I faced this same problem myself. I have an IntelliJ project that is a
good example of how to create/use an LDAP realm. In fact what it does is
choose between two configured realms, one a local ShiroDbRealm and the
other LDAP. If you're new to Grails/Groovy this is a good learning tool. I
based it off of the Scott Davis (IBM) blogito tutorial. I create some
default users that are not the plain ShiroUser, but it is a trivial
modification. For my purposes I had to extend the

class ShiroUser extends com.saic.hub.HubUser

but again, I think you will find it elementary to see the effect. In the
end it is just a tweaked user class for my purposes and could be done
incorrectly, but there you go.

When you run the app with grails run-app it will default to the
ShiroDbRealm. If you create a file called

file:${userHome}/.authprototype/user_config.groovy

in that file put

ldap.ldapUrls = 'ldap://localhost:389/'
ldap.search.base = 'ou=YOURVALUE,dc=YOURVALUE,dc=YOURVALUE,dc=YOURVALUE'
ldap.search.user = "YOURVALUE"
ldap.search.pass = "YOURVALUE"
ldap.username.attribute = "YOURVALUE"
ldap.skip.credentialsCheck = false
ldap.allowEmptyPasswords = false
hub.auth.realmName = "ShiroLDAPRealm"


The hub.auth.realmName should be set to whatever name is created by
grails create-ldap-realm. I changed mine around some and ended up with
ShiroLDAPRealm. The casing is off from the original.


It will load your LDAP realm. The important value to trigger LDAP
loading is hub.auth.realmName. To test the application, delete this line.
It will load the ShiroDbRealm and you can log in with the dummy users
created in BootStrap. Once you have that working and understand it, put
the line back in the user_config.groovy file. This will override the
default value that is in Config.groovy and load the LDAP realm. As long
as you have the LDAP settings correct (that was the really hard part for
me) you should be good.


I guess the question now is how do I get it to you? I will send this
message first with nothing attached and try a separate message with the
app. If it bounces we can go from there.

sg
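The realm-selection behaviour described above, written out as an added example (this is not code from the original post, nor from Shiro or Grails): a stand-in for the Config.groovy defaults is merged with a stand-in for ${userHome}/.authprototype/user_config.groovy, later values win, and the realm is chosen from hub.auth.realmName. The property names come from the post; the sample LDAP values are constructed, the helper names (loadConfig, validateLdap, selectRealm) are hypothetical, and the literal realm name "ShiroLDAPRealm" is assumed to be what grails create-ldap-realm produced. The validator refuses to load the LDAP realm when ldap.allowEmptyPasswords or ldap.skip.credentialsCheck is true, since an empty-password simple bind is treated by LDAP servers as an anonymous bind and a skipped credentials check means no authentication happens at all.

```groovy
// Added example: config override and realm selection with a safety check on the
// LDAP settings. Helper names are hypothetical; run with: groovy RealmSelection.groovy

// Constructed stand-in for the defaults in grails-app/conf/Config.groovy.
def defaultsText = '''
hub.auth.realmName = "ShiroDbRealm"
ldap.skip.credentialsCheck = false
ldap.allowEmptyPasswords = false
'''

// Constructed stand-in for ${userHome}/.authprototype/user_config.groovy.
def userConfigText = '''
ldap.ldapUrls = 'ldap://localhost:389/'
ldap.search.base = 'ou=people,dc=example,dc=com'
ldap.search.user = 'cn=reader,dc=example,dc=com'
ldap.search.pass = 'placeholder-password'
ldap.username.attribute = 'uid'
ldap.skip.credentialsCheck = false
ldap.allowEmptyPasswords = false
hub.auth.realmName = "ShiroLDAPRealm"
'''

// Parse the defaults, then merge the user file over them (later files win,
// which is how grails.config.locations behaves).
ConfigObject loadConfig(String defaults, String override) {
    def slurper = new ConfigSlurper()
    def config = slurper.parse(defaults)
    if (override) {
        config.merge(slurper.parse(override))
    }
    return config
}

// Returns a list of problems; an empty list means the LDAP settings are usable.
List<String> validateLdap(ConfigObject config) {
    def problems = []
    def ldap = config.ldap
    if (!ldap.ldapUrls) problems << 'ldap.ldapUrls is missing'
    if (!ldap.search.base) problems << 'ldap.search.base is missing'
    if (!ldap.username.attribute) problems << 'ldap.username.attribute is missing'
    // An empty-password simple bind is an anonymous bind on LDAP servers, so
    // allowing it would let a request with no password pass as any user.
    if (ldap.allowEmptyPasswords == true) problems << 'ldap.allowEmptyPasswords must be false'
    // Skipping the credentials check disables authentication entirely.
    if (ldap.skip.credentialsCheck == true) problems << 'ldap.skip.credentialsCheck must be false'
    return problems
}

// Pick the realm named in hub.auth.realmName, falling back to the database realm,
// and only allow the LDAP realm when its settings pass validation.
String selectRealm(ConfigObject config) {
    String name = config.hub.auth.realmName ?: 'ShiroDbRealm'
    if (name == 'ShiroLDAPRealm') {
        def problems = validateLdap(config)
        if (problems) {
            throw new IllegalStateException("Refusing to load ShiroLDAPRealm: ${problems.join('; ')}")
        }
    }
    return name
}

// No user file: the defaults alone select ShiroDbRealm.
assert selectRealm(loadConfig(defaultsText, null)) == 'ShiroDbRealm'

// With the user file: hub.auth.realmName is overridden and the LDAP realm loads.
assert selectRealm(loadConfig(defaultsText, userConfigText)) == 'ShiroLDAPRealm'

// Same user file with the realmName line deleted (the post's suggested test)
// falls back to the database realm even though the LDAP settings are present.
def withoutRealmLine = userConfigText.readLines()
        .findAll { !it.startsWith('hub.auth.realmName') }
        .join('\n')
assert selectRealm(loadConfig(defaultsText, withoutRealmLine)) == 'ShiroDbRealm'

// A weakened user file is rejected rather than silently loading the LDAP realm.
def weakened = userConfigText.replace('ldap.allowEmptyPasswords = false',
                                      'ldap.allowEmptyPasswords = true')
try {
    selectRealm(loadConfig(defaultsText, weakened))
    assert false : 'expected the weakened LDAP config to be rejected'
} catch (IllegalStateException expected) {
    assert expected.message.contains('ldap.allowEmptyPasswords')
}

println 'realm selection checks passed'
```

The merge step is the whole point of the user_config.groovy file: it only has to carry the keys that differ from Config.groovy, and removing the hub.auth.realmName line is enough to drop back to ShiroDbRealm without touching the LDAP settings.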
-----Original Message-----
From: shiro-user-return-1140-stephen.a.gorman=saic....@incubator.apache.org [mailto:[email protected]e.org] On Behalf Of Les Hazlewood
Sent: Thursday, January 07, 2010 2:58 PM
To: [email protected]
Subject: Re: Confusion with the LDAP Realm

Hi Philippe,

You've made a great point - please open up a Jira issue so we can
track this.  If there is a way to achieve generic LDAP implementation,
we'll work to have it in the 1.0 release.

I wasn't the original author of the AbstractLdapRealm hierarchy, so I
wasn't very familiar with its implementation strategy.  Any pointers
or things that you see could be improved, please include them in the
Jira issue comments.  Of course, if you have any implementations or
patches or test cases, those would be great as a Jira attachment as
well (if possible).  Anything helpful is appreciated!

Cheers,

Les

On Thu, Jan 7, 2010 at 2:18 PM, Philippe Laflamme <[email protected]>
wrote:
>
> Hello Shiro world,
>
> I'm looking for an example LDAP Realm configuration and cannot seem to find
> anything. Please point me to some example if there is one.
>
> I've looked at the source and it seems that there is no implementation of an
> LDAP Realm. The only concrete implementation is the ActiveDirectoryRealm (I
> understand AD is similar to LDAP, but it's not == to LDAP). The closest LDAP
> Realm I can see is AbstractLDAPRealm, which is... well... Abstract!
>
> When I read that Shiro supports LDAP realms I figured I could point it to my
> server, specify the structure of my LDAP (DNs and so forth) and bingo! I'd
> be able to authenticate against it. I understand that authorization (role
> and permission mapping) is another matter, but authentication should be
> straightforward... no?
>
> I'm no LDAP/AD expert, so am I missing something?
>
> Looking at the ActiveDirectoryRealm, I can see that the
> queryForAuthenticationInfo method is not AD-specific. Could it not belong to
> a DefaultLDAPRealm of some sort?
>
> BTW, Atlassian Crowd has some examples of connecting to "Generic LDAP
> Directories"
> http://confluence.atlassian.com/display/CROWD/Generic+LDAP+Directories here.
> --
> View this message in context:
> http://n2.nabble.com/Confusion-with-the-LDAP-Realm-tp4268254p4268254.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
