On Tue, 2019-07-30 at 09:59 -0400, Brian Demers wrote:
> `grabbing` -> I was going to say maybe you could grab the email
> address from the record instead of taking the user input and use that
> for the query
Brian,
sorry for asking again. I believe the relevant line is:
/home/are/data/src/shiro/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java

    protected Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
        Set<String> roleNames;
        roleNames = new LinkedHashSet<String>();

        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        String userPrincipalName = username;
        if (principalSuffix != null) {
            userPrincipalName += principalSuffix;
        }

        // The {0} placeholder in searchFilter is filled from this array.
        Object[] searchArguments = new Object[]{userPrincipalName};

        NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);

        while (answer.hasMoreElements()) {
            SearchResult sr = (SearchResult) answer.next();

            if (log.isDebugEnabled()) {
                log.debug("Retrieving group names for user [" + sr.getName() + "]");
            }

            Attributes attrs = sr.getAttributes();

With

    protected String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";

In my limited understanding, would it not be possible/sufficient to
modify that SEARCHFILTER and use one of the many like
"(&(objectClass=*)(email -eq [email protected]))" or
"(&(objectClass=*)(email -like [email protected]))"?
Can we set SEARCHFILTER in shiro.ini?
Thanks for your patience and best regards
Andreas
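
Added example, not part of the original message and not Shiro's own code: a search by e-mail address written in LDAP filter syntax (attribute=value, RFC 4515) with the same `{0}` placeholder and `search(base, filter, args, controls)` call shape as the excerpt above. The class name `MailFilterExample`, the helper names, the use of the `mail` attribute and the sample addresses are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class MailFilterExample {
    // Assumption: the directory keeps the address in the "mail" attribute.
    static final String SEARCH_FILTER = "(&(objectClass=*)(mail={0}))";

    // Same call shape as the excerpt: the value travels as a filter argument,
    // so JNDI escapes filter metacharacters in it before the search runs.
    static NamingEnumeration<SearchResult> findByMail(
            DirContext ctx, String searchBase, String mail) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return ctx.search(searchBase, SEARCH_FILTER, new Object[] {mail}, controls);
    }

    // RFC 4515 escaping, needed only when a filter string is assembled by hand.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean special = c == '*' || c == '(' || c == ')' || c == '\\' || c == 0;
            if (special || c > 0x7f) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Literal filter equivalent to substituting the argument for {0}.
    static String render(String mail) {
        return SEARCH_FILTER.replace("{0}", escapeFilterValue(mail));
    }

    public static void main(String[] args) {
        // Constructed sample values; no directory connection is made here.
        String[] samples = {"jdoe@example.com", "j*doe(test)@example.com"};
        for (String sample : samples) {
            System.out.println(render(sample));
        }
    }
}
```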