I didn’t give any manager account. And I doubt that without manager account it works that way.
I’ve browsed the source code: doGetAuthenticationInfo and doGetAuthorizationInfo are two relatively independent processes; they don’t use the same ldapContext.

On 16/8/22 10:15 PM, “Brian Demers” <brian.dem...@gmail.com> wrote:

>That is how it should work if you do not set the system user/password.
>Can you confirm that your configuration does not set them?
>
>On Mon, Aug 22, 2016 at 12:17 AM, vlhf刘海峰 <hf...@ctrip.com> wrote:
>> Hi all,
>>
>> As some AD forbid search operations with anonymous binding,
>> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm will fail to get
>> authorization info without a manager account. But, since the user has logged in
>> before, which means the user has bound successfully and is able to search over
>> LDAP, I'd prefer using the user’s account to search for its LDAP attributes,
>> and I think the manager account is totally unnecessary.
>>
>> There are at least two ways to achieve this, but both are blocked after reading
>> the source code:
>>
>> 1) search LDAP attributes right after binding:
>> Problem is there is no straightforward way to put roles into the authorization cache; related
>> methods are mostly private
>> 2) bind again while getting authorization info:
>> Problem is at this step the only information from authentication is
>> principals, no credentials
>>
>> I hope the Shiro dev team deals with this, or let me know if there is a better
>> solution.
>>
>> Thank you all.
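One way to implement the first option discussed in the thread (search the directory with the user's own bind, then carry the roles along in the principal collection so no private cache methods have to be touched), as an added example that is not part of the thread and not Shiro's own code. The class name `UserBindActiveDirectoryRealm` and the holder `LdapRoles` are hypothetical; it assumes the protected hooks of Shiro 1.x's `ActiveDirectoryRealm` (`queryForAuthenticationInfo`, `queryForAuthorizationInfo`, `getRoleNamesForUser`, `buildAuthorizationInfo`).

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Hypothetical realm: looks up roles with the user's own bind, so no manager account is needed. */
public class UserBindActiveDirectoryRealm extends ActiveDirectoryRealm {
    /** Hypothetical secondary principal that carries the roles found at login time. */
    public static final class LdapRoles implements Serializable {
        private final Set<String> roleNames;
        public LdapRoles(Set<String> roleNames) { this.roleNames = roleNames; }
        public Set<String> getRoleNames() { return roleNames; }
    }

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token,
            LdapContextFactory ldapContextFactory) throws NamingException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        LdapContext ctx = null;
        try {
            // Bind as the user; a wrong password throws here and authentication fails as before.
            ctx = ldapContextFactory.getLdapContext(upToken.getUsername(), String.valueOf(upToken.getPassword()));
            // Reuse that user-bound context for the group search while it is still open.
            Set<String> roles = getRoleNamesForUser(upToken.getUsername(), ctx);
            SimplePrincipalCollection principals = new SimplePrincipalCollection(upToken.getUsername(), getName());
            principals.add(new LdapRoles(roles), getName());
            return new SimpleAuthenticationInfo(principals, upToken.getPassword());
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }

    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory ldapContextFactory) throws NamingException {
        // No second bind and no manager account: the roles travel with the principals,
        // and the normal AuthorizingRealm cache still applies to the result.
        LdapRoles found = principals.oneByType(LdapRoles.class);
        Set<String> roles = found == null ? Collections.<String>emptySet() : found.getRoleNames();
        return buildAuthorizationInfo(roles);
    }
}
```

Whether the user-bound search actually returns group membership still depends on the directory's read permissions for ordinary accounts, which is the constraint the original post describes.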