[
https://issues.apache.org/jira/browse/SHIRO-127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12891380#action_12891380
]
Emmanuel Lecharny commented on SHIRO-127:
-----------------------------------------
Checking the code at ActiveDirectoryRealm.java, it's *very* likely that you'll
have a lot of trouble if you don't take care of a few points:
- code like (line 190) :
...
if (attr.getID().equals("memberOf")) {
...
won't work if the attr stores the ID in upper case, or all in lower case.
attr.getID() may return one of these values:
* memberof
* MEMBEROF
* MemberOf
* MeMbErOf
* the OID (I don't know what memberOf's OID is, but be ready to deal with
things like 2.5.4.11...)
- when creating a NamingEnumeration, *always* close it, otherwise you'll get
some nasty errors (like very long delays if you are using an LDAP connection
pool). Good luck finding the origin of those delays if you don't know that an NE
must be closed...
so
try {
<use a NamingEnumeration>
} finally {
<close the NamingEnumeration>
}
- filters like (line 171):
String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
is strictly equivalent to
String searchFilter = "(userPrincipalName={0})";
Of course, check that the userPrincipalName is indexed, otherwise a search
using this filter will do a full scan...
- be *very* careful when manipulating a DN. For the same reason as in point
#1, a DN may have multiple forms. Using the DN as a String is likely to carry
some strange errors too (like not finding a match for a given DN).
Comparing 2 DNs is *not* something simple; you won't be able to whip it up in less
than one week, trust me on that.
If you want a way to identify an entry by an invariant value, don't use the DN,
use the entryUUID attribute. It's unique, it's invariant, it's case-insensitive.
> Improvements to Shiro's LDAP support
> ------------------------------------
>
> Key: SHIRO-127
> URL: https://issues.apache.org/jira/browse/SHIRO-127
> Project: Shiro
> Issue Type: Improvement
> Components: Realms
> Reporter: Philippe Laflamme
> Attachments: shiro-127.patch
>
>
> Following this mailing list discussion:
> http://n2.nabble.com/Confusion-with-the-LDAP-Realm-tp4268254p4268254.html
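The following is an added example, not code from the comment above or from the Shiro project, showing how the first three points of that comment look together in JNDI: a case-insensitive test on attr.getID(), every NamingEnumeration closed in a finally block (NamingEnumeration is not AutoCloseable, so try-with-resources does not apply), and the simplified userPrincipalName filter with the principal passed as a JNDI filter argument instead of being concatenated into the filter string. The class name GroupLookup, the method names, and the caller-supplied LdapContext and search base are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

/**
 * Hypothetical helper (not Shiro code): returns the memberOf values of the
 * entry whose userPrincipalName matches the supplied principal.
 */
public final class GroupLookup {

    // Point 3 of the comment: "(&(objectClass=*)(userPrincipalName={0}))"
    // is equivalent to this, so the extra clause is dropped.
    private static final String USER_FILTER = "(userPrincipalName={0})";

    private GroupLookup() {}

    /** Point 1: memberOf, MEMBEROF, MemberOf and MeMbErOf must all match. */
    static boolean isMemberOfAttribute(String attributeId) {
        return attributeId != null && attributeId.equalsIgnoreCase("memberOf");
    }

    public static List<String> findGroupDns(LdapContext ctx, String searchBase,
                                            String userPrincipalName) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Only ask the server for the attribute we actually read.
        controls.setReturningAttributes(new String[] {"memberOf"});

        List<String> groups = new ArrayList<String>();

        // {0} is substituted by JNDI from filterArgs; the principal is never
        // spliced into the filter string by hand, so filter metacharacters in
        // it cannot change the query.
        NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, USER_FILTER, new Object[] {userPrincipalName}, controls);
        try {
            while (results.hasMore()) {
                SearchResult entry = results.next();
                Attributes attrs = entry.getAttributes();
                if (attrs == null) {
                    continue;
                }
                NamingEnumeration<? extends Attribute> attrEnum = attrs.getAll();
                try {
                    while (attrEnum.hasMore()) {
                        Attribute attr = attrEnum.next();
                        if (!isMemberOfAttribute(attr.getID())) {
                            continue;
                        }
                        NamingEnumeration<?> values = attr.getAll();
                        try {
                            while (values.hasMore()) {
                                groups.add(String.valueOf(values.next()));
                            }
                        } finally {
                            values.close(); // point 2: close every enumeration
                        }
                    }
                } finally {
                    attrEnum.close();
                }
            }
        } finally {
            // Point 2: an unclosed search enumeration is what leaves a pooled
            // connection busy and produces the long delays the comment describes.
            results.close();
        }
        return groups;
    }
}
```

The group values come back as DN strings; as the fourth point of the comment warns, they should be handed to a DN-aware comparison rather than compared with String.equals, and an entry that must be tracked across renames should be keyed on its entryUUID instead.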