Posted to user@shiro.apache.org by Les Hazlewood <lh...@apache.org> on 2011/03/31 19:53:20 UTC

Call for suggestions: how can Shiro's LDAP support be improved?

Hi folks,

The latest LDAP support currently is in the form of the JndiLdapRealm.

Unfortunately, this name has confused enough people - often they think
they need to be using JNDI in order to use it (this is not the case -
the JNDI API itself is used as an implementation strategy, and it does
not require that anything be actually stored in JNDI, but that's
beside the point).

Because of this, there is a Jira issue to rename it to something else
for the next release (i.e. deprecate JndiLdapRealm and create a
'DefaultJndiRealm' or something like that).  When we do that, we have
the opportunity to make it better and/or add features.

What is missing from Shiro's LDAP support that you would need in order
to use it 'out-of-the-box' with your apps?  Ideally I'd like to get as
much in there such that subclassing is rarely necessary.

All suggestions are welcome!

Thanks,

Les

Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Jared Bunting <ja...@digitalreasoning.com>.
Some authz stuff would be great too, but I'd have to think on how to do that in a generic manner.

Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Les Hazlewood <lh...@apache.org>.
Great feedback - thanks Jared.

Les


Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Jared Bunting <ja...@digitalreasoning.com>.
Basically.

Also a "userLookupQuery" as an alternative to "userDnTemplate".  I'd be happy to write the patch, but unfortunately my current work environment doesn't provide me the opportunity to test LDAP authentication.  So, I'll write it if someone else can test it.

Thanks,
Jared

Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Les Hazlewood <lh...@apache.org>.
So you mean a 'connectionUserDn' and a 'connectionPassword' to connect
to LDAP to perform ad-hoc queries, and not just the DN format that is
used for authenticating end-users via a bind operation. Correct?

Thanks,

Les


Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Jared Bunting <ja...@digitalreasoning.com>.
As was mentioned in the other thread, the ability to do a query (potentially with a configurable username/password) in order to determine the user DN would be enormously useful.  This is a fairly standard way to do LDAP authentication (typically the "username" is an attribute of the DN) and Shiro should probably support it by default.

Thanks,
Jared

Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Brian Demers <br...@gmail.com>.
I think there are basically two camps when it comes to LDAP connector
configuration.
1.) The user configures a query: (&(objectClass=posixAccount)(uid=jcoder))
2.) The user configures the fields, which are then used to generate the
query: UserObjectClass = posixAccount, UserIdAttribute = uid

With the first you have the ability to tune a query; the second gets
you closer to user management (if you're looking to add users, you need
a little more than a query).
I'm in camp 2, but I'll admit the first option might fit better for a
stock LDAP realm that just needs authc and authz.

Either of which could be mostly templated to common schemas
(posixAccount/Group, AD, etc.)

Passwords are fun too.  Some servers only allow you to authenticate
via a bind (logging in to the server) (e.g. Active Directory); others do
not support this.  In order to do a bind, you need to look up the
user's DN in one query, then _login_.
Then there are passwords stored as an attribute, usually prefixed with
the type of hash, "{SHA}HA5EDP455W0RD" (and a dozen variations on that).

Then lastly there are groups, which may be considered dynamic or
static.  Static groups are where the user mapping is stored as
attributes in a group object.  Dynamic groups are stored as
attributes in the user object.

So some authc/authz logins may take 3 different queries: 1.) find the
user's DN, 2.) authenticate, 3.) look up the roles.  And on the flip
side, a single query: 1.) query for the user object (read the password
attribute, read the memberOf attributes).

And almost everybody does something different: some variations on the
above, with nested organizations [subtree], locked down permissions,
etc.

Sorry for the delay,
-Brian



On Fri, Apr 1, 2011 at 2:37 AM, remast <ja...@cellent-fs.de> wrote:
> Hi All,
>
> I would be very interested in the extension of LDAP support! If that would
> be supported out of the box I could use shiro in some of our products! So
> let me know when that's implemented!
>
> Thanks,
> remast
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Call-for-suggestions-how-can-Shiro-s-LDAP-support-be-improved-tp6228100p6229849.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
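Jared's "userLookupQuery" and Brian's three-step flow (look up the user's DN with a templated filter, check the password, read the roles) as an added, runnable example; this is not Shiro code and not part of the thread. The directory, the entry for jcoder, the filter template and the function names are all constructed stand-ins; the password check is the attribute variant Brian mentions ({SHA}/{SSHA} values), not a bind.

```python
import base64
import hashlib
import hmac


def sha_value(password, salt=b""):
    """RFC 2307 style value: {SHA} when unsalted, {SSHA} with the salt appended."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return ("{SSHA}" if salt else "{SHA}") + base64.b64encode(digest + salt).decode()


# Constructed stand-in for a directory (DN -> attributes); not a real LDAP server.
FAKE_DIRECTORY = {
    "uid=jcoder,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],
        "uid": ["jcoder"],
        "userPassword": [sha_value("s3cret")],
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
}
USER_LOOKUP_QUERY = "(&(objectClass=posixAccount)(uid={0}))"  # assumed template


def escape_filter_value(value):
    """RFC 4515 escaping: the username can never change the filter's structure."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and chr(b) not in "*()\\" else "\\%02x" % b
                   for b in value.encode())


def find_user_dn(username):
    """Step 1: build the lookup filter; the stand-in then matches the same
    attributes the filter names and requires exactly one hit."""
    ldap_filter = USER_LOOKUP_QUERY.format(escape_filter_value(username))
    hits = [dn for dn, a in FAKE_DIRECTORY.items()
            if "posixAccount" in a["objectClass"] and username in a["uid"]]
    return ldap_filter, (hits[0] if len(hits) == 1 else None)


def verify_password_attribute(stored, password):
    """Step 2 (attribute variant, no bind): constant-time check of {SHA}/{SSHA}."""
    if stored.startswith("{SHA}"):
        salt, digest = b"", base64.b64decode(stored[5:])
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
    else:
        return False
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def authenticate(username, password):
    """Steps 1-3: find the DN, check the password, return roles from memberOf."""
    _, dn = find_user_dn(username)
    entry = FAKE_DIRECTORY.get(dn)
    if entry is None or not any(verify_password_attribute(p, password)
                                for p in entry["userPassword"]):
        return None
    return {"dn": dn, "roles": sorted(entry.get("memberOf", []))}
```

With a bind-only server such as Active Directory, step 2 would instead bind as the DN returned by step 1 with the supplied password; the lookup query itself is still issued with the configured "connectionUserDn"/"connectionPassword" credentials.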

Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by Grant Genereux <gr...@shaw.ca>.
Hi Les,

Just a few other things on LDAP support.

In the past I've needed to make use of FastBind for authentication on
MS AD.

But, the more important feature I've needed is support for getting a
user's group membership list recursively.

It would be super nice if these could be generic enough to work with MS
AD, as well as other LDAP servers.  Maybe using some form of templated
query strings?

Lastly, I can offer to pitch in and help with this if interested.

Grant
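The recursive group lookup Grant asks for, as an added example that is not part of the thread or of Shiro: static groups are walked breadth-first from the user's direct groups through nested groups, with a visited set so a membership cycle terminates, and the member attribute is templated per schema ("member" holding DNs for AD-style groups, "memberUid" holding uids for posixGroup). The group entries and schema table are constructed for the example.

```python
from collections import deque

# Constructed stand-in for static group entries (DN -> attributes).
FAKE_GROUPS = {
    "cn=devs,ou=groups,dc=example,dc=com": {
        "member": ["uid=jcoder,ou=people,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "member": ["cn=devs,ou=groups,dc=example,dc=com",
                   "cn=all,ou=groups,dc=example,dc=com"]},
    "cn=all,ou=groups,dc=example,dc=com": {
        "member": ["cn=staff,ou=groups,dc=example,dc=com"]},  # cycle: all <-> staff
    "cn=ops,ou=groups,dc=example,dc=com": {
        "member": ["uid=other,ou=people,dc=example,dc=com"]},
    "cn=users,ou=groups,dc=example,dc=com": {"memberUid": ["jcoder"]},
}

# Assumed per-schema template: which attribute lists members and how a user appears in it.
SCHEMAS = {
    "ad": {"member_attr": "member", "member_value": lambda dn, uid: dn},
    "posix": {"member_attr": "memberUid", "member_value": lambda dn, uid: uid},
}


def groups_containing(value, member_attr, directory):
    """One search: every group whose member attribute lists `value`
    (the equivalent filter would be (&(objectClass=group)(<member_attr>=<value>)))."""
    return sorted(dn for dn, attrs in directory.items()
                  if value in attrs.get(member_attr, []))


def resolve_groups_recursively(user_dn, uid, schema, directory, max_depth=10):
    """Breadth-first walk from the user's direct groups through the groups
    that contain them; `seen` stops on cycles, max_depth bounds deep trees."""
    attr = SCHEMAS[schema]["member_attr"]
    start = SCHEMAS[schema]["member_value"](user_dn, uid)
    queue = deque((g, 1) for g in groups_containing(start, attr, directory))
    seen = set()
    while queue:
        group_dn, depth = queue.popleft()
        if group_dn in seen or depth > max_depth:
            continue
        seen.add(group_dn)
        for parent in groups_containing(group_dn, attr, directory):
            queue.append((parent, depth + 1))
    return sorted(seen)
```

For posixGroup the nested walk finds nothing beyond the direct groups, because memberUid holds uids rather than group DNs; that is the schema difference a templated realm has to encode.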

Re: Call for suggestions: how can Shiro's LDAP support be improved?

Posted by remast <ja...@cellent-fs.de>.
Hi All,

I would be very interested in the extension of LDAP support! If that would
be supported out of the box I could use shiro in some of our products! So
let me know when that's implemented!

Thanks,
remast
