Compliments of the day,

after looking up the code, I figured it out. One has to set:

realm.principalSuffix = @email.com


However, there is a caveat: The principalSuffix is ALWAYS appended,
even when the userPrincipalName ends with it already. Thus either
"John.Doe" or "[email protected]" would work, but not both correct
logons.

The attached patch fixes this and allows both "John.Doe" and also
"[email protected]" to authorise against groups.

Best regards

Andreas
Index: core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java b/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
--- a/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java	(revision 36b47fc591ca9e7ec1fc0a631edeea8b0e339350)
+++ b/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java	(revision c9673c14c159d6c9f5377829c5d83dfa81d3d8fc)
@@ -163,7 +163,7 @@
         searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 
         String userPrincipalName = username;
-        if (principalSuffix != null) {
+        if (principalSuffix != null && userPrincipalName.toLowerCase().endsWith( principalSuffix.toLowerCase() ) ) {
             userPrincipalName += principalSuffix;
         }
 
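Review bot: the new condition is inverted: `endsWith(...)` appends the suffix only when the name already ends with it, which is the opposite of the stated intent (append it only when missing) and means a plain "John.Doe" never gets the suffix at all. Negate the test: `if (principalSuffix != null && !userPrincipalName.toLowerCase().endsWith(principalSuffix.toLowerCase()))`. While here, `toLowerCase()` without a `Locale` folds case according to the JVM default locale; `toLowerCase(Locale.ROOT)` (or `regionMatches(true, ...)`) keeps the comparison predictable on every host.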
Index: core/src/main/java/org/apache/shiro/realm/ldap/AbstractLdapRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/core/src/main/java/org/apache/shiro/realm/ldap/AbstractLdapRealm.java b/core/src/main/java/org/apache/shiro/realm/ldap/AbstractLdapRealm.java
--- a/core/src/main/java/org/apache/shiro/realm/ldap/AbstractLdapRealm.java	(revision 36b47fc591ca9e7ec1fc0a631edeea8b0e339350)
+++ b/core/src/main/java/org/apache/shiro/realm/ldap/AbstractLdapRealm.java	(revision c9673c14c159d6c9f5377829c5d83dfa81d3d8fc)
@@ -63,6 +63,18 @@
     /*--------------------------------------------
     |    I N S T A N C E   V A R I A B L E S    |
     ============================================*/
+
+    /**
+     * Defines the Suffix added to the User Principal Name when looking up groups (e.g. "memberOf")
+     * AD Example:
+     * User's Principal Name be "John.Doe"
+     * User's E-Mail Address be "[email protected]"
+     *
+     * For the example below, set:
+     *      realm.principalSuffix = @email.com
+     *
+     * Only then, "John.Doe" and also "[email protected]" can authorize against groups
+     */
     protected String principalSuffix = null;
 
     protected String searchBase = null;
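Review bot: the Javadoc says "For the example below" but the example values ("John.Doe", "[email protected]") are above that sentence; say "above". It should also state the actual rule the patch is meant to implement, i.e. the suffix is appended only when the user principal name does not already end with it (compared case-insensitively), since the text currently only says when to set the property, not how it is applied.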

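As an added example (not code from this mail or from Shiro itself), here is the suffix handling the patch is aiming for, written as a stand-alone Java class so the two spellings of the login can be tried side by side. It appends the suffix only when the name does not already end with it, comparing case-insensitively. The suffix value `@email.com` and the user name `John.Doe` come from the mail; the full address `John.Doe@email.com` is constructed from them, the `appendAlways` variant reproduces the pre-patch behaviour for contrast, and `Locale.ROOT` is an assumption of mine rather than something the patch uses.

```java
import java.util.Locale;

/**
 * Demonstrates building the userPrincipalName that an AD/LDAP realm binds
 * with, when a principalSuffix is configured.
 */
public final class PrincipalSuffixExample {

    /** Pre-patch behaviour: the suffix is appended unconditionally. */
    static String appendAlways(String username, String principalSuffix) {
        String userPrincipalName = username;
        if (principalSuffix != null) {
            userPrincipalName += principalSuffix;
        }
        return userPrincipalName;
    }

    /**
     * Intended behaviour: append the suffix only when the name does not
     * already end with it, ignoring case.
     */
    static String appendIfMissing(String username, String principalSuffix) {
        if (username == null) {
            throw new IllegalArgumentException("username must not be null");
        }
        if (principalSuffix == null || principalSuffix.isEmpty()) {
            return username;
        }
        // Locale.ROOT (assumption) keeps case folding independent of the
        // JVM default locale, e.g. the Turkish dotless i.
        String lowerName = username.toLowerCase(Locale.ROOT);
        String lowerSuffix = principalSuffix.toLowerCase(Locale.ROOT);
        if (lowerName.endsWith(lowerSuffix)) {
            return username;
        }
        return username + principalSuffix;
    }

    public static void main(String[] args) {
        // Constructed sample values, modelled on the mail's example.
        String suffix = "@email.com";
        String[] logins = { "John.Doe", "John.Doe@email.com", "john.doe@EMAIL.COM" };

        System.out.printf("%-22s | %-32s | %s%n", "login", "appendAlways", "appendIfMissing");
        for (String login : logins) {
            System.out.printf("%-22s | %-32s | %s%n",
                    login,
                    appendAlways(login, suffix),
                    appendIfMissing(login, suffix));
        }
        // appendAlways turns "John.Doe@email.com" into
        // "John.Doe@email.com@email.com", which is not a valid UPN, so only one
        // of the two spellings can ever log in; appendIfMissing maps all three
        // inputs to a single, valid UPN.
    }
}
```

Run it with `javac PrincipalSuffixExample.java && java PrincipalSuffixExample`; the table makes it easy to see which spellings of the login would have been rejected before the change.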