Tomcat 4: How to get RoleName from LDAP

2004-05-17 Thread Goerlich, Michael
Hi,
In my environment I want to authenticate the users against MS Active
Directory by JNDI LDAP. The user authentication is ok and also the roles
found by getRoles() are the right ones. But the returned roles are given
in their complete distinguished name (DN).

In catalina.out:
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
instead of
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role ERKUSAAdmin

So I have to configure the full DN in web.xml for a security-constraint
instead of the pure role name, which is highly undesirable. I run this
on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 works.

For completion, here is my realm config (user- and rolebase are the
same):

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="..."   <!-- substituted -->
       userBase="CN=Users,dc=local,dc=bremereb,dc=de"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
       roleName="cn"
       roleSearch="member={0}"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="secret"
       roleSubtree="true"
       userSubtree="true" />

Can anybody tell me how to get the pure assigned role names for an
authenticated user?
Thanks

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Tomcat 4: How to get RoleName from LDAP

2004-05-17 Thread Goerlich, Michael
Hi Shane,
thanks for your remarks that shows me that there is probably no solution by 
configuration. So I have to decide to implement my own realm security manager or 
migrate to Tomcat 5.

What Tomcat 5.0.24 does is return both the DN and the role name, so you get
twice the number of roles per user defined in the LDAP tree. Dysfunction or rationale?

Thanks in advance
Michael

-Original Message-
From: Shane Linley [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 May 2004 09:58
To: Tomcat Users List
Subject: RE: Tomcat 4: How to get RoleName from LDAP


The way that the JNDIRealm works is dependent on its implementation. Unless there is a 
configuration item for Tomcat 4.1.27 that allows the comparison to be done on the role 
name attribute (CN in this case) then you will have to put the full distinguished name 
into the configuration. I had a quick look at the JNDIRealm doco and I didn't see 
anything in there that would allow this.

It is strange however that the 4.1.27 implementation takes the roleName attribute that 
would be used in such a comparison and doesn't use it in the way that might be 
expected. Because otherwise there is no point in specifying the roleName attribute as 
its not required to determine membership of a user to a group through an LDAP search. 
Of course the doco says its used as a flag as to whether the userRoleName is used 
instead.

I would imagine that the rationale of this implementation to use the DN is that the DN 
is unambiguous and would cater for a strongly hierarchical LDAP tree that may have 
groups of the same name under different branches, from the starting point of the LDAP 
search.

Another option of course is to compile your own Tomcat with the required change to the 
code or implement your own realm security manager. But that's a bit more work :)

But without looking at the source, which I don't have time for, I can only speculate!

Regards,
Shane.

-Original Message-
From: Goerlich, Michael [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 May 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: Tomcat 4: How to get RoleName from LDAP


Hi,
In my environment I want to authenticate the users against MS Active Directory by JNDI 
LDAP. The user authentication is ok and also the roles found by getRoles() are the 
right ones. But the returned roles are given in their complete distinguished name (DN).

In catalina.out:
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role 
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
instead of
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role ERKUSAAdmin

So I have to configure the full DN in web.xml for a security-constraint instead of 
the pure role name, which is highly undesirable. I run this on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 works.

For completion, here is my realm config (user- and rolebase are the
same):

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="..."   <!-- substituted -->
       userBase="CN=Users,dc=local,dc=bremereb,dc=de"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
       roleName="cn"
       roleSearch="member={0}"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="secret"
       roleSubtree="true"
       userSubtree="true" />

Can anybody tell me how to get the pure assigned role names for an authenticated user? 
Thanks


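The following is an added example, not code from this thread, from Tomcat or from anyone posting here. It does in Python what Michael wants the realm to do: reduce the role DNs that the 4.1.27 log reports ("Found role CN=ERKUSAAdmin,CN=Users,...") to the bare cn that Tomcat 5 reports, and it makes Shane's caveat concrete by flagging cn values that occur under more than one branch of the role base, since once roles are granted by bare name those groups become indistinguishable in web.xml. It also reproduces the filter escaping visible in the Tomcat 5 log line ('member=CN=Goerlich\5c, Michael,...'). The user and role DNs are copied from the posted logs; the second "manager" group under OU=Finance is constructed for the ambiguity check, and the helper names are mine, not Tomcat's.

```python
"""Added example (not from the thread or from Tomcat): map the role DNs that
the Tomcat 4.1.27 JNDIRealm log shows to bare cn values as Tomcat 5 logs them,
flag cn values shared by several groups, and escape a user DN for the
member={0} role-search filter the way the Tomcat 5 log shows ('\\' -> '\\5c')."""
import string
from collections import defaultdict

# Copied from the posted catalina.out lines.
USER_DN = r"CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de"
ROLE_DNS = [
    "CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=manager,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de",
]
# Constructed (not in the thread): a second group with the same cn in another
# branch that roleSubtree="true" would also find.
CONSTRUCTED_DUPLICATE = "CN=manager,OU=Finance,DC=local,DC=bremereb,DC=de"


def _is_hex_pair(s):
    return len(s) == 2 and all(c in string.hexdigits for c in s)


def split_dn(dn):
    """Split an RFC 2253 string DN into (attr, value) pairs, left to right.
    Handles '\\,' escapes and '\\5c' hex escapes, which is what makes
    'CN=Goerlich\\, Michael,CN=Users,...' a five-RDN DN rather than six."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if _is_hex_pair(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def role_name_from_dn(role_dn):
    """The bare cn of the group, i.e. what web.xml <role-name> should hold."""
    attr, value = split_dn(role_dn)[0]
    if attr != "cn":
        raise ValueError("leftmost RDN of %r is not cn" % role_dn)
    return value


def collapse_roles(role_dns):
    """Map role DNs to bare names. Returns (sorted names, ambiguous), where
    ambiguous lists every name claimed by more than one DN: granting by bare
    cn would give all of those groups the same web.xml role."""
    by_name = defaultdict(list)
    for dn in role_dns:
        by_name[role_name_from_dn(dn)].append(dn)
    ambiguous = {n: dns for n, dns in by_name.items() if len(dns) > 1}
    return sorted(by_name), ambiguous


def has_role(granted, web_xml_role):
    """Plain string comparison, as the realm does against <role-name>."""
    return web_xml_role in granted


def escape_filter_value(value):
    """RFC 2254 escaping for a value interpolated into a search filter:
    '\\', '*', '(', ')' and NUL become \\5c, \\2a, \\28, \\29, \\00."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def role_search_filter(user_dn, template="member={0}"):
    """roleSearch from server.xml with {0} replaced by the escaped user DN.
    Reproduces the Tomcat 5 log line 'member=CN=Goerlich\\5c, Michael,...'."""
    return template.replace("{0}", escape_filter_value(user_dn))


if __name__ == "__main__":
    print("4.1.27 style, roles held as DNs:", has_role(ROLE_DNS, "ERKUSAAdmin"))
    names, ambiguous = collapse_roles(ROLE_DNS + [CONSTRUCTED_DUPLICATE])
    print("bare role names:", names)
    print("has ERKUSAAdmin after mapping to cn:", has_role(names, "ERKUSAAdmin"))
    print("cn values claimed by more than one group:", ambiguous)
    print("role search filter:", role_search_filter(USER_DN))
```

If roles are reduced to bare names this way, whether by post-processing or in a custom realm, a duplicate cn is better treated as a configuration error than silently merged: with roleSubtree="true", any group carrying a matching cn anywhere under roleBase would otherwise confer that web.xml role, which is exactly the ambiguity Shane gives as the reason for comparing on the DN.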


Tomcat 4: JNDI LDAP - Can't get single role name

2004-05-13 Thread Goerlich, Michael
Hello Tomcat-Users,

I've got a problem and I don't know if it's my lack (...but I've already
scanned this list).

In my environment I want to authenticate the users against MS AD by JNDI
LDAP. The user authentication is ok and also the roles found by
getRoles() are the right ones. But the returned roles are given in the
complete distinguished name (DN) of the role (i.e.
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de) instead of the
single role name (attribute cn) (i.e. ERKUSAAdmin), so I have to
configure the full DN in web.xml for a security-constraint, which is very
undesirable:

Log in catalina.out (tomcat 4.1.7):

2004-05-13 11:33:44 JNDIRealm[Standalone]:   Searching for goerlich
2004-05-13 11:33:44 JNDIRealm[Standalone]:   base:
CN=Users,dc=local,dc=bremereb,dc=de  filter: (sAMAccountName=goerlich)
2004-05-13 11:33:44 JNDIRealm[Standalone]:   entry found for goerlich
with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   retrieving values for
attribute memberOf
2004-05-13 11:33:44 JNDIRealm[Standalone]:   validating credentials by
binding as the user
2004-05-13 11:33:44 JNDIRealm[Standalone]:   binding as CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich
successfully authenticated
2004-05-13 11:33:44 JNDIRealm[Standalone]:   getRoles(CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Searching role base
'CN=Users,dc=local,dc=bremereb,dc=de' for attribute 'cn'
2004-05-13 11:33:44 JNDIRealm[Standalone]:   With filter expression
'member=CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Returning 7 roles
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich has role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT
have role ERKUSAAdmin
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT
have role ERKUSAVerwalter
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT
have role ERKUSAAdmin

My configured JNDI-realm in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="..."   <!-- substituted -->
       userBase="CN=Users,dc=local,dc=bremereb,dc=de"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
       roleName="cn"
       roleSearch="member={0}"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="secret"
       roleSubtree="true"
       userSubtree="true" />

I run this on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 returns 14
roles (for the given example), which works for me, but I need that
functionality in tomcat 4:

Log in catalina.out (tomcat 5.0.24)

2004-05-13 11:59:31 JNDIRealm[Catalina]:   Searching for goerlich
2004-05-13 11:59:31 JNDIRealm[Catalina]:   base:
CN=Users,dc=local,dc=bremereb,dc=de  filter: (sAMAccountName=goerlich)
2004-05-13 11:59:31 JNDIRealm[Catalina]:   entry found for goerlich with
dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute memberOf
2004-05-13 11:59:31 JNDIRealm[Catalina]:   validating credentials by
binding as the user
2004-05-13 11:59:31 JNDIRealm[Catalina]:   binding as CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Username goerlich successfully
authenticated
2004-05-13 11:59:31 JNDIRealm[Catalina]:   getRoles(CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Searching role base
'CN=Users,DC=local,DC=bremereb,DC=de' for attribute 'cn'
2004-05-13 11:59:31 JNDIRealm[Catalina]:   With filter expression
'member=CN=Goerlich\5c, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute