The number of different LDAP user schemas (and variations on implementations) is just about unlimited: https://xkcd.com/927/

Your proposal is just related to the group/role lookup search?
Can you put together a PR with this?

On Fri, Oct 19, 2018 at 12:47 AM glen.chick <[email protected]> wrote:

> Hi,
>
> I am new to using Shiro - so, I may be wrong in the analysis below.
> If so, any feedback to sort errors in the assessment below would be MUCH
> appreciated.
> Alternatively - if the analysis below is roughly correct, then I am
> proposing the changes specified in the "Proposal" section below be
> considered.
>
> *Background*
> Currently, we are using Apache Shiro to Authenticate and Authorize users
> for a Zeppelin installation.
> Apache Shiro is configured to talk to Windows Active Directory (i.e. LDAP)
> using the
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class to
> configure an Active Directory Realm in the shiro.realms file.
>
> For a User called "John.Smith" we can delete a notebook in Zeppelin.
>
> However, if we try to delete the SAME notebook for a user called
> "john.smith" we receive the following alert/message:
>
> "Insifficient priviledges to rename note. But the user john.smith belongs
> to: [john.smith]".
>
> It **appears** that the shiro (i.e. Shiro is used by Zeppelin for
> authentication and authorization) handling of usernames is case-sensitive.
>
> This is an issue for our user base.
>
> When I looked at the username case-sensitivity handling in the LdapRealm
> file, org.apache.zeppelin.realm.LdapRealm,
> there is a boolean field userLowerCase which is used by the rolesFor method
> to set the username to lower case if the userLowerCase flag is true. i.e.
>
>     protected Set<String> rolesFor(PrincipalCollection principals, String userNameIn,
>         final LdapContext ldapCtx, final LdapContextFactory ldapContextFactory, Session session)
>         throws NamingException {
>       final Set<String> roleNames = new HashSet<>();
>       final Set<String> groupNames = new HashSet<>();
>       final String userName;
>       if (getUserLowerCase()) {
>         log.debug("userLowerCase true");
>         userName = userNameIn.toLowerCase();
>       } else {
>         userName = userNameIn;
>       }
>
> i.e. Username case sensitivity handling IS facilitated in the
> org.apache.zeppelin.realm.LdapRealm class,
> BUT doesn't seem to be facilitated in the
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class.
>
> This **appears** to be inconsistent, and BOTH
> org.apache.zeppelin.realm.LdapRealm and
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm are, in the end
> - dealing with LDAP installations.
>
> *Proposal:*
> Add a field userCase to the
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm class.
> The "userCase" field could support the following values:
> - default. (i.e. No case changes will be made to the username)
> - lowerCase (i.e. The username will be converted to lower case.)
> - upperCase (i.e. The username will be converted to upper case.)
> - properCase (i.e. The username will be converted to proper case.)
>
> Suggestions on alternate ways to handle this issue would also be much
> appreciated!
>
> Thanks
>
> CHEERS - Glen Chick
>
> --
> Sent from: http://shiro-developer.582600.n2.nabble.com/
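
The proposed "userCase" policy applied to an ownership check, as an added example that is not part of the original thread and is not Shiro or Zeppelin code. The `UserCase` enum, `NOTE_OWNERS` and `isOwner` are hypothetical names, and reading "properCase" as capitalising each dot-separated part is an assumption.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

public class UserCaseDemo {

    // Hypothetical policy mirroring the proposed "userCase" values; not a Shiro type.
    enum UserCase {
        DEFAULT, LOWER_CASE, UPPER_CASE, PROPER_CASE;

        String apply(String userName) {
            switch (this) {
                // Locale.ROOT keeps the mapping stable whatever the JVM default
                // locale is (a Turkish locale lower-cases "I" to dotless "ı").
                case LOWER_CASE: return userName.toLowerCase(Locale.ROOT);
                case UPPER_CASE: return userName.toUpperCase(Locale.ROOT);
                case PROPER_CASE:
                    // Assumption: "proper case" capitalises each '.'-separated part.
                    return Arrays.stream(userName.toLowerCase(Locale.ROOT).split("\\.", -1))
                            .map(p -> p.isEmpty() ? p
                                    : p.substring(0, 1).toUpperCase(Locale.ROOT) + p.substring(1))
                            .collect(Collectors.joining("."));
                default: return userName;
            }
        }
    }

    // Constructed stand-in for a note's owner list as stored by the application.
    static final Set<String> NOTE_OWNERS = Set.of("John.Smith");

    // Both the stored owners and the login name go through the same policy
    // before comparison; normalising only one side would still mismatch.
    static boolean isOwner(String loginName, UserCase policy) {
        String principal = policy.apply(loginName);
        return NOTE_OWNERS.stream().map(policy::apply).anyMatch(principal::equals);
    }

    public static void main(String[] args) {
        for (UserCase policy : UserCase.values()) {
            for (String login : new String[] {"John.Smith", "john.smith", "JOHN.SMITH"}) {
                System.out.printf("%-11s %-10s owner=%b%n", policy, login, isOwner(login, policy));
            }
        }
    }
}
```

With `DEFAULT`, only the exact spelling "John.Smith" matches the stored owner, which is the behaviour reported above; with any of the other three policies all three spellings resolve to the same principal.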
