BigMemory 4.3.9 | Product Documentation | BigMemory Max Security Guide | Using LDAP or Active Directory for Authentication | Active Directory Configuration
 
Active Directory Configuration
Specify the realm and URL in the <security> section of the Terracotta configuration as follows:
<auth>
<realm>com.tc.net.core.security.ShiroActiveDirectoryRealm</realm>
<url>ldap://admin_user@server_address:server_port/searchBase=search_domain%26
groupBindings=groups_to_roles</url>
<user></user>
</auth>
Note the value of the <realm> element, which must specify the correct class (or Shiro security realm) for Active Directory. The components of the URL are defined in the following table.
Component
Description
ldap://
For the scheme, use either ldap:// or ldaps://
admin_user
The name of a user with sufficient rights in Active Directory to perform a search in the domain specified by searchBase. The password for this user must be stored in the Terracotta keychain used by the Terracotta server, using as key the root of the LDAP URI, ldap://admin_user@server_name:server_port , with no trailing slash ("/").
The format of admin_user depends upon how Active Directory is configured. The following forms are supported.
Note:
References to shiro.ini that follow apply to the form fields in the TMC Active Directory Setup page used to generate the file ${ADMIN_HOME}/.tc/mgmt./shiro.ini.
Distinguished Name Template
<token>
Example: admin
shiro.ini:
ldapRealm.systemUsername = admin
ldapRealm.userDnTemplate = CN={0},CN=Users,DC=example,DC=com
ldapRealm.searchFilter = (&(objectClass=*)(CN={0}))
keychain entry examples:
bin/keychain.sh -O <keychain-file> ldap://admin@ad-server.lan::389
bin/keychain.sh -O <keychain-file> ldap://Admin+User@ad-server.lan::389
The attribute used for uniquely identifying a user (CN above) is installation-specific and should also be used as the searchFilter attribute.
userPrincipalName
<userPrincipalName> or <sAMAccountName>@<DNS_domain_name>
Example: admin@example.com
shiro.ini:
ldapRealm.systemUsername = admin@example.com
ldapRealm.searchFilter = (&(objectClass=*)(userPrincipalName={0}))
keychain entry example:
bin/keychain.sh -O <keychain-file> ldap://admin%40example.com@ad-server.lan:389
Domain
<domain_controller_name>\<sAMAccountName>
Example: example_domain\admin
shiro.ini:
ldapRealm.systemUsername = example_domain\admin
ldapRealm.searchFilter = (&(objectClass=*)(sAMAccountName={0}))
keychain entry examples:
bin/keychain.sh -O <keychain-file> ldap://mydomain%5Cadmin@ad-server.lan:389
displayName
<displayName>
Example: Admin User
shiro.ini:
ldapRealm.systemUsername = Admin User
ldapRealm.searchFilter = (&(objectClass=*)(displayName={0}))
keychain entry examples:
bin/keychain.sh -O <keychain-file> ldap://Admin+User@ad-server.lan:389
server_address:server_port
The IP address or resolvable fully qualified domain name of the server, and the port for Active Directory.
searchBase
Specifies the Active Directory domain to be searched. For example, if the Active Directory domain is reggae.jamaica.org, then the format is searchBase=dc=reggae,dc=jamaica,dc=org
groupBindings
Specifies the mappings between Active Directory groups and Terracotta roles. For example, groupBindings=Domain%20Admins=admin,Users=terracotta maps the Active Directory groups "Domain Admins" and "Users" to the "admin" and "terracotta" Terracotta roles, respectively. To be mapped, the named Active Directory groups must be part of the domain specified in searchBase; all other groups (including those with the specified names) in other domains are ignored.
searchFilter
Specifies the user search query filter used to check for roles. This needs to match how your Active Directory installation uniquely identifies users.
Distinguished Name Template
The attribute your userDnTemplate specifies for the value replacement token (CN in the above example) should also be used in the searchFilter:
(&(objectClass=*)( sAMAccountName={0}))
userPrincipalName
(&(objectClass=*)( userPrincipalName={0}))
distinguishedName
(&(objectClass=*)( distinguishedName={0}))
displayName
(&(objectClass=*)( displayName={0}))
Domain
For the domain binding (e.g. <domain_controller_name>\sAMAccountName), the searchFilter must be:
(&(objectClass=*)(sAMAccountName={0}))
The default searchFilter is (&(objectClass=*)(CN={0})).
For example:

<auth>
<realm>com.tc.net.core.security.ShiroActiveDirectoryRealm</realm>
<url>ldap://bmarley@172.16.254.1:389?searchBase=dc=reggae,dc=jamaica,dc=org%26
groupBindings=Domain%20Admins=admin,Users=terracotta
searchFilter=(&(objectClass=*)(sAMAccountName=%7B0%7D))
</url>
<user></user>
</auth>
Using CDATA:
<auth>
<realm>com.tc.net.core.security.ShiroActiveDirectoryRealm</realm>
<url> <![CDATA[
ldap://bmarley@172.16.254.1:389?searchBase=dc=reggae,dc=jamaica,dc=org&
groupBindings=Domain%20Admins=admin,Users=terracotta&
searchFilter=(&(objectClass=*)(sAMAccountName=%7B0%7D))
]]>
</url>
<user></user>
</auth>