LDAP Authentication with LDAP search query?

LDAP Authentication with LDAP search query?

remast
Hi All,

is it possible to perform an LDAP search query before authenticating a user?

The search query I need to perform is: "(&(objectclass=user)(uid={0}))". The start of the search query is something like "dc=my-company,dc=de". This query should be performed using a special user and login.

-> Is that possible?

Thanks,
Jan

Re: LDAP Authentication with LDAP search query?

Brian Demers
Yeah, we do the same thing.  You will need to use a different user (or
anon) to make one query to get the user.

The only downside is you end up with 3 queries,
1.) get the user with the system user
2.) login (for authentication using a bind)
3.) get the user's roles (if you are using static groups) (with the system user)

(granted you should only need to do this once)

If you happen to store the password hash in ldap and you are using
dynamic groups (groups are stored on your user object, e.g.
'memberOf') you can cut this down to one (assuming you can cache these
bits for when you need to authz)

Hope this helps,
-Brian

On Wed, Mar 30, 2011 at 5:36 AM, remast <[hidden email]> wrote:

> Hi All,
>
> is it possible to perform an LDAP search query before authenticating a user?
>
> The search query I need to perform is: "(&(objectclass=user)(uid={0}))". The
> start of the search query is something like "dc=my-company,dc=de". This
> query should be performed using a special user and login.
>
> -> Is that possible?
>
> Thanks,
> Jan
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6222489.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: LDAP Authentication with LDAP search query?

remast
Hi Brian,

thanks for your help. I already know what queries need to be performed on ldap. What I need to know is whether this is supported by Shiro. Is it?

We are thinking about replacing our in house custom coded ldap access with shiro. This is only possible if shiro supports these kinds of queries...

Thanks,
remast

Re: LDAP Authentication with LDAP search query?

Brian Demers
My ldap realm just extends the Abstract one.  If you're using the
JndiLdapRealm and all your users are under the same subtree you could
configure the realm (from the javadoc):
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com

Otherwise I think you will need to extend one of the classes.

On Thu, Mar 31, 2011 at 2:59 AM, remast <[hidden email]> wrote:

> Hi Brian,
>
> thanks for your help. I already know what queries need to be performed on
> ldap. What I need to know is whether this is supported by Shiro. Is it?
>
> We are thinking about replacing our in house custom coded ldap access with
> shiro. This is only possible if shiro supports these kinds of queries...
>
> Thanks,
> remast
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6226095.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: LDAP Authentication with LDAP search query?

Les Hazlewood
Administrator
I'm going to open a thread related to this in just a second - please
check it out.

On Thu, Mar 31, 2011 at 9:17 AM, Brian Demers <[hidden email]> wrote:

> My ldap realm just extends the Abstract one.  If you're using the
> JndiLdapRealm and all your users are under the same subtree you could
> configure the realm (from the javadoc):
> [main]
> ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
> ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
>
> Otherwise I think you will need to extend one of the classes.
>
> On Thu, Mar 31, 2011 at 2:59 AM, remast <[hidden email]> wrote:
>> Hi Brian,
>>
>> thanks for your help. I already know what queries need to be performed on
>> ldap. What I need to know is whether this is supported by Shiro. Is it?
>>
>> We are thinking about replacing our in house custom coded ldap access with
>> shiro. This is only possible if shiro supports these kinds of queries...
>>
>> Thanks,
>> remast
>>
>> --
>> View this message in context: http://shiro-user.582556.n2.nabble.com/LDAP-Authentication-with-LDAP-search-query-tp6222489p6226095.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>