LDAP Configuration with Shiro:

What is LDAP?

LDAP is Lightweight Directory Access Protocol. LDAP is a global directory service, industry-standard protocol, which is based on client-server model and runs on a layer

above the TCP/IP stack. The LDAP provides a facility to connect to, access, modify, and search the internet directory.The LDAP servers contain information which is organized in the

form of a directory tree. The clients ask server to provide information or to perform some operation on a particular information.

• Configuring LDAP with Shiro: By Default Shiro supports Ldap by using JndiLdapRealm API Class.

           import org.apache.shiro.realm.ldap.JndiLdapRealm;

Step 1: 

Create Custom Class and extends the JndiLdapRealm

public class LdapRealmSample extends JndiLdapRealm {

Step 2: 

Shiro will look for Realms configured when doing authentication .It will look for the Overridden doGetAuthenticationInfo for authenticating, so form your overridden method like this. 

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
super.setUserDnTemplate("cn={0}," + "userDn"); -> userDN-Directory Structure of the User .
super.setContextFactory(getUpdatedContextFactory()); -> Details Check Step 3.

try {
info = super.doGetAuthenticationInfo(token);
return info;
} catch (Exception e) {
e.printStackTrace();
}

Step 3: 

Setting Contect Factory to JndiLdapRealm:

Your JndiLdapRealm needs to configure with Ldap Server Details for Context, follow below steps to configure it.

           private JndiLdapContextFactory context;
           public JndiLdapContextFactory getUpdatedContextFactory() 

      {
           ->  context = new JndiLdapContextFactory();

• Authentication Mechanism to authenticate Ldap Server: Ldap supports three types of authentication: anonymous, simple and SASL authentication. A client that sends a LDAP request without doing a "bind" is treated as an anonymous client. Simple authentication consists of sending the LDAP server the fully qualified DN of the client (user) and the client's clear-text password. This mechanism has security problems because the password can be read from the network. To avoid exposing the password in this way, you can use the simple authentication mechanism within an encrypted channel (such as SSL), provided that this is supported by the LDAP server. 

         -> context.setAuthenticationMechanism(“mechanism”);

• HostName : Ldap Serve Installed machine hostname or ipaddress.
• PortNumber: Port Number where Ldap Server is running.

      Check your port where LDAP server is running. Using below command in Linux:

              ps -ef | grep -i ldap             -> String url = "ldap://" + hostName + ":"+ portNumber;
             context.setUrl(url);

• TimeOut: Time used to contact and Ldap Server and Authenticate,it wll be in milli seconds. 

          -> context.getEnvironment().put("com.sun.jndi.ldap.read.timeout",5000);

• UserName: User Name created while installing Ldap Server .

• Password: Password given for that User.UserName and Password represents the Ldap Server Level not User Level. 

       -> if(ldap.getSystemUserName() != null) {
      ->  context.setSystemUsername(userName);
       -> }
       ->if (ldap.getSystemUserPassword() != null) {
       -> context.setSystemPassword(password);
        ->}

• Whole Context factory Setup looks like:

      public JndiLdapContextFactory getUpdatedContextFactory() {

            context = new JndiLdapContextFactory(); 

            context.setAuthenticationMechanism(“mechanism”); 

            String url = "ldap://" + hostName + ":"+ portNumber;

            context.setUrl(url); 

            context.getEnvironment().put("com.sun.jndi.ldap.read.timeout", 5000);

           if (ldap.getSystemUserName() != null) {

           context.setSystemUsername(“UserName”); 

           }

             if (ldap.getSystemUserPassword() != null) { 

         context.setSystemPassword(“Password”);

          } 

         return context;

     } 

Thanks,

Pearl

Search Ldap Server Special User Attributes:

In LDAP Server ,if you create a user ,the user has many built  in attributes like dn,and cn.this properties can be retrieved from the Ldap server using any of the Java available Ldap Client Search Query . But several special attributes like group attributes ,ex:memberof can not be retreived from Ldap server using any Search queries. Because by default the special attributes are not available to the Clients search filter ,  so to retrieve the Special attributes via Ldap Client add the below lines in your Ldap Client Search Query.Here i am using Java available LDAP Supporting Client.


The classes used are imported from javax API.
//import javax.naming.directory.SearchControls;
//import javax.naming.directory.SearchResult;


Frame your Search Control as mentioned here:

                SearchControls searchControls = new SearchControls();
                searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                searchControls.setReturningAttributes(new String[] { "*", "+" });

 This will retreive all attributes including Special attributes like memberof and many attributes.

 Code to Search for All attributes from Ldap Server:
                     NamingEnumeration<SearchResult> resultData = context.getSystemLdapContext().search(getUserDn(userName), filterExpresssion, searchControls);
                     SearchResult result = resultData.next();
                     Attribute att = result.getAttributes().get("memberOf");


Any doubts add in comment.