Tomcat 4: How to get RoleName from LDAP
Hi,

In my environment I want to authenticate the users against MS Active Directory by JNDI LDAP. The user authentication is OK and also the roles found by getRoles() are the right ones. But the returned roles are given in their complete distinguished name (DN). In catalina.out:

    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de

instead of

    2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role ERKUSAAdmin

So I have to configure the full DN in web.xml for a security-constraint instead of the pure role name, which is highly undesirable. I run this on Tomcat 4.1.27. The funny thing is that the same configuration on Tomcat 5 works.

For completion, here is my realm config (user- and rolebase are the same):

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="..." (substituted)
           userBase="CN=Users,dc=local,dc=bremereb,dc=de"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
           roleName="cn"
           roleSearch="member={0}"
           connectionName="[EMAIL PROTECTED]"
           connectionPassword="secret"
           roleSubtree="true"
           userSubtree="true" />

Can anybody tell me how to get the pure assigned role names for an authenticated user?

Thanks

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
AW: Tomcat 4: How to get RoleName from LDAP
Hi Shane,

thanks for your remarks, that shows me that there is probably no solution by configuration. So I have to decide to implement my own realm security manager or migrate to Tomcat 5. What Tomcat 5.0.24 does is the return of both, the DN and the role name, so you get the double amount of roles per user defined in the LDAP tree. Dysfunction or rationale?

Thanks in advance
Michael

-Original Message-
From: Shane Linley [mailto:[EMAIL PROTECTED]]
Sent: Monday, 17 May 2004 09:58
To: Tomcat Users List
Subject: RE: Tomcat 4: How to get RoleName from LDAP

The way that the JNDIRealm works is dependent on its implementation. Unless there is a configuration item for Tomcat 4.1.27 that allows the comparison to be done on the role name attribute (CN in this case), then you will have to put the full distinguished name into the configuration. I had a quick look at the JNDIRealm doco and I didn't see anything in there that would allow this.

It is strange however that the 4.1.27 implementation takes the roleName attribute that would be used in such a comparison and doesn't use it in the way that might be expected. Because otherwise there is no point in specifying the roleName attribute, as it's not required to determine membership of a user to a group through an LDAP search. Of course the doco says it's used as a flag as to whether the userRoleName is used instead.

I would imagine that the rationale of this implementation to use the DN is that the DN is unambiguous and would cater for a strongly hierarchical LDAP tree that may have groups of the same name under different branches, from the starting point of the LDAP search.

Another option of course is to compile your own Tomcat with the required change to the code or implement your own realm security manager. But that's a bit more work :) But without looking at the source, which I don't have time for!, I can only speculate!

Regards,
Shane.
-Original Message-
From: Goerlich, Michael [mailto:[EMAIL PROTECTED]]
Sent: Monday, 17 May 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: Tomcat 4: How to get RoleName from LDAP
Tomcat 4: JNDI LDAP - Can't get single role name
Hello Tomcat-Users,

I've got a problem and I don't know if it's my lack (...but I've already scanned this list). In my environment I want to authenticate the users against MS AD by JNDI LDAP. The user authentication is OK and also the roles found by getRoles() are the right ones. But the returned roles are given in the complete distinguished name (DN) of the role (i.e. CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de) instead of the single role name (attribute cn) (i.e. ERKUSAAdmin), so I have to configure the full DN in web.xml for a security-constraint, which is very undesirable:

Log in catalina.out (tomcat 4.1.7):

    2004-05-13 11:33:44 JNDIRealm[Standalone]: Searching for goerlich
    2004-05-13 11:33:44 JNDIRealm[Standalone]: base: CN=Users,dc=local,dc=bremereb,dc=de filter: (sAMAccountName=goerlich)
    2004-05-13 11:33:44 JNDIRealm[Standalone]: entry found for goerlich with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: retrieving values for attribute memberOf
    2004-05-13 11:33:44 JNDIRealm[Standalone]: validating credentials by binding as the user
    2004-05-13 11:33:44 JNDIRealm[Standalone]: binding as CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich successfully authenticated
    2004-05-13 11:33:44 JNDIRealm[Standalone]: getRoles(CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de)
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Searching role base 'CN=Users,dc=local,dc=bremereb,dc=de' for attribute 'cn'
    2004-05-13 11:33:44 JNDIRealm[Standalone]: With filter expression 'member=CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Returning 7 roles
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich has role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
    2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAAdmin
    2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAVerwalter
    2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAAdmin

My configured JNDI-realm in server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="..." (substituted)
           userBase="CN=Users,dc=local,dc=bremereb,dc=de"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
           roleName="cn"
           roleSearch="member={0}"
           connectionName="[EMAIL PROTECTED]"
           connectionPassword="secret"
           roleSubtree="true"
           userSubtree="true" />

I run this on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 returns 14 roles (for the given example), which works for me, but I need that functionality in tomcat 4:

Log in catalina.out (tomcat 5.0.24)

    2004-05-13 11:59:31 JNDIRealm[Catalina]: Searching for goerlich
    2004-05-13 11:59:31 JNDIRealm[Catalina]: base: CN=Users,dc=local,dc=bremereb,dc=de filter: (sAMAccountName=goerlich)
    2004-05-13 11:59:31 JNDIRealm[Catalina]: entry found for goerlich with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
    2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute memberOf
    2004-05-13 11:59:31 JNDIRealm[Catalina]: validating credentials by binding as the user
    2004-05-13 11:59:31 JNDIRealm[Catalina]: binding as CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
    2004-05-13 11:59:31 JNDIRealm[Catalina]: Username goerlich successfully authenticated
    2004-05-13 11:59:31 JNDIRealm[Catalina]: getRoles(CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de)
    2004-05-13 11:59:31 JNDIRealm[Catalina]: Searching role base 'CN=Users,DC=local,DC=bremereb,DC=de' for attribute 'cn'
    2004-05-13 11:59:31 JNDIRealm[Catalina]: With filter expression 'member=CN=Goerlich\5c, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
    2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
    2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
    2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
    2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
    2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute
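The DN-to-cn mapping that both threads above are missing, as an added Python illustration of what a custom realm or a role-mapping step would have to do (this is not Tomcat's JNDIRealm code and not from either poster; function names and the sample lists are constructed here, the DNs are the ones quoted in the logs). It also shows the RFC 2254 filter escaping that turns the `\,` in the user DN into the `\5c,` seen in the Tomcat 5 filter line, and collapses a Tomcat 5 style list that carries both the DN and the cn of every group back to unique short names.

```python
def parse_dn(dn):
    """RFC 2253 DN -> [(attr, value)]; '\\,' stays inside the value (cf. 'Goerlich\\, Michael')."""
    pairs, buf, attr, i = [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):        # escaped char: take it literally
            buf.append(dn[i + 1]); i += 2
            continue
        if c == '=' and attr is None:            # end of the attribute type
            attr, buf = ''.join(buf).strip(), []
        elif c == ',':                           # end of this RDN
            pairs.append((attr, ''.join(buf).strip())); attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    pairs.append((attr, ''.join(buf).strip()))
    return pairs

def short_role_name(role, role_attr='cn'):
    """First RDN value whose type is roleName (cn); a bare name like 'ERKUSAAdmin' passes through."""
    for attr, value in parse_dn(role):
        if attr is not None and attr.lower() == role_attr.lower():
            return value
    return role

def escape_filter_value(value):
    """RFC 2254 escaping for a value put into roleSearch 'member={0}'; '\\,' in a DN becomes '\\5c,'."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def has_role(roles, wanted, role_attr='cn'):
    """Case-sensitive, like Tomcat's comparison against web.xml role-name values."""
    return any(short_role_name(r, role_attr) == wanted for r in roles)

def unique_short_roles(roles, role_attr='cn'):
    """Collapse a list that carries DN and cn for every group to unique short names."""
    seen = []
    for r in roles:
        name = short_role_name(r, role_attr)
        if name not in seen:
            seen.append(name)
    return seen

# Constructed sample input: DNs quoted in the Tomcat 4.1.27 log above.
USER_DN = 'CN=Goerlich\\, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
ROLE_DNS = ['CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de',
            'CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de',
            'CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de']
```

With these inputs `has_role(ROLE_DNS, 'ERKUSAAdmin')` is true while `has_role(ROLE_DNS, 'ERKUSAVerwalter')` is false, mirroring the case-sensitive "does NOT have role" lines in the log.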