Posted to user@shiro.apache.org by John Vines <vi...@apache.org> on 2012/12/21 01:57:55 UTC

ActiveDirectoryRealm hasRole?

I will preface this with I am fairly green when it comes to LDAP and AD.
The ActiveDirectoryRealm.hasRole() call, does that work against a Role or a
Group? If the former, is there a way to do checks against Group membership
from SecurityManager? I'm having issues having hasRole work against an AD
instance and I find myself to be a bit stuck due to lack of knowledge of
both AD/LDAP and Shiro's role/permission support.

Thanks
John

Re: ActiveDirectoryRealm hasRole?

Posted by Les Hazlewood <lh...@apache.org>.
Please create a ticket - that'd be quite helpful, thanks!

On Tue, Jan 8, 2013 at 12:23 PM, John Vines <vi...@apache.org> wrote:

> PEBCAK, missed the groupRolesMap. Set that and got it working. On a side
> note, adding
>     searchCtls.setReturningAttributes(new String[] {"memberOf"});
> to getRoleNamesForUser in ActiveDirectoryRealm (line 164 specifically)
> would be a bit more efficient, as it does the filtering remotely so not
> bringing back excess information and no self filtering necessary (though
> it's a nice sanity check) on the client side. Do you want me to create a
> ticket for this, or do you have it?
>
>
> On Tue, Jan 8, 2013 at 12:57 PM, Les Hazlewood <lh...@apache.org> wrote:

Re: ActiveDirectoryRealm hasRole?

Posted by John Vines <vi...@apache.org>.
PEBCAK, missed the groupRolesMap. Set that and got it working. On a side
note, adding
    searchCtls.setReturningAttributes(new String[] {"memberOf"});
to getRoleNamesForUser in ActiveDirectoryRealm (line 164 specifically) would
be a bit more efficient, as it does the filtering remotely so not bringing
back excess information and no self filtering necessary (though it's a nice
sanity check) on the client side. Do you want me to create a ticket for
this, or do you have it?


On Tue, Jan 8, 2013 at 12:57 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi John,
>
> I'm surprised to hear of this since I'm unaware of it failing for others
> (but maybe others subclass it often and this isn't a problem - who knows).
> Can you please provide a patch to fix it? We can incorporate a patch asap.
>
> Best,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>
>
> On Mon, Jan 7, 2013 at 9:33 PM, John Vines <vi...@apache.org> wrote:

Re: ActiveDirectoryRealm hasRole?

Posted by Les Hazlewood <lh...@apache.org>.
Hi John,

I'm surprised to hear of this since I'm unaware of it failing for others
(but maybe others subclass it often and this isn't a problem - who knows).
Can you please provide a patch to fix it? We can incorporate a patch asap.

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Mon, Jan 7, 2013 at 9:33 PM, John Vines <vi...@apache.org> wrote:

> Anyone have any idea on this one? This not working sorta defeats the
> purpose of using LDAP as an authorization realm.
>
>
> On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vi...@apache.org> wrote:

Re: ActiveDirectoryRealm hasRole?

Posted by John Vines <vi...@apache.org>.
Anyone have any idea on this one? This not working sorta defeats the
purpose of using LDAP as an authorization realm.


On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vi...@apache.org> wrote:

> So I was able to determine that subjectPrincipalName was not being set, so
> adding that actually got the ldap query on line 174 to return something.
> However, memberOf is not part of the result set. So it returns nothing.
> However, I was able to query it successfully using ldp and see the memberOf
> attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?
>
>
> On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lh...@apache.org> wrote:

Re: ActiveDirectoryRealm hasRole?

Posted by John Vines <vi...@apache.org>.
So I was able to determine that subjectPrincipalName was not being set, so
adding that actually got the ldap query on line 174 to return something.
However, memberOf is not part of the result set. So it returns nothing.
However, I was able to query it successfully using ldp and see the memberOf
attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?

On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi John,
>
> Here's the part of code that does the ActiveDirectory role lookup:
>
>
> http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136
>
> It uses the 'memberOf' attribute to determine Roles.
>
> HTH!
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>
> On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vi...@apache.org> wrote:

Re: ActiveDirectoryRealm hasRole?

Posted by Les Hazlewood <lh...@apache.org>.
Hi John,

Here's the part of code that does the ActiveDirectory role lookup:

http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136

It uses the 'memberOf' attribute to determine Roles.

HTH!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vi...@apache.org> wrote:
> I will preface this with I am fairly green when it comes to LDAP and AD. The
> ActiveDirectoryRealm.hasRole() call, does that work against a Role or a
> Group? If the former, is there a way to do checks against Group membership
> from SecurityManager? I'm having issues having hasRole work against an AD
> instance and I find myself to be a bit stuck due to lack of knowledge of
> both AD/LDAP and Shiro's role/permission support.
>
> Thanks
> John
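
The role lookup discussed in this thread, worked through as an added example: the realm searches by userPrincipalName (username plus principalSuffix), reads the user's memberOf values, and turns each group DN into role names through the groupRolesMap that John's "PEBCAK" reply turned out to be missing. This is not Shiro's own code; the class and method names, the group DNs, the suffix and the role names are constructed for illustration, and the mapping logic mirrors the behaviour described in the thread rather than being copied from ActiveDirectoryRealm.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchControls;

/** Added example, not Shiro's code. All DNs, names and the suffix are constructed. */
public class AdRoleMappingExample {

    /** groupRolesMap convention: AD group DN -> comma-separated Shiro role names. */
    static final Map<String, String> GROUP_ROLES_MAP = new LinkedHashMap<>();
    static {
        GROUP_ROLES_MAP.put("CN=App Admins,OU=Groups,DC=corp,DC=example", "admin");
        GROUP_ROLES_MAP.put("CN=App Users,OU=Groups,DC=corp,DC=example", "user,reader");
    }

    /** Value matched against userPrincipalName in the search filter: username + principalSuffix. */
    static String userPrincipalName(String username, String principalSuffix) {
        return principalSuffix == null ? username : username + principalSuffix;
    }

    /** Subtree search that asks the domain controller for only 'memberOf', not every attribute. */
    static SearchControls memberOfSearchControls() {
        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchCtls.setReturningAttributes(new String[] {"memberOf"});
        return searchCtls;
    }

    /**
     * Maps the 'memberOf' values of one search result to role names.
     * The lookup is an exact string match on the group DN, and a missing
     * attribute or a null/empty map resolves to no roles at all, which is
     * the "hasRole() is always false" symptom from the thread.
     */
    static Set<String> roleNamesFor(Attributes attrs, Map<String, String> groupRolesMap)
            throws NamingException {
        Set<String> roleNames = new LinkedHashSet<>();
        Attribute memberOf = attrs == null ? null : attrs.get("memberOf");
        if (memberOf == null || groupRolesMap == null) {
            return roleNames; // fail closed: no groups or no map means no roles
        }
        NamingEnumeration<?> values = memberOf.getAll();
        while (values.hasMore()) {
            String groupDn = String.valueOf(values.next());
            String roles = groupRolesMap.get(groupDn);
            if (roles != null) {
                for (String role : roles.split(",")) {
                    roleNames.add(role.trim());
                }
            }
        }
        return roleNames;
    }

    /** Constructed stand-in for the SearchResult attributes AD would return for one user. */
    static Attributes sampleUserAttributes() {
        BasicAttribute memberOf = new BasicAttribute("memberOf");
        memberOf.add("CN=App Admins,OU=Groups,DC=corp,DC=example");
        memberOf.add("CN=App Users,OU=Groups,DC=corp,DC=example");
        memberOf.add("CN=Coffee Club,OU=Groups,DC=corp,DC=example"); // unmapped group: ignored
        BasicAttributes attrs = new BasicAttributes(true);            // ignoreCase for attribute IDs
        attrs.put(memberOf);
        return attrs;
    }

    public static void main(String[] args) throws NamingException {
        System.out.println("filter value: " + userPrincipalName("jdoe", "@corp.example"));
        System.out.println("returning attributes: "
                + Arrays.toString(memberOfSearchControls().getReturningAttributes()));

        Attributes attrs = sampleUserAttributes();
        Set<String> mapped = roleNamesFor(attrs, GROUP_ROLES_MAP);
        System.out.println("with groupRolesMap:    " + mapped
                + " -> hasRole(\"admin\") = " + mapped.contains("admin"));

        Set<String> unmapped = roleNamesFor(attrs, Collections.<String, String>emptyMap());
        System.out.println("without groupRolesMap: " + unmapped
                + " -> hasRole(\"admin\") = " + unmapped.contains("admin"));
    }
}
```

Compile and run with `javac AdRoleMappingExample.java && java AdRoleMappingExample`; it needs no directory server because the attributes are built locally. Two points worth keeping in mind when wiring a real realm this way: the DN strings in the map must match what the directory returns character for character, and memberOf only lists a user's direct group memberships, so roles that should follow from nested groups (or from the primary group) will not be resolved by this lookup.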