SHIRO-538: AD and JndiLdapContextFactory don't work well together


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.2.3
    • Fix Version/s: None
    • Component/s: Realms
    • Labels: None

    Description

      All of the documentation I have read says to do something similar to this when setting up AD:

      [main]
      contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
      contextFactory.url = ldaps://ad.domain.com:636
      contextFactory.systemUsername = shiro@domain.com
      contextFactory.systemPassword = password
      contextFactory.environment[java.naming.security.protocol] = ssl

      realm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
      realm.ldapContextFactory = $contextFactory
      realm.searchBase = "CN=Users,DC=DOMAIN,DC=com"
      realm.groupRolesMap = "CN=ShiroUsers,CN=Users,DC=DOMAIN,DC=com":"ShiroUsersRole"

      It doesn't work. The reason is that searchBase is not exposed in the JndiLdapContextFactory, but it still overrides searchBase. Thus when injecting a JndiLdapContextFactory into an ActiveDirectoryRealm, it is not possible to set a searchBase without overriding JndiLdapContextFactory.

      And the worst thing is, this isn't even needed. If you set the url in the AD realm to ldaps://blah:636, it automatically uses SSL and a context factory isn't even needed.

      Suggest updating the docs where appropriate, and suggest fixing JndiLdapContextFactory so that it can handle SearchBase.

      Thanks.
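The simplified setup the report describes, as an added example that is not part of the issue and not the Shiro project's own documentation: the ActiveDirectoryRealm is configured directly and builds its own context factory, so searchBase stays settable on the realm. It assumes Shiro 1.2.x, where ActiveDirectoryRealm inherits the url, systemUsername, systemPassword and searchBase properties from AbstractLdapRealm, and it reuses the host, account and DN placeholders from the report.

```ini
# Added example (not from the issue or the Shiro project): ActiveDirectoryRealm
# configured without a separately injected JndiLdapContextFactory.
# Host, service account and DNs are the placeholders used in the report.
[main]
realm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm

# An ldaps:// URL is enough for the JNDI LDAP provider to use TLS; the
# contextFactory.environment[java.naming.security.protocol] = ssl entry
# from the report is not needed here.
realm.url = ldaps://ad.domain.com:636

# Bind account used only for user and group lookups. Use a read-only,
# low-privilege account: the password sits in plain text in shiro.ini,
# so restrict the file's permissions accordingly.
realm.systemUsername = shiro@domain.com
realm.systemPassword = password

# searchBase is set on the realm itself, which is the property the report
# says cannot be set once a JndiLdapContextFactory is injected.
realm.searchBase = "CN=Users,DC=DOMAIN,DC=com"

# Map the AD group DN to the Shiro role name used in authorization checks.
realm.groupRolesMap = "CN=ShiroUsers,CN=Users,DC=DOMAIN,DC=com":"ShiroUsersRole"

# Wire the realm into the security manager.
securityManager.realms = $realm
```

With ldaps:// the JVM validates the domain controller's certificate against its default truststore, so the AD server certificate (or its issuing CA) must be trusted by the application's JVM for the bind to succeed.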

People

  Assignee: Unassigned
  Reporter: Russell Miller (rmiller)
  Votes: 0
  Watchers: 1