Hey Andreas, Sounds like the easiest option would be to fix the case sensitivity of that field. Email addresses are _generally_ considered case insensitive.
If that doesn't work (I'm guessing you already tried that route), You can extend the ActiveDirectoryRealm, and replace the `getRoleNamesForUser` https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java#L158-L203 On Tue, Jul 30, 2019 at 9:32 AM Andreas Reichel < [email protected]> wrote: > Dear All, > > first of all, thank you a lot for providing Shiro, which we use to > authenticate and authorize against Active Directory. > > Unfortunately one of our clients uses case sensitive spelling for the > definition of the MAIL attribute, e.g. > [email protected] > > When the user logs-on to our application with exactly that spelling, we > will confirm all the assigned roles according to the MEMBEROF attribute. > > However, when any different upper-case or lower-case spelling is used > (like [email protected]), we can authenticate the > user, but we fail to get the roles. > > What looks like a minor issue is a maintenance nightmare, because the user > did everything correct (username/password has been accepted), the AD admins > did everything correct, we do not see any error -- but still the user does > not get authorized. > > Is there any way to: > a) switch of case-sensitivity for the authorization and/or (role will be > found case-insensitive) > b) make it consistent with the authentication (either case sensitive or > case-insensitive). > > Thank you all in advance and cheers > Andreas > > >
