UnknownAccountException with LDAPRealm


UnknownAccountException with LDAPRealm

braus
Hi everyone,

I've noticed that there is a specific exception for unknown accounts. This
seems useful to me in a specific login flow that I've been working on.
Unfortunately I haven't been able to trigger said exception with the
DefaultLDAPRealm.

Does anyone have insight on how to get this exception with the
DefaultLDAPRealm?


On a different note; I can't seem to check if a user exists through the
DefaultLDAPRealm. Is there a way to check this? I could build a separate
LDAP module to check this but I would say that checking if a username exists
would be Realm behaviour. But I could be wrong here.

Kind regards,

Sjoerd Brauer



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: UnknownAccountException with LDAPRealm

Brian Demers
Not all realm implementations are able to determine if an account exists or not.  For example, most remote user stores would return the same result if a user does not exist or the password was incorrect.
And you may not want to propagate that type of exception to your end-users (to avoid leaking usernames). This is up to you; some folks make the argument that the increased usability is worth it.

LDAP is a bit complicated as well, depending on how your server is configured.  Setups that query for a user before authenticating require a "system" user to make the initial connection. Otherwise, you use the username/password of the user login to make the connection.

Is there something specific you are trying to do?

On Tue, Jun 9, 2020 at 5:06 AM braus <[hidden email]> wrote:

Re: UnknownAccountException with LDAPRealm

braus
Hi Brian,

I just want to check if a username exists or not for registration purposes
(not login). I only allow accounts registered from the LDAP realm to be used
in my different realms.
So my basic problem would be to see if there is a simple method of checking
if a username exists within an LDAPRealm.

I could query the LDAP with separate frameworks and such, but I prefer to
have minimal dependencies.




Re: UnknownAccountException with LDAPRealm

Brian Demers
Okay, I see.

Shiro doesn't provide an API for this.  You would need to handle this additional query separately.  You shouldn't need additional dependencies though, you can use javax.naming.ldap API directly.

Does that help?
-Brian


On Wed, Jun 10, 2020 at 8:23 AM braus <[hidden email]> wrote:
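The separate existence lookup Brian suggests, written against the plain javax.naming (JNDI) LDAP API, as an added example that is not code from this thread or from Shiro. It assumes a dedicated read-only lookup account (BIND_DN, password from LDAP_LOOKUP_PASSWORD), a subtree holding user entries (BASE_DN) and uid as the username attribute; all directory values are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Username existence check done outside Shiro's realm, via plain JNDI. */
public final class LdapUserExists {

    // Constructed placeholder values (assumptions): a dedicated read-only
    // lookup account and the subtree that holds user entries.
    private static final String URL = "ldap://ldap.example.test:389";
    private static final String BIND_DN = "cn=lookup-svc,ou=services,dc=example,dc=test";
    private static final String BIND_PW = System.getenv("LDAP_LOOKUP_PASSWORD"); // must be set
    private static final String BASE_DN = "ou=people,dc=example,dc=test";

    public static boolean userExists(String username) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);   // the "system" user Brian mentions
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setCountLimit(1);                      // one match answers the question
        sc.setTimeLimit(5_000);                   // milliseconds; don't hang registration
        sc.setReturningAttributes(new String[0]); // fetch no attributes, just existence

        DirContext ctx = new InitialDirContext(env);
        try {
            // {0} is substituted by JNDI with LDAP filter escaping applied, so
            // filter-special characters in the submitted username cannot change
            // the meaning of the search filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, "(uid={0})", new Object[] { username }, sc);
            try {
                return results.hasMore();
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }
}
```

Note that a registration form answering "this username is taken" discloses exactly the information Brian cautions about leaking at login, so the same consideration (who can reach the form, how often) applies to this check.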

Re: UnknownAccountException with LDAPRealm

braus
Hi Brian,

Thanks for thinking along.
I solved it by using the LDAP API as you described.

Kind regards


