BigMemory 4.3.9 | Product Documentation | BigMemory Max Security Guide | Using LDAP or Active Directory for Authentication | Configuration Overview
 
Configuration Overview
Active Directory and standard LDAP are configured in the <auth> section of each server's configuration block:
<servers secure="true">
<server host="172.16.254.1" name="server1">
...
<security>
...
<auth>
<realm>...</realm>
<url>...</url>
<user>...</user>
</auth>
</security>
...
</server>
Active Directory and standard LDAP are configured using the <realm> and <url> elements; the <user> element is used for connections between Terracotta servers and is not required for LDAP-related configuration.
For presentation, the URLs used in this document use line breaks. Do not use line breaks when creating URLs in your configuration.
Realms and Roles
The setup for LDAP-based authentication and authorization uses Shiro realms to map user groups to one of the following two roles:
*admin - The user with the admin role is the initial user who sets up security. Thereafter, the user with the admin role performs system functions such as shutting down servers, clearing or deleting caches and cache managers, and reloading configuration.
*terracotta - The operator role is required to log in to the TMC, so even a user with the admin role must have the operator role. Thereafter, the person with the operator role can connect to the TMC and add connections.
URL Encoding
Certain characters used in the LDAP URL must be encoded, unless wrapped in a CDATA construct. Characters that may be required in an LDAP URL are described below. Refer to RFC3986, Appendix A, for the full grammar.
*& (ampersand) - Encode as %26.
*{ (left brace) - Encode as %7B.
*} (right brace) - Encode as %7D.
*\ (backslash) - Encode as %5C.
*@ (at sign) - Encode as %40.
*Space - Encode as %20. Spaces must always be encoded, even if wrapped in CDATA.