Hi Carlo,

You can use an ini configuration, something like this (it might not work cut-and-paste, but hopefully you get the idea):

# -----------------------------------------------------------------------------
# LDAP AD Realm
# -----------------------------------------------------------------------------
[main]
ldapRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
ldapRealm.url = ldap://172.16.124.158:389
ldapRealm.groupRolesMap = "CN=Administrators,CN=Roles,CN=Employees,DC=MyCompany,DC=local":"admin","CN=Driver,CN=Roles,CN=Employees,DC=MyCompany,DC=local":"pleb"
ldapRealm.searchBase = CN=Employees,DC=MyCompany,DC=local
ldapRealm.systemUsername = stuart
ldapRealm.systemPassword = qwerty
ldapRealm.principalSuffix = @mycompany.com
#ldapRealm.rolePermissionResolver = $myRolePermissionResolver (you can also use your own to get permissions from e.g. a db)
rolePermissionResolver = com.moogsoft.shiro.IniRolePermissionResolver
rolePermissionResolver.ini = $iniRealm
ldapRealm.rolePermissionResolver = $rolePermissionResolver

# -----------------------------------------------------------------------------
# Roles with assigned permissions
# roleName = perm1, perm2, ..., permN
# -----------------------------------------------------------------------------
#
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'pleb' role can do the following:
pleb = x:*,y:close,other:*

I think the key part in understanding it is the groupRolesMap, which turns the LDAP groups into Shiro roles. Also, within LDAP I have to give each user an email address, e.g. [email protected] (this was for the searching).

Cheers,
Stuart

On Fri, Sep 6, 2013 at 2:15 PM, Giancarlo Dessena <[email protected]> wrote:
> Hello Everybody,
>
> I have to anticipate that I just started with Shiro, so forgive me if I
> have misunderstood some of the concepts or am missing the right wording.
> I have successfully set up my first Shiro project and managed to
> authenticate against our internal LDAP.
> Now I'm trying to figure out how I can map LDAP groups to Shiro roles and I'm
> pretty much stuck.
>
> What do I have to change in my configuration to make it work?
>
> My shiro.ini:
>
> # =======================
> # Shiro INI configuration
> # =======================
>
> [main]
>
> sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>
> ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
> ldapRealm.userDnTemplate = uid={0},cn=users,dc=miniserver,dc=xyrality,dc=net
> ldapRealm.contextFactory.url = ldap://miniserver.xyrality.net:389
>
> securityManager.sessionManager.globalSessionTimeout = 1800000
>
> [users]
>
> [roles]
>
> [urls]
>
> If I have to implement my own role resolver, could you give me some sample
> source code to give me a kick start?
>
> Greetings, Carlo
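A worked role resolver of the kind Carlo asked for, as an added example that is not code from this thread, from Moogsoft's IniRolePermissionResolver, or from Shiro itself. It implements Shiro's org.apache.shiro.authz.permission.RolePermissionResolver interface and turns the role names that groupRolesMap produces (admin, pleb) into WildcardPermissions. The class name MapRolePermissionResolver, the package example, the roleDefinitions property and the in-memory role table are assumptions made for the example; a real deployment would load the table from a database or another store.

```java
package example;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;

/**
 * Hypothetical RolePermissionResolver (not part of Shiro): maps a Shiro role
 * name, i.e. the value side of ActiveDirectoryRealm.groupRolesMap, to the
 * WildcardPermissions granted to that role. The table is an in-memory map
 * here purely for the example.
 */
public class MapRolePermissionResolver implements RolePermissionResolver {

    // role name -> comma-separated permission strings, e.g. "x:*,y:close,other:*"
    private Map<String, String> roleDefinitions = new HashMap<>();

    public MapRolePermissionResolver() {
        // No-arg constructor so Shiro's ini builder can instantiate the class.
    }

    /** JavaBean setter so the ini line rolePermissionResolver.roleDefinitions = "admin":"*",... can fill the table. */
    public void setRoleDefinitions(Map<String, String> roleDefinitions) {
        this.roleDefinitions = new HashMap<>(roleDefinitions);
    }

    @Override
    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        String defs = roleDefinitions.get(roleString);
        if (defs == null || defs.trim().isEmpty()) {
            // Unknown or empty role resolves to no permissions, so checks fail closed.
            return Collections.emptyList();
        }
        List<Permission> result = new ArrayList<>();
        // Plain comma split: a single permission that itself lists several actions
        // with commas (e.g. x:read,write) must be written as separate entries here.
        for (String p : defs.split(",")) {
            String trimmed = p.trim();
            if (!trimmed.isEmpty()) {
                result.add(new WildcardPermission(trimmed));
            }
        }
        return result;
    }

    /** True if any permission granted to the role implies the requested permission string. */
    public boolean roleImplies(String role, String requested) {
        Permission wanted = new WildcardPermission(requested);
        for (Permission granted : resolvePermissionsInRole(role)) {
            if (granted.implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample table mirroring the [roles] section in Stuart's ini.
        Map<String, String> defs = new HashMap<>();
        defs.put("admin", "*");
        defs.put("pleb", "x:*,y:close,other:*");
        MapRolePermissionResolver resolver = new MapRolePermissionResolver();
        resolver.setRoleDefinitions(defs);

        System.out.println("admin  -> y:delete : " + resolver.roleImplies("admin", "y:delete"));
        System.out.println("pleb   -> x:read   : " + resolver.roleImplies("pleb", "x:read"));
        System.out.println("pleb   -> y:delete : " + resolver.roleImplies("pleb", "y:delete"));
        System.out.println("nobody -> x:read   : " + resolver.roleImplies("nobody", "x:read"));
    }
}
```

To wire it into the [main] section in place of the Moogsoft class, declare `rolePermissionResolver = example.MapRolePermissionResolver`, fill the table with the same quoted map syntax the page already uses for groupRolesMap (`rolePermissionResolver.roleDefinitions = "admin":"*","pleb":"x:*,y:close,other:*"`), and keep `ldapRealm.rolePermissionResolver = $rolePermissionResolver`; the realm then asks the resolver for each role that groupRolesMap assigned to the authenticated user's LDAP groups. Two things to check on the posted configurations before taking them to production: both connect over plain ldap:// on port 389, so the bind credentials and user passwords cross the wire unencrypted unless the directory enforces StartTLS, and the system account password sits in clear text in shiro.ini, so the file needs tight permissions and the account should be a read-only search user.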
