CODEWITHSUNDEEP
javaldapshiro
user2602386
user2602386

Reputation: 130

Java- Retrieving permissions from LDAP for shiro

im trying to get the User Permissions (read, write, browse,...) for LDAP objects using a java application with shiro. I dont have much experience with LDAP. I set up a server with Apache Directory Studio for testing purpose. Then i created a domain (dc=testdomain) and added a subentry with the "accessControlSubentry" objectclass and added the "prescriptiveACI" attribute. Everthing works the way it should if i browse the server with Apache DS and i can connect to the server in my java app.

In order to get the permissions i subclassed the ActiveDirectoryRealm from shiro. But i cant manage to make the query get the subentrys. 

private Set<String> getPermissionsForUser(String username, LdapContext ldapContext) throws NamingException{
    Set<String> permissions;
    permissions = new LinkedHashSet<String>();

    SearchControls searchCtls = new SearchControls();
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    searchCtls.setReturningAttributes(new String[]{"prescriptiveACI"});

    String searchFilter = "(objectClass=subentry)";
    String searchBase = "dc=testdomain";
    NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);

    while (answer.hasMoreElements()) {
        SearchResult sr = (SearchResult) answer.next();
        if (log.isDebugEnabled()) {
            log.debug("Retrieving permissions for user [" + sr.getName() + "]");
        }

        Attributes attrs = sr.getAttributes();

        if (attrs != null) {
            NamingEnumeration ae = attrs.getAll();
            while (ae.hasMore()) {
                Attribute attr = (Attribute) ae.next();

                if (attr.getID().equals("prescriptiveACI")) {

                    if (log.isDebugEnabled()) {
                        log.debug("Permissions found");
                    }
                }
            }
        }
    }
    return permissions;

}

When I change the searchFilter to "(objectClass=*)" i get all the OrganisationUnits in the domain. But i just cant seem to find the subentry objects that i need for the prescriptiveACI attribute.

Here is the content of my Shiro.ini file

activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealmPermissions
activeDirectoryRealm.systemUsername = uid=admin,ou=system
activeDirectoryRealm.systemPassword = secret
activeDirectoryRealm.url = ldap://localhost:10389
activeDirectoryRealm.searchBase = ""

How can i make the search query subentries? Or is there a better/alternative way to get the permission from the LDAP server?

Upvotes: 3

Views: 1214

Answers (1)

Mike DiBaggio
Mike DiBaggio

Reputation: 143

So you want to find all instances of accessControlSubentry objects with a prescriptiveACI attribute?

Try this:

(&(objectClass=accessControlSubentry)(prescriptiveACI=*))

Upvotes: 1

Related Questions