shiro-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SHIRO-127) Improvements to Shiro's LDAP support
Date Thu, 22 Jul 2010 22:53:50 GMT

[ https://issues.apache.org/jira/browse/SHIRO-127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12891380#action_12891380 ]

Emmanuel Lecharny commented on SHIRO-127:
-----------------------------------------

Checking the code in ActiveDirectoryRealm.java, it's *very* likely that you'll have a lot
of trouble if you don't take care of a few points:

- code like (line 190):
    ...
    if (attr.getID().equals("memberOf")) {
    ...
won't work if the attr stores the ID in upper case, or all in lower case. attr.getID() may
return any of these values:
* memberof
* MEMBEROF
* MemberOf
* MeMbErOf
* the OID (I don't know what is the memberOf's OID, but be ready to deal with things like
2.5.4.11...)

- when creating a NamingEnumeration, *always* close it, otherwise you'll get some nasty errors
(like very long delays if you are using an LDAP connection pool). Good luck finding the origin
of those delays if you don't know that the NE must be closed...

so
try {
  // use the NamingEnumeration
} finally {
  namingEnumeration.close();
}
 
- a filter like (line 171):
String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
is strictly equivalent to
String searchFilter = "(userPrincipalName={0})";

Of course, check that the userPrincipalName is indexed, otherwise a search using this filter
will do a full scan...

- be *very* careful when manipulating a DN. For the same reason as in point #1, a DN may
have multiple forms. Using the DN as a String is likely to carry some strange errors too (like
you don't find a match with a given DN). Comparing 2 DNs is *not* something simple, you won't
be able to whip it up in less than one week, trust me on that.

If you want a way to identify an entry by an invariant value, don't use the DN, use the entryUUID
attribute. It's unique, it's invariant, it's case insensitive.



> Improvements to Shiro's LDAP support
> ------------------------------------
>
>                 Key: SHIRO-127
>                 URL: https://issues.apache.org/jira/browse/SHIRO-127
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Realms 
>            Reporter: Philippe Laflamme
>         Attachments: shiro-127.patch
>
>
> Following this mailing list discussion: http://n2.nabble.com/Confusion-with-the-LDAP-Realm-tp4268254p4268254.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
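The comment above covers three JNDI pitfalls in one realm: matching an attribute ID case-sensitively, forgetting to close a NamingEnumeration, and comparing DNs as plain strings. The following is an added example written for this archive page, not code from Shiro or from the commenter; it builds an entry in memory with javax.naming.directory.BasicAttributes (constructed sample data, no LDAP server involved) so the behaviour can be checked offline. The class name LdapAttrExample and the helper names are assumptions for illustration.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.LdapName;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical helper, not Shiro's ActiveDirectoryRealm).
public class LdapAttrExample {

    /**
     * Collect the values of the attribute whose ID equals {@code wanted} ignoring case,
     * so "memberOf", "MEMBEROF" and "memberof" all match. Both NamingEnumerations are
     * closed in finally: NamingEnumeration is not AutoCloseable, so try-with-resources
     * cannot be used and an explicit close() is required.
     */
    public static List<String> valuesIgnoreCase(Attributes attrs, String wanted)
            throws NamingException {
        List<String> values = new ArrayList<>();
        NamingEnumeration<? extends Attribute> attrEnum = attrs.getAll();
        try {
            while (attrEnum.hasMore()) {
                Attribute attr = attrEnum.next();
                if (!attr.getID().equalsIgnoreCase(wanted)) {
                    continue;
                }
                NamingEnumeration<?> valueEnum = attr.getAll();
                try {
                    while (valueEnum.hasMore()) {
                        values.add(String.valueOf(valueEnum.next()));
                    }
                } finally {
                    valueEnum.close();
                }
            }
        } finally {
            attrEnum.close();
        }
        return values;
    }

    /** The case-sensitive check from the realm, kept for comparison. */
    public static boolean naiveMatch(Attribute attr, String wanted) {
        return attr.getID().equals(wanted);
    }

    /**
     * Compare two DNs structurally with LdapName instead of String.equals. LdapName
     * parses each RDN and compares attribute types and string values ignoring case
     * and spacing around separators.
     */
    public static boolean sameDn(String a, String b) throws NamingException {
        return new LdapName(a).equals(new LdapName(b));
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample entry: the server returned the ID in upper case.
        // ignoreCase=true also makes attrs.get("memberOf") succeed regardless of case.
        BasicAttributes entry = new BasicAttributes(true);
        entry.put(new BasicAttribute("MEMBEROF", "CN=Admins,OU=Groups,DC=example,DC=com"));
        entry.put(new BasicAttribute("userPrincipalName", "alice@example.com"));

        Attribute raw = entry.get("memberOf");
        System.out.println("naive equals(\"memberOf\"): " + naiveMatch(raw, "memberOf"));   // false
        System.out.println("ignore-case values: " + valuesIgnoreCase(entry, "memberOf"));   // [CN=Admins,...]

        String dn1 = "CN=Admins,OU=Groups,DC=example,DC=com";
        String dn2 = "cn=Admins, ou=Groups, dc=example, dc=com";
        System.out.println("String.equals: " + dn1.equals(dn2));   // false
        System.out.println("LdapName.equals: " + sameDn(dn1, dn2)); // true
    }
}
```

LdapName equality is a syntactic normalization (case and whitespace), not schema-aware matching: it does not know which attribute types the directory treats as case-exact, and it does not help with the OID form of an attribute type that the comment warns about, so for an invariant identifier the entryUUID recommendation above still applies.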

