shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Russell Miller (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-538) AD and JndiLdapContextFactory don't work well together
Date Thu, 06 Aug 2015 21:45:04 GMT
Russell Miller created SHIRO-538:
------------------------------------

             Summary: AD and JndiLdapContextFactory don't work well together
                 Key: SHIRO-538
                 URL: https://issues.apache.org/jira/browse/SHIRO-538
             Project: Shiro
          Issue Type: Bug
          Components: Realms 
    Affects Versions: 1.2.3
            Reporter: Russell Miller
            Priority: Minor


All of the documentation I have read says to do something similar to this when setting up
AD:

[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldaps://ad.domain.com:636
contextFactory.systemUsername = shiro@domain.com
contextFactory.systemPassword = password
contextFactory.environment[java.naming.security.protocol] = ssl

realm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = "CN=Users,DC=DOMAIN,DC=com"
realm.groupRolesMap = "CN=ShiroUsers,CN=Users,DC=DOMAIN,DC=com":"ShiroUsersRole"

It doesn't work.  The reason is that searchBase is not exposed in the JndiLdapContextFactory,
but it still overrides searchBase.  Thus when injecting a JndiLdapContextFactory into an ActiveDirectoryRealm,
it is not possible to set a searchBase without overriding JndiLdapContextFactory.

And the worst thing is, this isn't even needed.   If you set the url in the AD realm to ldaps://blah:636,
it automatically uses SSL and a context factory isn't even needed.

Suggest updating the docs where appropriate, and suggest fixing JndiLdapContextFactory so
that it can handle SearchBase.

Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message