Russell Miller created SHIRO-538:
------------------------------------

             Summary: AD and JndiLdapContextFactory don't work well together
                 Key: SHIRO-538
                 URL: https://issues.apache.org/jira/browse/SHIRO-538
             Project: Shiro
          Issue Type: Bug
          Components: Realms 
    Affects Versions: 1.2.3
            Reporter: Russell Miller
            Priority: Minor


All of the documentation I have read says to do something similar to this when 
setting up AD:

[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldaps://ad.domain.com:636
contextFactory.systemUsername = [email protected]
contextFactory.systemPassword = password
contextFactory.environment[java.naming.security.protocol] = ssl

realm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = "CN=Users,DC=DOMAIN,DC=com"
realm.groupRolesMap = "CN=ShiroUsers,CN=Users,DC=DOMAIN,DC=com":"ShiroUsersRole"

It doesn't work.  The reason is that searchBase is not exposed in the 
JndiLdapContextFactory, but it still overrides searchBase.  Thus when injecting 
a JndiLdapContextFactory into an ActiveDirectoryRealm, it is not possible to 
set a searchBase without overriding JndiLdapContextFactory.

And the worst thing is, this isn't even needed.  If you set the url in the AD 
realm to ldaps://blah:636, it automatically uses SSL and a context factory 
isn't even needed.

Suggest updating the docs where appropriate, and suggest fixing 
JndiLdapContextFactory so that it can handle SearchBase.

Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)