Posted to dev@shiro.apache.org by "Jeff Muller (Commented) (JIRA)" <ji...@apache.org> on 2011/12/06 09:37:40 UTC
[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163440#comment-13163440 ]
Jeff Muller commented on SHIRO-305:
-----------------------------------
I'm new to shiro so I might have missed something, but it looks like the problem is larger than just the key/value tokenization.
My use case is Vaadin + Shiro + LDAP + SSL.
The following configuration will work:
-----------------------------------------------------
#Config A
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = <user-dn-string>
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"
ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
ldapRealm.contextFactory.authenticationMechanism = none
The following will not work:
---------------------------------------
#Config B
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = <user-dn-string>
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl"
ldapRealm.contextFactory.environment = "java.naming.referral":"follow"
ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
ldapRealm.contextFactory.authenticationMechanism = none
Neither will this:
-----------------------
#Config C
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = <user-dn-string>
ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
ldapRealm.contextFactory.authenticationMechanism = none
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"
There are two problems:
1. The string tokenizer for maps doesn't deal with the documented beanProperty[key]=value syntax properly. It does work properly with the beanProperty = key:value I use above.
2. ldapRealm.contextFactory.environment calls JndiLdapContextFactory.setEnvironment(...), which wipes out any environment variables stored there currently. This is why Config A and Config C don't.
Issue 1 seems best fixed with a change in the documentation.
Issue 2 should either be much better documented (removing erroneous documentation) or there should be a mergeEnvironment that gets used in place of setEnvironment.
I'd be happy to provide a documentation patch for both. I don't have time to do the mergeEnvironment patch of sufficient quality.
Cheers,
Jeff
> Connect to a SSL secured LDAP
> -----------------------------
>
> Key: SHIRO-305
> URL: https://issues.apache.org/jira/browse/SHIRO-305
> Project: Shiro
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0
> Environment: Windows 7, Tomcat 6.x
> Reporter: Peter Diefenthäler
> Fix For: 1.1.1
>
>
> Configuration for connecting the Shiro framework with a SSL secured LDAP (LDAPv2 & LDAPv3 on SSLv3 port) fails.
> Parameters for LDAP in the shiro.ini file:
> [main]
> ...
> ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl
> ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool.protocol] = plain ssl
> ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool] = true
> These entries lead to following error message:
> org.apache.shiro.config.ConfigurationException: Map property value [ssl] contained key-value pair token [ssl] that does not properly split to a single key and pair. This must be the case for all map entries.
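The replace-versus-merge behaviour behind point 2 of the comment above, as an added illustration that is not Shiro's code: a hypothetical ContextFactoryModel class stands in for JndiLdapContextFactory, assuming (as the failing Config C implies) that url and authenticationMechanism are written into the same map that setEnvironment() replaces, and adds the mergeEnvironment() the comment proposes. The parseMap helper and the ldap.example.test host are also assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-in for JndiLdapContextFactory, NOT Shiro's class. It models the
// behaviour described in the comment: url/authenticationMechanism land in the same map
// that setEnvironment() replaces wholesale, so assignment order in shiro.ini decides
// which settings survive. mergeEnvironment() is the proposed order-independent variant.
final class ContextFactoryModel {
    private Map<String, String> environment = new LinkedHashMap<>();

    // Mirrors "ldapRealm.contextFactory.environment = ..." in shiro.ini (replaces everything)
    void setEnvironment(Map<String, String> env) { environment = env; }
    // Proposed alternative: keep what is already there and add/overwrite only the given keys
    void mergeEnvironment(Map<String, String> env) { environment.putAll(env); }
    void setUrl(String url) { environment.put("java.naming.provider.url", url); }
    void setAuthenticationMechanism(String m) { environment.put("java.naming.security.authentication", m); }
    Map<String, String> getEnvironment() { return environment; }

    // Parses the map syntax that works on the page: "k1":"v1","k2":"v2"
    static Map<String, String> parseMap(String s) {
        Map<String, String> m = new LinkedHashMap<>();
        for (String pair : s.split(",")) {
            String[] kv = pair.split(":", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad map entry: " + pair);
            m.put(kv[0].trim().replace("\"", ""), kv[1].trim().replace("\"", ""));
        }
        return m;
    }

    public static void main(String[] args) {
        String host = "ldaps://ldap.example.test:636"; // placeholder, not a real host
        String ssl = "\"java.naming.security.protocol\":\"ssl\"";
        String referral = "\"java.naming.referral\":\"follow\"";

        // Config B: two environment assignments, the second one throws away "ssl"
        ContextFactoryModel b = new ContextFactoryModel();
        b.setEnvironment(parseMap(ssl));
        b.setEnvironment(parseMap(referral));
        b.setUrl(host);
        System.out.println("Config B: " + b.getEnvironment()); // security.protocol is gone

        // Config C: environment assigned after url, so the url is wiped
        ContextFactoryModel c = new ContextFactoryModel();
        c.setUrl(host);
        c.setEnvironment(parseMap(ssl + "," + referral));
        System.out.println("Config C: " + c.getEnvironment()); // provider.url is gone

        // Same order as Config C, but merging: url, ssl and referral all survive
        ContextFactoryModel merged = new ContextFactoryModel();
        merged.setUrl(host);
        merged.mergeEnvironment(parseMap(ssl + "," + referral));
        System.out.println("merged:   " + merged.getEnvironment());
    }
}
```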