See here for a working example of changing where the searching for roles is done:
https://github.com/opticyclic/shiro-spring-examples/tree/master/ms-active-directory-custom

Specifically:

During login we bind using the user credentials and get the roles (we have to copy the code from the parent class until this pull request is accepted: https://github.com/apache/shiro/pull/38):
https://github.com/opticyclic/shiro-spring-examples/blob/master/ms-active-directory-custom/src/main/java/com/github/opticyclic/shiro/realm/CustomActiveDirectoryRealm.java#L37-L45

Here we save the roles on a custom principal:
https://github.com/opticyclic/shiro-spring-examples/blob/master/ms-active-directory-custom/src/main/java/com/github/opticyclic/shiro/realm/CustomActiveDirectoryRealm.java#L47-L55

Then when we check for a role we just get it off the custom principal:
https://github.com/opticyclic/shiro-spring-examples/blob/master/ms-active-directory-custom/src/main/java/com/github/opticyclic/shiro/realm/CustomActiveDirectoryRealm.java#L68-L78

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Anonymous-binding-issue-while-searching-LDAP-roles-tp7581241p7581292.html
Sent from the Shiro User mailing list archive at Nabble.com.
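The three steps described in the message above, as an added example that is not code from the post or from the linked repository. It is written against the Shiro 1.x `ActiveDirectoryRealm` API; the class name, the `RolePrincipal` type and the `lookupRoles` helper are hypothetical, and it assumes the `memberOf` group DNs are used directly as role names.

```java
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.*;
import org.apache.shiro.subject.PrincipalCollection;
// Added example: RolesOnPrincipalRealm, RolePrincipal and lookupRoles are hypothetical names.
public class RolesOnPrincipalRealm extends ActiveDirectoryRealm {
    public static final class RolePrincipal implements java.io.Serializable {
        final String username;
        final Set<String> roles;
        RolePrincipal(String u, Set<String> r) { username = u; roles = Collections.unmodifiableSet(r); }
    }
    @Override // Login: bind as the user, read the roles on that same bind, keep them on the principal.
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory factory)
            throws NamingException {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        LdapContext ctx = null;
        try { // a rejected bind throws here, before any search is attempted
            ctx = factory.getLdapContext((Object) up.getUsername(), String.valueOf(up.getPassword()));
            RolePrincipal p = new RolePrincipal(up.getUsername(), lookupRoles(up.getUsername(), ctx));
            return new SimpleAuthenticationInfo(p, up.getPassword(), getName());
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }

    @Override // Role check: answer from the principal saved at login, with no further LDAP query.
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection pc, LdapContextFactory factory) {
        RolePrincipal p = pc.oneByType(RolePrincipal.class);
        return new SimpleAuthorizationInfo(p == null ? new HashSet<String>() : new HashSet<String>(p.roles));
    }

    // Assumption: memberOf group DNs are returned as role names as-is (no groupRolesMap translation).
    private Set<String> lookupRoles(String user, LdapContext ctx) throws NamingException {
        SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, new String[] {"memberOf"}, false, false);
        String upn = principalSuffix == null ? user : user + principalSuffix;
        Set<String> roles = new LinkedHashSet<String>();
        NamingEnumeration<SearchResult> hits = ctx.search(searchBase, "(userPrincipalName={0})", new Object[] {upn}, sc);
        while (hits.hasMore()) {
            Attribute memberOf = hits.next().getAttributes().get("memberOf");
            if (memberOf != null) roles.addAll(LdapUtils.getAllAttributeValues(memberOf));
        }
        return roles;
    }
}
```

Because the roles are captured once at login, a group change in the directory only takes effect for a user after their next authentication.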