OK, I did some digging and this is what I found. First of all, the current query for AuthenticationInfo looks at the attribute distinguishedName. The problem I had with this is that this gets created from First Name/Last Name when creating a user in Active Directory. So if I have a user John Smith, we would put First Name John, Last Name Smith. This will create an entry CN=John Smith, OU=Users, dc=<domain name>, dc=com for this attribute in Active Directory. But the account name the user would really have is something like jsmith (i.e. what Active Directory calls the sAMAccountName). Now when it goes and reads the "memberOf", the query is actually looking for userPrincipalName, which follows an email format (e.g. jsmith@<domain name>). So for this to work, I would have had to enter "First Name" as jsmith, leave Last Name empty, and add the principalSuffix property of <domain name>.
So for now, in order to make progress, I have just copied the implementation and changed the query to look for distinguishedName (since the username is passed in), and now it is retrieving the memberOf attributes correctly. Now I see groupRolesMap is null, but I am not sure how/why to set this up. How does this map normally get set?

Thanks,
Rich

-- 
View this message in context: http://n2.nabble.com/ActiveDirectoryRealm-getRoleNamesForUser-tp4402069p4422623.html
Sent from the Shiro User mailing list archive at Nabble.com.
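The approach Rich describes (looking the user up by the login name rather than by userPrincipalName, then mapping memberOf group DNs to roles) can be done without copying the whole realm. The following is an added example, not code from the original post or from the Shiro project: a subclass of ActiveDirectoryRealm that searches on sAMAccountName and then hands the memberOf values to the inherited groupRolesMap lookup. It assumes the Shiro 1.x API as I know it (protected searchBase field, getAvailablePrincipal, buildAuthorizationInfo, getRoleNamesForGroups, LdapUtils); the package name, the class name SamAccountNameRealm and the SAM_FILTER constant are my own.

```java
package example; // hypothetical package, not part of Shiro

import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Realm that finds the user by sAMAccountName (the "jsmith" login name)
 * instead of userPrincipalName, then maps the memberOf group DNs to Shiro
 * roles through the inherited groupRolesMap.
 */
public class SamAccountNameRealm extends ActiveDirectoryRealm {

    // {0} is bound by JNDI as a filter argument, so the username is escaped
    // rather than concatenated into the filter string (no LDAP filter injection).
    private static final String SAM_FILTER = "(&(objectClass=user)(sAMAccountName={0}))";

    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
                                                          LdapContextFactory ldapContextFactory)
            throws NamingException {
        String username = (String) getAvailablePrincipal(principals);
        LdapContext ctx = ldapContextFactory.getSystemLdapContext();
        Set<String> roleNames;
        try {
            roleNames = roleNamesForSamAccount(username, ctx);
        } finally {
            LdapUtils.closeContext(ctx); // always release the system context
        }
        return buildAuthorizationInfo(roleNames);
    }

    private Set<String> roleNamesForSamAccount(String username, LdapContext ctx)
            throws NamingException {
        Set<String> roleNames = new LinkedHashSet<String>();
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Only ask for the attribute we need; keeps the result small and avoids
        // pulling unrelated user attributes through the system account.
        controls.setReturningAttributes(new String[]{"memberOf"});

        NamingEnumeration<SearchResult> answer =
                ctx.search(searchBase, SAM_FILTER, new Object[]{username}, controls);
        while (answer.hasMoreElements()) {
            Attributes attrs = answer.next().getAttributes();
            if (attrs == null) {
                continue;
            }
            Attribute memberOf = attrs.get("memberOf");
            if (memberOf == null) {
                continue; // user is in no groups: no roles granted
            }
            Collection<String> groupDns = LdapUtils.getAllAttributeValues(memberOf);
            // getRoleNamesForGroups consults groupRolesMap (group DN -> role names);
            // groups with no mapping simply yield no role.
            roleNames.addAll(getRoleNamesForGroups(groupDns));
        }
        return roleNames;
    }
}
```

groupRolesMap is an ordinary bean property of ActiveDirectoryRealm (setGroupRolesMap), so it is normally populated from shiro.ini rather than in code, for example `adRealm.groupRolesMap = "CN=Admins,OU=Groups,DC=example,DC=com":"admin", "CN=Staff,OU=Groups,DC=example,DC=com":"user"` (the DNs here are placeholders). The keys must match the memberOf values exactly as Active Directory returns them (full DN, same case and spacing), which is why an unmapped group silently grants nothing: a safe default, but worth checking with a test user when roles come back empty.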
