Posted to user@shiro.apache.org by braus <s....@gaston-schul.com> on 2020/06/09 09:05:59 UTC

UnknownAccountException with LDAPRealm

Hi everyone,

I've noticed that there is a specific exception for unknown accounts. This
seems useful to me in a specific login flow that I've been working on.
Unfortunately I haven't been able to trigger said exception with the
DefaultLDAPRealm. 

Does anyone have insight on how to get this exception with the
DefaultLDAPRealm?


On a different note; I can't seem to check if a user exists through the
DefaultLDAPRealm. Is there a way to check this? I could build a separate
LDAP module to check this but I would say that checking if a username exists
would be Realm behaviour. But I could be wrong here.

Kind regards,

Sjoerd Brauer



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: UnknownAccountException with LDAPRealm

Posted by braus <s....@gaston-schul.com>.
Hi Brian,

Thanks for thinking along.
I solved it by using the ldap api as you described.

Kind regards




Re: UnknownAccountException with LDAPRealm

Posted by Brian Demers <br...@gmail.com>.
Okay, I see.

Shiro doesn't provide an API for this.  You would need to handle this
additional query separately.  You shouldn't need additional dependencies
though, you can use javax.naming.ldap API directly.

Does that help?
-Brian


On Wed, Jun 10, 2020 at 8:23 AM braus <s....@gaston-schul.com> wrote:

> Hi Brian,
>
> I just want to check if a username exists or not for registration purposes
> (not login). I only allow accounts registered from the LDAP realm to be used
> in my different realms.
> So my basic problem would be to see if there is a simple method of checking
> if a username exists within an LDAPRealm.
>
> I could query the LDAP with separate frameworks and such, but I prefer to
> have minimal dependencies.
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>

Re: UnknownAccountException with LDAPRealm

Posted by braus <s....@gaston-schul.com>.
Hi Brian,

I just want to check if a username exists or not for registration purposes
(not login). I only allow accounts registered from the LDAP realm to be used
in my different realms. 
So my basic problem would be to see if there is a simple method of checking
if a username exists within an LDAPRealm.

I could query the LDAP with separate frameworks and such, but I prefer to
have minimal dependencies.




Re: UnknownAccountException with LDAPRealm

Posted by Brian Demers <br...@gmail.com>.
Not all realm implementations are able to determine if an account exists or
not.  For example, most remote user stores would return the same result if
a user does not exist or the password was incorrect.
And you may not want to propagate that type of exception to your end-users
(to avoid leaking usernames). This is up to you; some folks make the
argument that increased usability is worth it.

LDAP is a bit complicated as well, depending on how your server is
configured.  Setups that query for a user before authenticating require a
"system" user to make the initial connection. Otherwise, you use the
username/password of the user login to make the connection.

Is there something specific you are trying to do?

On Tue, Jun 9, 2020 at 5:06 AM braus <s....@gaston-schul.com> wrote:

> Hi everyone,
>
> I've noticed that there is a specific exception for unknown accounts. This
> seems useful to me in a specific login flow that I've been working on.
> Unfortunately I haven't been able to trigger said exception with the
> DefaultLDAPRealm.
>
> Does anyone have insight on how to get this exception with the
> DefaultLDAPRealm?
>
>
> On a different note; I can't seem to check if a user exists through the
> DefaultLDAPRealm. Is there a way to check this? I could build a separate
> LDAP module to check this but I would say that checking if a username exists
> would be Realm behaviour. But I could be wrong here.
>
> Kind regards,
>
> Sjoerd Brauer
>
>
>
> --
> Sent from: http://shiro-user.582556.n2.nabble.com/
>
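
Added example (not code from the thread or from Shiro): one way to do the separate existence query suggested in the replies above, using only the JDK's javax.naming classes and binding as the "system" user that the last reply describes. The host, DNs, the `uid` attribute and the class name are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Hypothetical helper: checks whether a username exists in the directory. */
public class LdapUserLookup {
    // Assumed deployment values; replace with your own.
    private static final String URL = "ldaps://ldap.example.org:636";
    private static final String SYSTEM_DN = "cn=svc-lookup,ou=services,dc=example,dc=org";
    private static final String USER_BASE = "ou=people,dc=example,dc=org";

    public static boolean userExists(String username, char[] systemPassword)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);               // LDAPS keeps the bind off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, SYSTEM_DN);   // read-only "system" account
        env.put(Context.SECURITY_CREDENTIALS, systemPassword);

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]);   // existence only, fetch no attributes
        controls.setTimeLimit(5000);                      // milliseconds

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // The {0} form lets JNDI escape filter metacharacters such as '*' and ')'
            // in the username, instead of concatenating it into the filter string.
            NamingEnumeration<SearchResult> results =
                ctx.search(USER_BASE, "(uid={0})", new Object[] {username}, controls);
            try {
                return results.hasMore();
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }
}
```

Because the returned boolean reveals whether an account exists, the point made above about leaking usernames applies to whatever registration endpoint exposes it.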