That is how it should work if you do not set the system user/password. Can you confirm that your configuration does not set them?

On Mon, Aug 22, 2016 at 12:17 AM, vlhf刘海峰 <[email protected]> wrote:
> Hi all,
>
> As some AD forbid search operations with anonymous binding,
> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm will fail to get
> authorization info without a manager account. But, since the user has logged in
> before, which means the user has bound successfully and is able to do search over
> LDAP, I'd prefer using the user's account to search for its LDAP attributes,
> and I think the manager account is totally unnecessary.
>
> There are at least two ways to achieve this, but both were blocked after reading
> the source code:
>
> 1) search LDAP attributes right after binding:
>    Problem is no straight way to put roles to authorization cache, related
>    methods are mostly private
> 2) bind again while getting authorization info:
>    Problem is at this step the only information of authentication is
>    principals, no credentials
>
> I hope the Shiro dev team deals with this, or lets me know if there is a better
> solution.
>
> Thank you all.
