/security/shiro/using-ldap.md
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/components/security/shiro/using-ldap.md?rev=1433037&view=auto
==============================================================================
--- isis/site/trunk/content/components/security/shiro/using-ldap.md (added)
+++ isis/site/trunk/content/components/security/shiro/using-ldap.md Mon Jan 14 18:58:08 2013
@@ -0,0 +1,71 @@
+Title: Using Shiro with an LDAP Server
+
+Isis ships with an implementation of [Apache Shiro](http://shiro.apache.org)'s `Realm` class that allows user authentication and authorization to be performed against an LDAP server.
+
+The configuration required in the `WEB-INF/shiro.ini` file is:
+
+<pre>
+contextFactory = org.apache.isis.security.shiro.IsisLdapContextFactory
+contextFactory.url = ldap://localhost:10389
+contextFactory.authenticationMechanism = CRAM-MD5
+contextFactory.systemAuthenticationMechanism = simple
+contextFactory.systemUsername = uid=admin,ou=system
+contextFactory.systemPassword = secret
+
+ldapRealm = org.apache.isis.security.shiro.IsisLdapRealm
+ldapRealm.contextFactory = $contextFactory
+
+ldapRealm.searchBase = ou=groups,o=mojo
+ldapRealm.groupObjectClass = groupOfUniqueNames
+ldapRealm.uniqueMemberAttribute = uniqueMember
+ldapRealm.uniqueMemberAttributeValueTemplate = uid={0}
+
+ldapRealm.permissionsByRole=\
+   user_role = *:ToDoItemsJdo:*:*,\
+               *:ToDoItem:*:*; \
+   self-install_role = *:ToDoItemsFixturesService:install:* ; \
+   admin_role = *
+
+securityManager.realms = $ldapRealm
+</pre>
+
+where:
+
+* user accounts are searched under `ou=system`
+  * users have, at minimum, a `uid` attribute and a password
+  * SASL (CRAM-MD5) authentication is used for this authentication
+  * the users credentials are used to verify their user/password
+* groups are searched under `ou=groups,o=mojo` (where `mojo` is the company name)
+  * each group has an LDAP objectClass of `groupOfUniqueNames`
+  * each group has a vector attribute of `uniqueMember`
+  * each value of `uniqueMember` is in the form `uid=xxx`, with `xxx` being the uid of the user
+  * the group membership is looked up using the specified system user
+
+The above configuration has been tested against [ApacheDS](http://directory.apache.org/apacheds/), v1.5.7.  This can be administered using [Apache Directory Studio](http://directory.apache.org/studio/), v1.5.3.
+
+### Active DS LDAP Configuration
+
+The screenshot below shows the ApacheDS using Apache Directory Studio.  The setup here was initially base on [this tutorial](http://krams915.blogspot.co.uk/2011/01/ldap-apache-directory-studio-basic.html).  However, user accounts have been moved to a separate node.
+
+#### Configure Mojo partition and nodes under Root
+
+Create a partition in order to hold the mojo node (holding the groups)
+
+![ActiveDS LDAP Users](resources/activeds-ldap-mojo-partition.png)
+
+Create the `ou=groups,o=mojo` hierarchy
+
+![ActiveDS LDAP Users](resources/activeds-ldap-mojo-root-dse.png)
+
+Configure SASL authentication.  This means that the checking of user/password is done implicitly by virtue of Isis connecting to LDAP using these credentials.
+
+![ActiveDS LDAP Users](resources/activeds-ldap-sasl-authentication.png)
+
+In order for SASL to work, it seems to be necessary to put users under `o=system`.  (This is why the setup is slightly different than the tutorial mentioned above).
+
+![ActiveDS LDAP Users](resources/activeds-ldap-users.png)
+
+Configure the users into the groups.
+
+![ActiveDS LDAP Users](resources/activeds-ldap-groups.png)
+
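Review bot: the sample `WEB-INF/shiro.ini` combines a cleartext system credential (`+contextFactory.systemPassword = secret`) with an unencrypted `+contextFactory.url = ldap://localhost:10389` and `+contextFactory.systemAuthenticationMechanism = simple`, so the system bind sends that password in the clear; the page should state that the system account only needs read access to `ou=groups,o=mojo` (the bullet list says it is used solely to look up group membership), that production deployments should use `ldaps://` or an otherwise protected connection, and that the ini file holding the credential must not be world-readable or committed with a real password. The text is also inconsistent about where user entries live: the bullet list says `ou=system` (matching `uid=admin,ou=system`), while the SASL paragraph says `o=system`; one of these is a typo. Smaller points: "initially base on" should read "initially based on", "the users credentials" should be "the user's credentials", the heading "Active DS LDAP Configuration" should say "ApacheDS" like the rest of the page, and all five images share the alt text "ActiveDS LDAP Users" although they show the partition, root DSE, SASL settings, users and groups respectively.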

Modified: isis/site/trunk/content/documentation.md
URL: http://svn.apache.org/viewvc/isis/site/trunk/content/documentation.md?rev=1433037&r1=1433036&r2=1433037&view=diff
==============================================================================
--- isis/site/trunk/content/documentation.md (original)
+++ isis/site/trunk/content/documentation.md Mon Jan 14 18:58:08 2013
@@ -252,7 +252,7 @@ Title: Documentation
 ### Shiro [1.0.0](components/security/shiro/release-notes/about.html)
 
 - [About](components/security/shiro/about.html)
-- [Using Apache DS for authentication](components/security/shiro/using-apache-ds-for-authentication.html)
+- [Using LDAP](components/security/shiro/using-ldap.html)
 
 }
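Review bot: the new entry text in `+- [Using LDAP](components/security/shiro/using-ldap.html)` differs from the page's own title ("Using Shiro with an LDAP Server") and from the "Configuring LDAP" heading added to about.md in this commit; use one wording in all three places so readers can match the index entry to the page.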