I think there are basically two camps when it comes to LDAP connector
configuration.
1.) The user configures a query (&(objectClass=posixAccount) (uid=jcoder))
2.) The user configures the fields, which are then use to generate the
query, UserObjectClass = posixAccount UserIdAttribute = uid
With the first you have the ability to tune a query, the second gets
you closer to user management (if your looking to add users, you need
a little more then a query )
I'm in camp 2, but i'll admit the first option might fit better for a
stock ldap realm that just needs authc and authz.
Either of which could be mostly templated to common schemas
(posixAccount/Group, AD, etc)
Passwords are fun too, some servers, only allow you to authenticate
via a bind (logging in the server) (e.g. Active directory) other do
not support this. In order to do a bind, you need to look up the
user's DN in one query, then _login_.
Then there are passwords stored as an attribute, usually prefixed with
the type of hash "{SHA}HA5EDP455W0RD" (and a dozen variations on that)
Then lastly there are groups, which may be considered dynamic or
static. Static groups are where the user mapping is stored as
attributes in a group object. Dynamic groups are stored by as
attributes in the user object.
So some authc/authz logins may take 3 different queries, 1.) find
user's DN 2.) authenticate 3.) look up the roles. And on the flip
side, a single query 1.) query for user object. [read password
attribute, read memeberOf attributes)
And almost everybody does something different, some variations on the
above, with nested organizations [subtree], locked down permissions,
etc
Sorry for the delay,
-Brian
On Fri, Apr 1, 2011 at 2:37 AM, remast <[email protected]> wrote:
> Hi All,
>
> I would be very interested in the extension of LDAP support! If that would
> be supported out of the box I could use shiro in some of our products! So
> let me know when that's implemented!
>
> Thanks,
> remast
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Call-for-suggestions-how-can-Shiro-s-LDAP-support-be-improved-tp6228100p6229849.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
