From: Les Hazlewood
To: user@shiro.apache.org
Date: Tue, 8 Jan 2013 09:57:52 -0800
Subject: Re: ActiveDirectoryRealm hasRole?

Hi John,

I'm surprised to hear of this since I'm unaware of it failing for others (but maybe others subclass it often and this isn't a problem - who knows). Can you please provide a patch to fix it? We can incorporate a patch asap.

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Mon, Jan 7, 2013 at 9:33 PM, John Vines <vines@apache.org> wrote:
> Anyone have any idea on this one? This not working sorta defeats the
> purpose of using LDAP as an authorization realm.
>
> On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vines@apache.org> wrote:
>> So I was able to determine that subjectPrincipalName was not being set,
>> so adding that actually got the ldap query on line 174 to return something.
>> However, memberOf is not part of the result set. So it returns nothing.
>> However, I was able to query it successfully using ldp and see the memberOf
>> attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?
>>
>> On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lhazlewood@apache.org> wrote:
>>> Hi John,
>>>
>>> Here's the part of code that does the ActiveDirectory role lookup:
>>>
>>> http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136
>>>
>>> It uses the 'memberOf' attribute to determine Roles.
>>>
>>> HTH!
>>>
>>> On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vines@apache.org> wrote:
>>> > I will preface this with I am fairly green when it comes to LDAP and AD. The
>>> > ActiveDirectoryRealm.hasRole() call, does that work against a Role or a
>>> > Group? If the former, is there a way to do checks against Group membership
>>> > from SecurityManager? I'm having issues having hasRole work against an AD
>>> > instance and I find myself to be a bit stuck due to lack of knowledge of
>>> > both AD/LDAP and Shiro's role/permission support.
>>> >
>>> > Thanks
>>> > John
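The role lookup the thread is about, as an added Python illustration that is not Shiro's code (Shiro's ActiveDirectoryRealm is Java; Python is used here so the sketch runs offline): the group DNs in a user's memberOf attribute are mapped onto role names that a hasRole() check then tests, and a search result that carries no memberOf at all yields no roles, which is the symptom John describes. The sample entries, the group-to-role map and the DN normalisation are constructed assumptions, not taken from the thread or from Shiro.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of an AD search result for one user (attribute -> values); names made up.
SAMPLE_USER = {
    "userPrincipalName": ["alice@example.com"],
    "memberOf": [
        "CN=Accumulo Admins,OU=Groups,DC=example,DC=com",
        "CN=Staff,OU=Groups,DC=EXAMPLE,DC=COM",
    ],
}
# Same user, but memberOf never came back: the symptom described in the thread.
SAMPLE_USER_NO_MEMBEROF = {"userPrincipalName": ["alice@example.com"]}
# Group DN -> comma-separated roles, in the spirit of a groupRolesMap (constructed).
GROUP_ROLES_MAP = {
    "cn=accumulo admins, ou=groups, dc=example, dc=com": "admin,user",
    "CN=Staff,OU=Groups,DC=example,DC=com": "user",
}
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")

def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: lower-cased RDNs, whitespace around unescaped commas dropped."""
    return ",".join(r.strip().lower() for r in _UNESCAPED_COMMA.split(dn))

def get_attr(entry: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """LDAP attribute names are case-insensitive: 'memberof' == 'memberOf'."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return None

def roles_for_groups(member_of: Iterable[str], group_roles_map: Dict[str, str]) -> Set[str]:
    """Map every group DN the user is a member of onto its configured roles."""
    canonical = {normalize_dn(k): v for k, v in group_roles_map.items()}
    roles: Set[str] = set()
    for dn in member_of:
        mapped = canonical.get(normalize_dn(dn), "")
        roles.update(r.strip() for r in mapped.split(",") if r.strip())
    return roles

def authorize(entry: Dict[str, List[str]], group_roles_map: Dict[str, str]) -> Tuple[Set[str], str]:
    """Return (roles, diagnostic). hasRole() is false both when memberOf is absent
    and when no group maps to a role; the diagnostic tells the two cases apart."""
    member_of = get_attr(entry, "memberOf")
    if member_of is None:
        return set(), "memberOf attribute missing from search result"
    roles = roles_for_groups(member_of, group_roles_map)
    return roles, ("ok" if roles else "memberOf present but no group maps to a role")

def has_role(entry: Dict[str, List[str]], group_roles_map: Dict[str, str], role: str) -> bool:
    return role in authorize(entry, group_roles_map)[0]
```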