To see the result of the AD query, activate the DEBUG logging level for the org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm logger. This will output the result of the 'memberOf' query.

Once you've confirmed that the realm is successfully fetching groups, you need to make sure your group-to-role map is set up correctly. The AD Realm uses a Map<String, String> from group name to role name. If this map is empty or does not contain the correct keys, then the set of roles will be empty.

I recently submitted an improvement for LDAP support (SHIRO-127) where this kind of mapping does not occur. The roles returned *are* the groups the user belongs to. Probably the AD Realm should do something similar?

Hope it helps,
Philippe

rchristy wrote:
>
> I have a question about the implementation of this method in this realm.
> It seems to be searching ActiveDirectory for groups that a user
> belongs to and map that to roles. I seem to be authenticating to active
> directory ok, but each time this method gets called the LdapSearch returns
> nothing even though I know the user is in many groups (or at least
> memberOf attributes which I assume the query is looking for, or maybe that
> is my problem). Anyway I was hoping someone could explain what in
> ActiveDirectory this search is looking for so I can understand why nothing
> ever comes back.
>
> Thanks
>
> Rich
>

--
View this message in context: http://n2.nabble.com/ActiveDirectoryRealm-getRoleNamesForUser-tp4402069p4415135.html
Sent from the Shiro User mailing list archive at Nabble.com.
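As an added illustration of the group-to-role map Philippe describes (this is example configuration, not code from the thread or from Shiro itself), a shiro.ini wiring an ActiveDirectoryRealm with a populated groupRolesMap. The host, search base, credentials and group DNs are constructed placeholders; the map keys are assumed to be the group values exactly as the DEBUG output of the 'memberOf' query prints them, so that a key which does not match leaves the role set empty.

```ini
[main]
# Added example, not from the mailing-list thread. All values are placeholders.
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://ad.example.com:389
adRealm.systemUsername = svc-shiro@example.com
adRealm.systemPassword = CHANGE-ME
adRealm.searchBase = DC=example,DC=com
adRealm.principalSuffix = @example.com

# Map<String, String> from group name to role name.
# Keys must match the group values seen in the DEBUG 'memberOf' output
# (assumed here to be full group DNs); a bare "Developers" would not match and
# the user would end up with no roles. DNs contain commas and colons are the
# key/value separator, so every key and value is double-quoted.
adRealm.groupRolesMap = "CN=Admins,OU=Groups,DC=example,DC=com":"admin", "CN=Developers,OU=Groups,DC=example,DC=com":"developer"

securityManager.realms = $adRealm

[urls]
# Role names used here are the map values above, not the AD group names.
/admin/** = authc, roles[admin]
/** = authc
```

With log4j 1.x the matching DEBUG switch is `log4j.logger.org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm=DEBUG` in log4j.properties; compare the logged group values against the map keys character for character before looking elsewhere.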
