Configuration Overview
Active Directory and standard LDAP are configured in the <auth> section of each server's configuration block:
Active Directory and standard LDAP are configured using the <realm> and <url> elements; the <user> element is used for
connections between Terracotta servers and is not required for LDAP-related configuration.
For presentation, the URLs used in this document use line breaks. Do not use line breaks when creating URLs in your configuration.
Realms and Roles
The setup for LDAP-based authentication and authorization uses Shiro realms to map user groups to one of the following two roles:
admin - The user with the admin role is the initial user who sets up security. Thereafter, the user with the admin role performs system functions such as shutting down servers, clearing or deleting caches and cache managers, and reloading configuration.
terracotta - The operator role is required to log in to the TMC, so even a user with the admin role must have the operator role. Thereafter, the person with the operator role can connect to the TMC and add connections.
URL Encoding
Certain characters used in the LDAP URL must be encoded, unless
wrapped in a CDATA construct. Characters that may be required in an LDAP URL are described below:
& (ampersand) - Encode as %26.
{ (left brace) - Encode as %7B.
} (right brace) - Encode as %7D.
Space - Encode as %20.
Spaces must always be encoded, even if wrapped in CDATA.
= (equals sign) - Does not require encoding.