All,
On Tue, 2019-07-30 at 22:49 +0700, Andreas Reichel wrote:
> In my limited understanding, would it not be possible/sufficient to
> modify that SEARCHFILTER and use one of the many like
> "(&(objectClass=*)(email -eq [email protected]))" or
> "(&(objectClass=*)(email -like [email protected]))"?
> Can we set SEARCHFILTER in shiro.ini?
I actually believe that could work. I defined it in the shiro.ini:
realm1 = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
realm1.ldapContextFactory = $contextFactory
realm1.searchBase = ...
realm1.groupRolesMap = ...
realm1.searchFilter = (&(objectClass=*)(userPrincipalName={0}))
And I was able to authenticate and to authorize same as before.
Although I got an InvalidSearchFilterException when I changed it to
realm1.searchFilter = (&(objectClass=*)(userPrincipalName -eq {0}))
Oracle states[1]:
"RFC 2254 defines certain operators for the filter, including substring
matches, equality, approximate match, greater than, less than. These
operators are mapped to operators with corresponding semantics in the
underlying directory. For example, for the equals operator, suppose the
directory has a matching rule defining "equality" of the attributes in
the filter. This rule would be used for checking equality of the
attributes specified in the filter with the attributes of objects in
the directory. Similarly, if the directory has a matching rule for
ordering, this rule would be used for making "greater than" and "less
than" comparisons.
Not all of the operators defined in RFC 2254 are applicable to all
attributes. When an operator is not applicable, the exception
InvalidSearchFilterException is thrown."
Does anyone have an idea WHICH operators are supported? My search-filter
above was given as an example for PowerShell and should work?
Cheers,
Andreas
[1] https://docs.oracle.com/javase/7/docs/api/javax/naming/directory/InitialDirContext.html
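
Added example, not part of the original message and not Shiro or JNDI code: a small Python checker for the RFC 2254 (now RFC 4515) string filter grammar, whose item operators are `=`, `~=`, `>=` and `<=`. It accepts the `=` form from the shiro.ini above and rejects the `-eq` form. Function names are hypothetical, `{0}` is treated as an opaque value, and extensible match (`:=`) is left out.

```python
import re

# Attribute description per RFC 4512: short name or dotted OID, optional ;options.
ATTR = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*"
# Item operators: approximate (~=), ordering (>=, <=), equality (=).
# Presence (attr=*) and substring (attr=a*b) reuse "=" with "*" in the value.
ITEM = re.compile(rf"({ATTR})(~=|>=|<=|=)(.*)", re.S)
# Assertion value: no raw parentheses or NUL; a backslash must start a \XX escape.
VALUE = re.compile(r"(?:[^\\()\x00]|\\[0-9A-Fa-f]{2})*")


def _parse(s, i, items):
    """Parse one parenthesised filter at s[i]; return the index just past it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, operands = s[i], i + 1, 0
        while s[i:i + 1] == "(":
            i, operands = _parse(s, i, items), operands + 1
        if operands == 0 or (op == "!" and operands != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
    else:
        end = s.find(")", i)
        m = ITEM.fullmatch(s[i:end]) if end != -1 else None
        if not m or not VALUE.fullmatch(m.group(3)):
            raise ValueError(f"invalid filter item at offset {i}: {s[i:end]!r}")
        items.append((m.group(1), m.group(2), m.group(3)))
        i = end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def filter_items(s):
    """Return [(attribute, operator, value), ...] or raise ValueError."""
    items = []
    if _parse(s, 0, items) != len(s):
        raise ValueError("trailing characters after filter")
    return items


def is_valid(s):
    """True if s is a well-formed filter under the subset handled here."""
    try:
        filter_items(s)
        return True
    except ValueError:
        return False
```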