Typically the AD main.ldapRealm.userDnTemplate value looks slightly different than OpenLDAP. The value for main.ldapRealm.userDnTemplate is only required if AD authentication requires the full User DN.

	Note
	If Active Directory allows authentication based on the Common Name (CN) and password only, then no value will be required for main.ldapRealm.userDnTemplate.

<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
    </param>
    <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>cn={0},ou=people,dc-apache,dc=org</value>
    </param>
    <param>
        <name>main.ldapRealmcontextFactory.url</name>
        <value>ldap://localhost:389</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanis</name>
        <value>simple</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authBasic</value>
    </param>
</provider>