Posted to user@shiro.apache.org by remast <ja...@cellent-fs.de> on 2011/03/30 11:36:35 UTC

LDAP Authentication with LDAP search query?

Hi All,

is it possible to perform an LDAP search query before authenticating a user?

The search query I need to perform is: "(&(objectclass=user)(uid={0}))". The
start of the search query is something like "dc=my-company,dc=de". This
query should be performed using a special user and login.

-> Is that possible?

Thanks,
Jan

--
View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6222489.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: LDAP Authentication with LDAP search query?

Posted by Les Hazlewood <le...@hazlewood.com>.
I'm going to open a thread related to this in just a second - please
check it out.

On Thu, Mar 31, 2011 at 9:17 AM, Brian Demers <br...@gmail.com> wrote:
> My ldap realm just extends the Abstract one.  If you're using the
> JndiLdapRealm and all your users are under the same subtree you could
> configure the realm (from the javadoc):
> [main]
> ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
> ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
>
> Otherwise I think you will need to extend one of the classes.
>
> On Thu, Mar 31, 2011 at 2:59 AM, remast <ja...@cellent-fs.de> wrote:
>> Hi Brian,
>>
>> thanks for your help. I already know what queries need to be performed on
>> ldap. What I need to know is whether this is supported by Shiro. Is it?
>>
>> We are thinking about replacing our in house custom coded ldap access with
>> shiro. This is only possible if shiro supports these kinds of queries...
>>
>> Thanks,
>> remast
>>
>> --
>> View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6226095.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>

Re: LDAP Authentication with LDAP search query?

Posted by Brian Demers <br...@gmail.com>.
My ldap realm just extends the Abstract one.  If you're using the
JndiLdapRealm and all your users are under the same subtree you could
configure the realm (from the javadoc):
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com

Otherwise I think you will need to extend one of the classes.

On Thu, Mar 31, 2011 at 2:59 AM, remast <ja...@cellent-fs.de> wrote:
> Hi Brian,
>
> thanks for your help. I already know what queries need to be performed on
> ldap. What I need to know is whether this is supported by Shiro. Is it?
>
> We are thinking about replacing our in house custom coded ldap access with
> shiro. This is only possible if shiro supports these kinds of queries...
>
> Thanks,
> remast
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6226095.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: LDAP Authentication with LDAP search query?

Posted by remast <ja...@cellent-fs.de>.
Hi Brian,

thanks for your help. I already know what queries need to be performed on
ldap. What I need to know is whether this is supported by Shiro. Is it?

We are thinking about replacing our in house custom coded ldap access with
shiro. This is only possible if shiro supports these kinds of queries...

Thanks,
remast


Re: LDAP Authentication with LDAP search query?

Posted by Brian Demers <br...@gmail.com>.
Yeah, we do the same thing.  You will need to use a different user (or
anon) to make one query to get the user.

The only downside is you end up with 3 queries,
1.) get the user with the system user
2.) login (for authentication using a bind)
3.) get the user's roles (if you are using static groups) (with the system user)

(granted you should only need to do this once)

If you happen to store the password hash in ldap and you are using
dynamic groups (groups are stored on your user object, e.g.
'memberOf') you can cut this down to one (assuming you can cache these
bits for when you need to authz)

Hope this helps,
-Brian

On Wed, Mar 30, 2011 at 5:36 AM, remast <ja...@cellent-fs.de> wrote:
> Hi All,
>
> is it possible to perform an LDAP search query before authenticating a user?
>
> The search query I need to perform is: "(&(objectclass=user)(uid={0}))". The
> start of the search query is something like "dc=my-company,dc=de". This
> query should be performed using a special user and login.
>
> -> Is that possible?
>
> Thanks,
> Jan
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6222489.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
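
Steps 1 and 2 of the sequence described in the reply above (look the user up with a system account, then bind as the DN that was found), as an added example in plain JNDI. It is not code from the thread or from Shiro. The base DN and filter are the ones from the question; the server URL, class name and method names are assumptions made for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class SearchThenBind {
    static final String URL = "ldap://ldap.example.invalid:389"; // assumed placeholder host
    static final String BASE = "dc=my-company,dc=de";            // from the question
    static final String FILTER = "(&(objectclass=user)(uid={0}))"; // from the question

    // Opens a context with a simple bind as the given DN; throws if the bind is rejected.
    static DirContext connect(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Returns the user's DN on success; null for unknown user, ambiguous match or bad password.
    static String authenticate(String sysDn, String sysPw, String uid, String password)
            throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind, which many
        // servers accept, so it must never count as a successful login.
        if (password == null || password.isEmpty()) return null;
        String userDn;
        DirContext sys = connect(sysDn, sysPw);           // step 1: search as the system user
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);     // only the DN is needed here
            // Passing uid as a filter argument lets JNDI escape filter metacharacters,
            // so input such as "*" or ")(uid=*" cannot change the query.
            NamingEnumeration<SearchResult> r = sys.search(BASE, FILTER, new Object[] {uid}, sc);
            if (!r.hasMore()) return null;
            userDn = r.next().getNameInNamespace();
            if (r.hasMore()) return null;                 // more than one match: refuse
        } finally {
            sys.close();
        }
        try {
            connect(userDn, password).close();            // step 2: bind as the user
            return userDn;
        } catch (AuthenticationException e) {
            return null;
        }
    }
}
```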