Hi all,
As some ADs forbid search operations with anonymous binding,
org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm will fail to get
authorization info without a manager account. But since the user has logged in
before, which means the user has bound successfully and is able to search over
LDAP, I'd prefer using the user's account to search for its LDAP attributes, and I
think the manager account is totally unnecessary.
There are at least two ways to achieve this, but both were blocked after reading
the source code:
1) search LDAP attributes right after binding:
The problem is that there is no straightforward way to put roles into the
authorization cache; the related methods are mostly private.
2) bind again while getting authorization info:
The problem is that at this step the only authentication information available
is the principals, with no credentials.
I hope the Shiro dev team deals with this, or let me know if there is a better
solution.
Thank you all.
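One way to resolve roles with the user's own bind, as an added example that is not from the original post or from Shiro itself: this hypothetical subclass of ActiveDirectoryRealm searches with the context obtained from the user's own bind at login and carries the resolved roles as an extra principal, so queryForAuthorizationInfo needs neither a manager account nor the user's credentials. The class name and the LdapRoles holder type are assumptions; the Shiro methods and fields used are the ones ActiveDirectoryRealm already exposes.

```java
import java.util.Collections;
import java.util.Set;
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class SelfBindActiveDirectoryRealm extends ActiveDirectoryRealm {
    public static final class LdapRoles { // assumed holder type, not part of Shiro
        private final Set<String> names;
        public LdapRoles(Set<String> names) { this.names = Collections.unmodifiableSet(names); }
        public Set<String> getNames() { return names; }
    }

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
            LdapContextFactory factory) throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        String bindName = principalSuffix == null ? username : username + principalSuffix;
        LdapContext ctx = null;
        Set<String> roles;
        try {
            // A successful bind verifies the password; the same context may then search.
            ctx = factory.getLdapContext(bindName, String.valueOf(upToken.getPassword()));
            roles = getRoleNamesForUser(username, ctx); // inherited memberOf -> role mapping
        } finally {
            LdapUtils.closeContext(ctx);
        }
        SimplePrincipalCollection principals = new SimplePrincipalCollection(username, getName());
        principals.add(new LdapRoles(roles), getName());
        return new SimpleAuthenticationInfo(principals, upToken.getPassword());
    }
    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory factory) {
        // No second bind and no credentials needed: roles were captured at login.
        LdapRoles roles = principals.oneByType(LdapRoles.class);
        return new SimpleAuthorizationInfo(roles == null ? Collections.<String>emptySet() : roles.getNames());
    }
}
```

Roles captured this way reflect group membership at login time, so a group change only takes effect at the user's next authentication.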