Configuring authorization for JNDILdapRealm in Shiro

796 views Asked by At

My question is actually this question exactly: Shiro JndiLdapRealm authorization against LDAP

To summarize, the Shiro documentation states:

If you wish to perform authorization based on an LDAP schema, you must subclass this one (JNDILdapRealm) and override that method (doGetAuthorizationInfo) to reflect your organization's data model.

I am confused by the accepted solution, as searchBase is undefined, and it seems like something that is a part of ActiveDirectoryRealm, rather than JndiLdapRealm. getRoleNamesForGroups is also undefined, but I assume that in my mapping the group name would be the role name.

I am trying to get the authorization to map ldap groups -> shiro roles for Forumsys's Test Ldap Server, and then return those in the doGetAuthorizationInfo. The code I am using to configure my subclass LdapRealm (which extends JndiLdapRealm, and which works for authentication) is as follows:

LdapRealm ldapRealm = new LdapRealm();
ldapRealm.setUserDnTemplate("uid={0},dc=example,dc=com");
JndiLdapContextFactory cf1 = new JndiLdapContextFactory();
cf1.setUrl("ldap://ldap.forumsys.com:389");
ldapRealm.setContextFactory(cf1);

Does anyone have an example of what the functional authorization code should look like? Or is there a simple modification to the accepted answer on the other question that would work?

Alternatively, is there a way to get Forumsys's test server to work with ActiveDirectoryRealm instead (which to my understand, implements authorization)?

1

There are 1 answers

1
vgm On BEST ANSWER

So, I suppose the answer to this question is: Authorization will depend on how the ldap server stores roles, and how you want roles to be perceived. Jxplorer was useful to see what the structure was.

As for making it work with forumsys, the searchbase should be "dc=example,dc=com" and instead of checking for "memberOf", it should check for "ou"