Posted to user@shiro.apache.org by John Vines <vi...@apache.org> on 2013/01/08 06:33:07 UTC

Re: ActiveDirectoryRealm hasRole?

Anyone have any idea on this one? This not working sorta defeats the
purpose of using LDAP as an authorization realm.


On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vi...@apache.org> wrote:

> So I was able to determine that subjectPrincipalName was not being set, so
> adding that actually got the ldap query on line 174 to return something.
> However, memberOf is not part of the result set. So it returns nothing.
> However, I was able to query it successfully using ldp and see the memberOf
> attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?
>
>
> On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lh...@apache.org> wrote:
>
>> Hi John,
>>
>> Here's the part of code that does the ActiveDirectory role lookup:
>>
>>
>> http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136
>>
>> It uses the 'memberOf' attribute to determine Roles.
>>
>> HTH!
>>
>> --
>> Les Hazlewood | @lhazlewood
>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>>
>> On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vi...@apache.org> wrote:
>> > I will preface this with I am fairly green when it comes to LDAP and
>> AD. The
>> > ActiveDirectoryRealm.hasRole() call, does that work against a Role or a
>> > Group? If the former, is there a way to do checks against Group
>> membership
>> > from SecurityManager? I'm having issues having hasRole work against an
>> AD
>> > instance and I find myself to be a bit stuck due to lack of knowledge of
>> > both AD/LDAP and Shiro's role/permission support.
>> >
>> > Thanks
>> > John
>>
>
>

Re: ActiveDirectoryRealm hasRole?

Posted by Les Hazlewood <lh...@apache.org>.
Please create a ticket - that'd be quite helpful, thanks!

On Tue, Jan 8, 2013 at 12:23 PM, John Vines <vi...@apache.org> wrote:

> PEBCAK, missed the groupRolesMap. Set that and got it working. On a side
> note, adding
>     searchCtls.setReturningAttributes(new String[] {"memberOf"});
> to getRoleNamesForUser in ActiveDirectoryRealm (line 164 specifically)
> would be a bit more efficient, as it does the filtering remotely so not
> bringing back excess information and no self filtering necessary (though
> it's a nice sanity check) in the client side. Do you want me to create a
> ticket for this, or do you have it?
>
>
> On Tue, Jan 8, 2013 at 12:57 PM, Les Hazlewood <lh...@apache.org> wrote:
>
>> Hi John,
>>
>> I'm surprised to hear of this since I'm unaware of it failing for others
>> (but maybe others subclass it often and this isn't a problem - who knows).
>> Can you please provide a patch to fix it? We can incorporate a patch asap.
>>
>> Best,
>>
>> --
>> Les Hazlewood | @lhazlewood
>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>>
>>
>> On Mon, Jan 7, 2013 at 9:33 PM, John Vines <vi...@apache.org> wrote:
>>
>>> Anyone have any idea on this one? This not working sorta defeats the
>>> purpose of using LDAP as an authorization realm.
>>>
>>>
>>> On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vi...@apache.org> wrote:
>>>
>>>> So I was able to determine that subjectPrincipalName was not being set,
>>>> so adding that actually got the ldap query on line 174 to return something.
>>>> However, memberOf is not part of the result set. So it returns nothing.
>>>> However, I was able to query it successfully using ldp and see the memberOf
>>>> attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?
>>>>
>>>>
>>>> On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lh...@apache.org> wrote:
>>>>
>>>>> Hi John,
>>>>>
>>>>> Here's the part of code that does the ActiveDirectory role lookup:
>>>>>
>>>>>
>>>>> http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136
>>>>>
>>>>> It uses the 'memberOf' attribute to determine Roles.
>>>>>
>>>>> HTH!
>>>>>
>>>>> --
>>>>> Les Hazlewood | @lhazlewood
>>>>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>>>> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>>>>>
>>>>> On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vi...@apache.org> wrote:
>>>>> > I will preface this with I am fairly green when it comes to LDAP and
>>>>> AD. The
>>>>> > ActiveDirectoryRealm.hasRole() call, does that work against a Role
>>>>> or a
>>>>> > Group? If the former, is there a way to do checks against Group
>>>>> membership
>>>>> > from SecurityManager? I'm having issues having hasRole work against
>>>>> an AD
>>>>> > instance and I find myself to be a bit stuck due to lack of
>>>>> knowledge of
>>>>> > both AD/LDAP and Shiro's role/permission support.
>>>>> >
>>>>> > Thanks
>>>>> > John
>>>>>
>>>>
>>>>
>>>
>>
>

Re: ActiveDirectoryRealm hasRole?

Posted by John Vines <vi...@apache.org>.
PEBCAK, missed the groupRolesMap. Set that and got it working. On a side
note, adding
    searchCtls.setReturningAttributes(new String[] {"memberOf"});
to getRoleNamesForUser in ActiveDirectoryRealm (line 164 specifically) would
be a bit more efficient, as it does the filtering remotely so not bringing
back excess information and no self filtering necessary (though it's a nice
sanity check) in the client side. Do you want me to create a ticket for
this, or do you have it?


On Tue, Jan 8, 2013 at 12:57 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi John,
>
> I'm surprised to hear of this since I'm unaware of it failing for others
> (but maybe others subclass it often and this isn't a problem - who knows).
> Can you please provide a patch to fix it? We can incorporate a patch asap.
>
> Best,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>
>
> On Mon, Jan 7, 2013 at 9:33 PM, John Vines <vi...@apache.org> wrote:
>
>> Anyone have any idea on this one? This not working sorta defeats the
>> purpose of using LDAP as an authorization realm.
>>
>>
>> On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vi...@apache.org> wrote:
>>
>>> So I was able to determine that subjectPrincipalName was not being set,
>>> so adding that actually got the ldap query on line 174 to return something.
>>> However, memberOf is not part of the result set. So it returns nothing.
>>> However, I was able to query it successfully using ldp and see the memberOf
>>> attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?
>>>
>>>
>>> On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lh...@apache.org> wrote:
>>>
>>>> Hi John,
>>>>
>>>> Here's the part of code that does the ActiveDirectory role lookup:
>>>>
>>>>
>>>> http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136
>>>>
>>>> It uses the 'memberOf' attribute to determine Roles.
>>>>
>>>> HTH!
>>>>
>>>> --
>>>> Les Hazlewood | @lhazlewood
>>>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>>> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>>>>
>>>> On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vi...@apache.org> wrote:
>>>> > I will preface this with I am fairly green when it comes to LDAP and
>>>> AD. The
>>>> > ActiveDirectoryRealm.hasRole() call, does that work against a Role or
>>>> a
>>>> > Group? If the former, is there a way to do checks against Group
>>>> membership
>>>> > from SecurityManager? I'm having issues having hasRole work against
>>>> an AD
>>>> > instance and I find myself to be a bit stuck due to lack of knowledge
>>>> of
>>>> > both AD/LDAP and Shiro's role/permission support.
>>>> >
>>>> > Thanks
>>>> > John
>>>>
>>>
>>>
>>
>
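As an added illustration (not code from this thread and not Shiro's own ActiveDirectoryRealm), the Java sketch below shows the two things John's message above turns on: a SearchControls that asks Active Directory to return only the memberOf attribute, and a groupRolesMap lookup that turns the group DNs in memberOf into application role names, so that an unmapped group yields no role and hasRole() stays false. The search base, the userPrincipalName filter, the group DNs and the map contents are all constructed for the example; the class and method names are assumptions, not Shiro's API.

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Example only: memberOf-based role resolution in the style of an AD realm.
 * Names and sample data are hypothetical.
 */
public class MemberOfRoleMapping {

    /** Search controls that ask the server for nothing but memberOf. */
    static SearchControls memberOfOnlyControls() {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The directory does the attribute filtering, so no surplus attributes
        // cross the wire and no client-side filtering is needed.
        ctls.setReturningAttributes(new String[] {"memberOf"});
        return ctls;
    }

    /**
     * Collect a user's memberOf values. Needs a live, already authenticated
     * DirContext; the filter and search base are assumptions for the example.
     */
    static Set<String> fetchMemberOf(DirContext ctx, String searchBase, String userPrincipalName)
            throws NamingException {
        Set<String> groups = new LinkedHashSet<>();
        // The principal is passed as a {0} filter argument so the LDAP provider
        // escapes it, rather than being spliced into the filter string by hand.
        String filter = "(&(objectClass=*)(userPrincipalName={0}))";
        NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, filter, new Object[] {userPrincipalName}, memberOfOnlyControls());
        try {
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                if (attrs == null) {
                    continue;
                }
                Attribute memberOf = attrs.get("memberOf");
                if (memberOf == null) {
                    continue; // user exists but is in no groups: no roles
                }
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) {
                    groups.add(String.valueOf(values.next()));
                }
            }
        } finally {
            results.close();
        }
        return groups;
    }

    /**
     * Translate group DNs into role names through a groupRolesMap whose values
     * are comma-separated role lists. Lookup is an exact string match: a group
     * DN that is not a key in the map contributes no role at all.
     */
    static Set<String> rolesForGroups(Set<String> groupDns, Map<String, String> groupRolesMap) {
        Set<String> roles = new LinkedHashSet<>();
        for (String dn : groupDns) {
            String mapped = groupRolesMap.get(dn);
            if (mapped == null) {
                continue; // unmapped group: deny by default, never guess a role
            }
            for (String role : mapped.split(",")) {
                String trimmed = role.trim();
                if (!trimmed.isEmpty()) {
                    roles.add(trimmed);
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample data: hypothetical group DNs and a hypothetical map.
        Map<String, String> groupRolesMap = new HashMap<>();
        groupRolesMap.put("CN=App Admins,OU=Groups,DC=example,DC=org", "admin,user");
        groupRolesMap.put("CN=App Users,OU=Groups,DC=example,DC=org", "user");

        // What fetchMemberOf() would return for a member of "App Users" only.
        Set<String> memberOf = new LinkedHashSet<>();
        memberOf.add("CN=App Users,OU=Groups,DC=example,DC=org");
        memberOf.add("CN=Domain Users,CN=Users,DC=example,DC=org"); // not in the map

        Set<String> roles = rolesForGroups(memberOf, groupRolesMap);
        System.out.println("roles = " + roles);
        System.out.println("hasRole(\"admin\") = " + roles.contains("admin"));
    }
}
```

The map lookup is an exact string comparison, so the DN strings configured as keys have to match what the directory returns character for character; that, and a map that is empty because it was never configured, are the two ways this resolves to "no roles" even though the LDAP query itself succeeded, which is the failure mode the thread describes.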

Re: ActiveDirectoryRealm hasRole?

Posted by Les Hazlewood <lh...@apache.org>.
Hi John,

I'm surprised to hear of this since I'm unaware of it failing for others
(but maybe others subclass it often and this isn't a problem - who knows).
Can you please provide a patch to fix it? We can incorporate a patch asap.

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Mon, Jan 7, 2013 at 9:33 PM, John Vines <vi...@apache.org> wrote:

> Anyone have any idea on this one? This not working sorta defeats the
> purpose of using LDAP as an authorization realm.
>
>
> On Fri, Dec 21, 2012 at 2:46 PM, John Vines <vi...@apache.org> wrote:
>
>> So I was able to determine that subjectPrincipalName was not being set,
>> so adding that actually got the ldap query on line 174 to return something.
>> However, memberOf is not part of the result set. So it returns nothing.
>> However, I was able to query it successfully using ldp and see the memberOf
>> attribute ( http://i.imgur.com/yhN1t.png ). Any thoughts?
>>
>>
>> On Thu, Dec 20, 2012 at 9:59 PM, Les Hazlewood <lh...@apache.org> wrote:
>>
>>> Hi John,
>>>
>>> Here's the part of code that does the ActiveDirectory role lookup:
>>>
>>>
>>> http://shiro.apache.org/static/current/xref/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.html#136
>>>
>>> It uses the 'memberOf' attribute to determine Roles.
>>>
>>> HTH!
>>>
>>> --
>>> Les Hazlewood | @lhazlewood
>>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>>>
>>> On Thu, Dec 20, 2012 at 4:57 PM, John Vines <vi...@apache.org> wrote:
>>> > I will preface this with I am fairly green when it comes to LDAP and
>>> AD. The
>>> > ActiveDirectoryRealm.hasRole() call, does that work against a Role or a
>>> > Group? If the former, is there a way to do checks against Group
>>> membership
>>> > from SecurityManager? I'm having issues having hasRole work against an
>>> AD
>>> > instance and I find myself to be a bit stuck due to lack of knowledge
>>> of
>>> > both AD/LDAP and Shiro's role/permission support.
>>> >
>>> > Thanks
>>> > John
>>>
>>
>>
>