Standard LDAP Configuration
Specify the realm and URL in the <security> section of the Terracotta configuration as follows:
<auth>
  <realm>com.tc.net.core.security.ShiroLdapRealm</realm>
  <url>ldap://directory_manager@myLdapServer:636?userDnTemplate=cn=%7B0%7D,ou=users,dc=mycompany,dc=com%26groupDnTemplate=cn=%7B0%7D,ou=groups,dc=mycompany,dc=com%26groupAttribute=uniqueMember%26groupBindings=bandleaders=admin,bandmembers=terracotta</url>
  <user></user>
</auth>
Note the value of the <realm> element, which must name the correct class (the Shiro security realm) for the directory type in use; for standard LDAP that is com.tc.net.core.security.ShiroLdapRealm. The components of the URL are defined in the following table.
Component | Description
ldap:// | The scheme: use either ldap:// or ldaps://.
directory_manager | The name of a user with sufficient rights on the LDAP server to perform searches. No user is required if anonymous lookups are allowed. If a user is required, the user's password must be stored in the Terracotta keychain, using as the key the root of the LDAP URL, ldap://admin_user@server_name:server_port, with no trailing slash ("/").
server_address:server_port | The IP address or resolvable fully qualified domain name of the LDAP server, and the LDAP server port.
userDnTemplate | Specifies the user-template values. See the example below.
groupDnTemplate | Specifies the group-template values. See the example below.
groupAttribute | Specifies the LDAP group attribute whose value uniquely identifies a user. The default is "uniqueMember". See the example below.
groupBindings | Specifies the mappings between LDAP groups and Terracotta roles. For example, groupBindings=bandleaders=admin,bandmembers=terracotta maps the LDAP groups "bandleaders" and "bandmembers" to the Terracotta roles "admin" and "terracotta", respectively.
For example:
<auth>
  <realm>com.tc.net.core.security.ShiroLdapRealm</realm>
  <url>ldap://dizzy@172.16.254.1:636?userDnTemplate=cn=%7B0%7D,ou=users,dc=mycompany,dc=com%26groupDnTemplate=cn=%7B0%7D,ou=groups,dc=mycompany,dc=com%26groupAttribute=uniqueMember%26groupBindings=bandleaders=admin,bandmembers=terracotta</url>
  <user></user>
</auth>
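As an added check (example code, not part of the Terracotta documentation or product), the following Python builds a <url> value from its components and decodes one back, verifying the encoded {0} placeholders, the ldap/ldaps scheme, and the keychain key for the bind user. It assumes the URL is one unbroken string whose parameters are separated by the encoded ampersand %26, as in the example above.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample: the example URL from this page, assumed to be one unbroken string.
PAGE_EXAMPLE_URL = (
    "ldap://dizzy@172.16.254.1:636?"
    "userDnTemplate=cn=%7B0%7D,ou=users,dc=mycompany,dc=com%26"
    "groupDnTemplate=cn=%7B0%7D,ou=groups,dc=mycompany,dc=com%26"
    "groupAttribute=uniqueMember%26"
    "groupBindings=bandleaders=admin,bandmembers=terracotta"
)

def build_ldap_url(scheme, bind_user, host, port, user_dn, group_dn,
                   group_attr="uniqueMember", bindings=None):
    """Assemble the <url> value. '{0}' and the '&' between parameters are
    percent-encoded (%7B0%7D, %26) so the query survives as one opaque string."""
    pairs = [("userDnTemplate", user_dn), ("groupDnTemplate", group_dn),
             ("groupAttribute", group_attr),
             ("groupBindings", ",".join(f"{g}={r}" for g, r in (bindings or {}).items()))]
    query = "%26".join(f"{k}={quote(v, safe='=,')}" for k, v in pairs)
    userinfo = f"{bind_user}@" if bind_user else ""
    return f"{scheme}://{userinfo}{host}:{port}?{query}"

def parse_ldap_url(url):
    """Decode a realm URL into its parts and check what the page requires: an
    ldap/ldaps scheme, a {0} placeholder in each template, and the keychain key
    (root of the URL, no trailing slash) under which the bind password is stored."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    params = {}
    for item in parts.query.split("%26"):      # parameters are joined by an encoded '&'
        key, _, value = item.partition("=")
        params[key] = unquote(value)           # %7B0%7D becomes {0} again
    for tmpl in ("userDnTemplate", "groupDnTemplate"):
        if "{0}" not in params.get(tmpl, ""):
            raise ValueError(f"{tmpl} must contain the {{0}} placeholder")
    bindings = dict(b.split("=", 1) for b in params.get("groupBindings", "").split(",") if b)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    return {
        "scheme": parts.scheme,
        "bind_user": userinfo or None,         # None: anonymous lookups
        "host": hostport.rsplit(":", 1)[0],
        "port": parts.port,
        "keychain_key": f"{parts.scheme}://{parts.netloc}" if userinfo else None,
        "userDnTemplate": params["userDnTemplate"],
        "groupDnTemplate": params["groupDnTemplate"],
        "groupAttribute": params.get("groupAttribute", "uniqueMember"),
        "groupBindings": bindings,
    }
```

Running parse_ldap_url on a URL you intend to place in <url> shows exactly which DN templates, group attribute and role bindings the server would see, and which keychain key the bind password must be stored under.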
This implies that the LDAP directory is structured like the following:
+ dc=com
    + dc=mycompany
        + ou=groups
            + cn=bandleaders
            |   uniqueMember=dizzy
            |   uniqueMember=duke
            + cn=bandmembers
            |   uniqueMember=art
            |   uniqueMember=bird
If, however, the LDAP directory is structured like the following:
+ dc=com
    + dc=mycompany
        + ou=groups
            + cn=bandleaders
            |   musician=dizzy
            |   musician=duke
            + cn=bandmembers
            |   musician=art
            |   musician=bird
then the value of groupAttribute should be "musician".