shiro-user mailing list archives

From Les Hazlewood
Subject Re: Improved JndiLdapRealm Class
Date Wed, 07 Mar 2012 21:00:06 GMT
Hi Chuck,

First, welcome to the Shiro community - we're happy to have you
participate!  There is nothing wrong with requesting feature
enhancements/updates and contributing fixes and fostering related
discussion.  In fact, we hope that the community does this on a
regular basis for any of the Shiro components.  This is a
community-driven project, so we rely on folks like you to help things
become better.  So thanks!

As for this particular issue, could you please open a Jira issue to
capture the code and configuration documentation?

All project features/work are managed via Jira, so unless it is
reported there, it will be lost.

We look forward to your submission!


Les Hazlewood
CTO, Katasoft | 888.391.5282
twitter: @lhazlewood

On Wed, Mar 7, 2012 at 11:05 AM, Charles Syperski wrote:
> Hello,
> I am new to this list and Shiro; I have only been testing it for two days,
> so please be gentle.
> I have found the JndiLdapRealm to be VERY limiting, especially since it only
> allows a single OU due to the use of 'userDnTemplate'.  I have extended the
> JndiLdapRealm class to allow for sub-tree searches with a base OU as well as
> customized search filters.  I wanted to post it to this list for two
> reasons, the first is to make sure I am not doing something stupid with the
> framework since I am pretty new to it.  I also wanted to share it with
> anyone else that might be having issues with the current LDAP
> implementation.
> Here is the source:
> Your shiro.ini would change as follows:
> ldapRealm = [yourpackagename].CWSJndiLdapRealm
> # No longer needed!
> #ldapRealm.userDnTemplate = cn={0},ou=test,o=test
> # NEW - The search root
> ldapRealm.searchBase = o=dist88
> # NEW - any valid searchFilter like (&(objectCategory=person)(objectClass=user)(uid={0}))
> ldapRealm.searchFilter = (cn={0})
> ldapRealm.contextFactory.url = ldap://X.X.X.X:389
> ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
> ldapRealm.contextFactory.systemUsername = cn=someuser,o=test
> ldapRealm.contextFactory.systemPassword = somepassword
> If multiple objects match the searchFilter, then it will cycle through all
> of them and attempt to authenticate.
> Since I am new, if I am doing this all wrong, or if there is a better way,
> please let me know.
> Thanks,
> Chuck
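
The search-then-bind configuration in the quoted message substitutes the login name into `searchFilter` and then tries every matching entry. The sketch below is an added example, not code from the original post or from Shiro: it escapes the login name per RFC 4515 before substitution and shows a stricter variant that accepts exactly one match. The class name, method names, and sample DNs are hypothetical.

```java
import java.util.List;

// Added illustration; class and method names are hypothetical, not part of Shiro.
public class SearchFilterExample {

    // Escape a value for use inside an LDAP search filter (RFC 4515).
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Substitute the escaped login name for {0} in a template such as (cn={0}).
    static String buildFilter(String template, String username) {
        return template.replace("{0}", escapeFilterValue(username));
    }

    // Stricter alternative to trying every match: accept exactly one entry.
    static String requireSingleMatch(List<String> matchedDns) {
        if (matchedDns.size() != 1) {
            throw new IllegalStateException("expected 1 entry, found " + matchedDns.size());
        }
        return matchedDns.get(0);
    }

    public static void main(String[] args) {
        String template = "(cn={0})"; // the searchFilter value from the shiro.ini above
        // Constructed login names: one ordinary, two containing filter metacharacters.
        for (String name : new String[] {"chuck", "ch*ck", "a)(cn=*"}) {
            System.out.println(name + " -> " + buildFilter(template, name));
        }
        // Constructed search results (the DNs are made up for this example).
        System.out.println(requireSingleMatch(List.of("cn=chuck,ou=staff,o=dist88")));
        try {
            requireSingleMatch(List.of("cn=chuck,ou=staff,o=dist88", "cn=chuck,ou=lab,o=dist88"));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the escaping in place, a login name containing `*`, `(` or `)` is matched literally instead of changing the shape of the filter, and an ambiguous search fails closed instead of binding against each candidate in turn.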
