Re: Re[3]: Roles in JNDIRealms
Hi Jon, thanks for your help. I've tested the group and groupOfUniqueNames objectclasses and JNDIRealm works properly.

Thanks again,
Cristina

--- Jonathan Eric Miller [EMAIL PROTECTED] wrote:

> I think you can use whatever objectClass you want. The only filter that it uses for finding roles is the string that you set roleSearch to.
>
> Jon
>
> ----- Original Message -----
> From: Cristina Perez Sanchez [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Sent: Tuesday, June 11, 2002 3:36 AM
> Subject: Re: Re[3]: Roles in JNDIRealms
>
> Hi, first, thanks for your answers. I would like to ask another question. I use Tomcat 4.0.3 and so I have to set roleSearch and create group objects that contain the DNs of the users associated to them. Which objectclass must these group entries have? The groupOfUniqueNames objectclass? The group class? Are both valid?
>
> Thanks,
> Cristina
>
> --- Jonathan Eric Miller [EMAIL PROTECTED] wrote:
>
> Jacob, I'm happy to say that there is a new bind-as-user mode in Tomcat 4.1.3 which verifies the user password by binding as them to the directory, rather than querying the directory for the password. You are correct, previously it wouldn't work with Active Directory (as well as any other directory that didn't store its passwords in the specific format that Tomcat wanted), but now it does. Now, if you don't set the userPassword attribute, it operates in bind-as-user mode. They haven't updated the main end-user documentation on JNDIRealm yet, but if you look at the Catalina developer docs, you'll see what I'm referring to if you look at the JNDIRealm class.
>
> Jon
>
> ----- Original Message -----
> From: Ryan [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]; Jacob Kjome [EMAIL PROTECTED]
> Sent: Monday, June 10, 2002 4:55 PM
> Subject: Re: Re[2]: Roles in JNDIRealms
>
> Jacob, I took a quick look at the source, but it looks like the passwords are digested here also (i.e. it will not work with Active Directory). From what I understand, with AD the authentication has to be done _on_ the server.
>
> Thanks,
> Ryan
>
> --- Jacob Kjome [EMAIL PROTECTED] wrote:
>
> Hello Ryan,
>
> Check this out: http://www.peacetech.com/java/files/apache/tomcat/
>
> I haven't used it (nor have I used JNDIRealm at all so far), but I grab stuff that looks like useful info off the list and put it in my Vault (http://www.personalmicrocosms.com/) from time to time. Hopefully it is useful for you.
>
> Jake
>
> Monday, June 10, 2002, 3:18:15 PM, you wrote:
>
> Jonathan,
>
> This is sort of off subject, but does your Active Directory setup work for Authentication?? It seems to me that it wouldn't since there is no userPassword attribute in AD, but I am hoping I'm wrong.
>
> Thanks,
> Ryan
>
> --- Jonathan Eric Miller [EMAIL PROTECTED] wrote:
>
> If you are using Tomcat 4.1.3, there are two modes that you can use for checking roles. If you set roleSearch, it will search for group objects that contain a list of users for each group. If you set userRoleName, it will get the group information out of the user's entry instead, i.e. you don't need separate group objects.
>
> If you are using Active Directory, I found that you can use a setup similar to the following. This goes in server.xml:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            connectionName="myadminuser@mydomain"
>            connectionPassword="myadminpassword"
>            connectionURL="ldap://mydomaincontroller"
>            userBase="cn=Users, dc=mydomain"
>            userRoleName="memberOf"
>            userSearch="(userPrincipalName={0}@mydomain)"/>
>
> Group membership is stored in an attribute named memberOf in Active Directory. myadminuser doesn't really have to be an admin user in AD. It just has to have read permission to the memberOf attribute, which is visible to normal user accounts by default.
>
> This goes in web.xml:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Tomcat</web-resource-name>
>         <url-pattern>/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>
> === message truncated ===
Re: Re[3]: Roles in JNDIRealms
Hi, first, thanks for your answers. I would like to ask another question. I use Tomcat 4.0.3 and so I have to set roleSearch and create group objects that contain the DNs of the users associated to them. Which objectclass must these group entries have? The groupOfUniqueNames objectclass? The group class? Are both valid?

Thanks,
Cristina

--- Jonathan Eric Miller [EMAIL PROTECTED] wrote:

> If you are using Tomcat 4.1.3, there are two modes that you can use for checking roles. If you set roleSearch, it will search for group objects that contain a list of users for each group. If you set userRoleName, it will get the group information out of the user's entry instead, i.e. you don't need separate group objects.
>
> If you are using Active Directory, I found that you can use a setup similar to the following. This goes in server.xml:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            connectionName="myadminuser@mydomain"
>            connectionPassword="myadminpassword"
>            connectionURL="ldap://mydomaincontroller"
>            userBase="cn=Users, dc=mydomain"
>            userRoleName="memberOf"
>            userSearch="(userPrincipalName={0}@mydomain)"/>
>
> Group membership is stored in an attribute named memberOf in Active Directory. myadminuser doesn't really have to be an admin user in AD. It just has to have read permission to the memberOf attribute, which is visible to normal user accounts by default.
>
> This goes in web.xml:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Tomcat</web-resource-name>
>         <url-pattern>/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
>       </auth-constraint>
>     </security-constraint>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Tomcat</realm-name>
>     </login-config>
>
> In the above example, I created a group in the Users container named Tomcat. If you want to see how things are organized in Active Directory, you can use LDIFDE to dump the directory into an LDIF file. That's how I figured it out.
>
> Jon
>
> ----- Original Message -----
> From: Cristina Perez Sanchez [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, June 10, 2002 9:10 AM
> Subject: Roles in JNDIRealms
>
> Hi, could anyone tell me what objectclass the group entries that represent roles associated to users in JNDIRealms must have?? I use groupOfUniqueNames as objectclass, but I would like to know if the objectclass group is more proper or if the objectclass isn't relevant.
>
> Thanks in advance,
> Cristina
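The two role-lookup modes Jon describes, written out side by side as an added server.xml example (not configuration from the thread): the roleSearch form for separate group entries like Cristina's groupOfUniqueNames groups, and the userRoleName form for Active Directory's memberOf. The ldap.example.com host, the dc=example,dc=com tree and the tomcat-reader account are constructed placeholders; the AD values are Jon's own placeholders from above.

```xml
<!-- Mode 1: roles held in separate group entries (what Tomcat 4.0.3 requires).
     Only roleSearch is consulted: {0} is replaced by the authenticated user's
     DN and {1} by the username, so the group's objectClass never matters.
     Constructed placeholders: ldap.example.com, the dc=example,dc=com tree,
     and the tomcat-reader service account. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat-reader,ou=services,dc=example,dc=com"
       connectionPassword="REPLACE_ME"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false"/>
<!-- With a groupOfUniqueNames entry such as
       dn: cn=tomcat-users,ou=groups,dc=example,dc=com
       uniqueMember: uid=cristina,ou=people,dc=example,dc=com
     the role seen by web.xml is the value of roleName, i.e. "tomcat-users".
     An entry of objectClass "group" works the same way once roleSearch
     names its membership attribute instead, e.g. "(member={0})". -->

<!-- Mode 2: roles read from the user's own entry (Jon's Active Directory setup).
     userRoleName names the multi-valued attribute holding the group DNs, so no
     roleSearch is needed. userPassword is deliberately left unset so that, on
     Tomcat 4.1.3, the realm binds to the directory as the user instead of
     trying to read a password attribute AD does not expose. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://mydomaincontroller"
       connectionName="myadminuser@mydomain"
       connectionPassword="myadminpassword"
       userBase="cn=Users,dc=mydomain"
       userSearch="(userPrincipalName={0}@mydomain)"
       userRoleName="memberOf"/>
<!-- Here each role is the full group DN, which is why Jon's web.xml names
       <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
     rather than a short group name. -->
```

Only one Realm element belongs inside a given Engine, Host or Context; the two are shown together to contrast the attributes each mode needs.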
Re: Re[3]: Roles in JNDIRealms
I think you can use whatever objectClass you want. The only filter that it uses for finding roles is the string that you set roleSearch to.

Jon

----- Original Message -----
From: Cristina Perez Sanchez [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 3:36 AM
Subject: Re: Re[3]: Roles in JNDIRealms

> Hi, first, thanks for your answers. I would like to ask another question. I use Tomcat 4.0.3 and so I have to set roleSearch and create group objects that contain the DNs of the users associated to them. Which objectclass must these group entries have? The groupOfUniqueNames objectclass? The group class? Are both valid?
>
> Thanks,
> Cristina