Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
1.2.3
-
None
-
None
Description
All of the documentation I have read says to do something similar to this when setting up AD:
[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldaps://ad.domain.com:636
contextFactory.systemUsername = shiro@domain.com
contextFactory.systemPassword = password
contextFactory.environment[java.naming.security.protocol] = ssl
realm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = "CN=Users,DC=DOMAIN,DC=com"
realm.groupRolesMap = "CN=ShiroUsers,CN=Users,DC=DOMAIN,DC=com":"ShiroUsersRole"
It doesn't work. The reason is that searchBase is not exposed in the JndiLdapContextFactory, but it still overrides searchBase. Thus when injecting a JndiLdapContextFactory into an ActiveDirectoryRealm, it is not possible to set a searchBase without overriding JndiLdapContextFactory.
And the worst thing is, this isn't even needed. If you set the url in the AD realm to ldaps://blah:636, it automatically uses SSL and a context factory isn't even needed.
Suggest updating the docs where appropriate, and suggest fixing JndiLdapContextFactory so that it can handle SearchBase.
Thanks.