Re: Re[3]: Roles in JNDIRealms

2002-06-12 Thread Cristina Perez Sanchez

Hi Jon,

thanks for your help. I've tested group and
groupOfUniqueNames objectclass and JNDIRealm works
properly.

Thanks again,

Cristina

--- Jonathan Eric Miller [EMAIL PROTECTED]
wrote:
 I think you can use whatever objectClass you want. The only filter that it
 uses for finding roles is the string that you set roleSearch to.
 
 Jon
 
 - Original Message -
 From: Cristina Perez Sanchez [EMAIL PROTECTED]
 To: Tomcat Users List
 [EMAIL PROTECTED]
 Sent: Tuesday, June 11, 2002 3:36 AM
 Subject: Re: Re[3]: Roles in JNDIRealms
 
 
  Hi,
 
  first, thanks for your answers.
 
  I would like to ask another question. I use Tomcat
  4.0.3 and so I have to set roleSearch and create group
  objects that contain the DNs of users associated to.
  Which objectclass must be these group entries?
  groupOfUniqueNames objectclass? group class? Are both
  valid?
 
 
  Thanks,
 
  Cristina
 
 
  --- Jonathan Eric Miller [EMAIL PROTECTED]
  wrote:
   Jacob,
  
   I'm happy to say that there is a new bind as user
   mode in Tomcat 4.1.3 which verifies the user password
   by binding as them to the directory, rather than
   querying the directory for the password. You are
   correct, previously it wouldn't work with Active
   Directory (as well as any other directory that didn't
   store its passwords in the specific format that Tomcat
   wanted), but now it does. Now, if you don't set the
   userPassword attribute, it operates in bind as user
   mode. They haven't updated the main end-user
   documentation on JNDIRealm yet, but if you look at the
   Catalina developer docs, you'll see what I'm referring
   to if you look at the JNDIRealm class.
  
   Jon
  
   - Original Message -
   From: Ryan [EMAIL PROTECTED]
   To: Tomcat Users List
   [EMAIL PROTECTED]; Jacob Kjome
   [EMAIL PROTECTED]
   Sent: Monday, June 10, 2002 4:55 PM
   Subject: Re: Re[2]: Roles in JNDIRealms
  
  
    Jacob,
    I took a quick look at the source, but it looks like
    the passwords are digested here also (i.e. will not
    work with Active Directory). From what I understand,
    with AD the authentication has to be done _on_ the
    server.
    Thanks,
    Ryan
   
--- Jacob Kjome [EMAIL PROTECTED] wrote:
     Hello Ryan,

     Check this out:

     http://www.peacetech.com/java/files/apache/tomcat/

     I haven't used it (nor have I used JNDIRealm at all
     so far), but I grab stuff that looks like useful info
     off the list and put it in my Vault
     ( http://www.personalmicrocosms.com/ ) from time to
     time. Hopefully it is useful for you.

     Jake

     Monday, June 10, 2002, 3:18:15 PM, you wrote:

     R Jonathan,
     R This is sort of off subject, but does your Active
     R Directory setup work for Authentication?? It seems to
     R me that it wouldn't since there is no userPassword
     R attribute in AD, but I am hoping I'm wrong.
     R Thanks,
     R Ryan

 R --- Jonathan Eric Miller
   [EMAIL PROTECTED]
 R wrote:
      If you are using Tomcat 4.1.3, there are two modes
      that you can use for checking roles. If you set
      roleSearch, it will search for group objects that
      contain a list of users for each group. If you set
      userRoleName, it will get the group information out
      of the user's entry instead, i.e. you don't need
      separate group objects.

      If you are using Active Directory, I found that you
      can use a setup similar to the following.
 
      This goes in server.xml,

      <Realm
          className="org.apache.catalina.realm.JNDIRealm"
          debug="99"
          connectionName="myadminuser@mydomain"
          connectionPassword="myadminpassword"
          connectionURL="ldap://mydomaincontroller"
          userBase="cn=Users, dc=mydomain"
          userRoleName="memberOf"
          userSearch="(userPrincipalName={0}@mydomain)"/>
 
      Group membership is stored in an attribute named
      memberOf in Active Directory. myadminuser doesn't
      really have to be an admin user in AD. It just has
      to have read permission to the memberOf attribute,
      which is visible to normal user accounts by default.
 
      This goes in web.xml,

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Tomcat</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>

=== message truncated ===



--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
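The roleSearch point Jon makes above, as an added illustration that is not from the thread: two Tomcat 4.x JNDIRealm configurations for server.xml, one for groupOfUniqueNames group entries and one for objectClass group entries, differing only in the roleSearch filter. Hostnames, DNs and the tomcat-reader account are placeholders.

```xml
<!-- Added example, not from the thread: two JNDIRealm variants for server.xml
     (Tomcat 4.x attribute names). The realm never checks the group entry's
     objectClass; it only runs roleSearch under roleBase and reads roleName
     from each matching entry. In roleSearch, {0} is replaced with the
     authenticated user's DN and {1} with the plain username.
     Hostnames, DNs and the tomcat-reader account are placeholders. -->

<!-- Variant A: groups are groupOfUniqueNames entries, with members listed as
     uniqueMember: <user DN> -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.internal"
       connectionName="cn=tomcat-reader,ou=service,dc=example,dc=internal"
       connectionPassword="REPLACE-WITH-READ-ONLY-ACCOUNT-PASSWORD"
       userBase="ou=people,dc=example,dc=internal"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=internal"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false" />

<!-- Variant B: groups are objectClass "group" entries (the Active Directory
     style Jon describes), with members listed as member: <user DN>.
     Only the attribute inside the roleSearch filter changes. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.internal"
       connectionName="cn=tomcat-reader,ou=service,dc=example,dc=internal"
       connectionPassword="REPLACE-WITH-READ-ONLY-ACCOUNT-PASSWORD"
       userBase="ou=people,dc=example,dc=internal"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=internal"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="false" />

<!-- Both variants omit userPassword on purpose: on Tomcat 4.1.3 and later
     that selects the bind-as-user mode described in the thread, so the
     realm never reads a stored credential. The tomcat-reader account only
     needs read access to the user and group subtrees, nothing more. -->
```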




Re: Re[3]: Roles in JNDIRealms

2002-06-11 Thread Cristina Perez Sanchez

Hi,

first, thanks for your answers.

I would like to ask another question. I use Tomcat
4.0.3 and so I have to set roleSearch and create group
objects that contain the DNs of users associated to.
Which objectclass must be these group entries?
groupOfUniqueNames objectclass? group class? Are both
valid?


Thanks,

Cristina


--- Jonathan Eric Miller [EMAIL PROTECTED]
wrote:
 Jacob,
 
 I'm happy to say that there is a new bind as user
 mode in Tomcat 4.1.3 which verifies the user password
 by binding as them to the directory, rather than
 querying the directory for the password. You are
 correct, previously it wouldn't work with Active
 Directory (as well as any other directory that didn't
 store its passwords in the specific format that Tomcat
 wanted), but now it does. Now, if you don't set the
 userPassword attribute, it operates in bind as user
 mode. They haven't updated the main end-user
 documentation on JNDIRealm yet, but if you look at the
 Catalina developer docs, you'll see what I'm referring
 to if you look at the JNDIRealm class.
 
 Jon
 
 - Original Message -
 From: Ryan [EMAIL PROTECTED]
 To: Tomcat Users List
 [EMAIL PROTECTED]; Jacob Kjome
 [EMAIL PROTECTED]
 Sent: Monday, June 10, 2002 4:55 PM
 Subject: Re: Re[2]: Roles in JNDIRealms
 
 
  Jacob,
  I took a quick look at the source, but it looks like
  the passwords are digested here also (i.e. will not
  work with Active Directory). From what I understand,
  with AD the authentication has to be done _on_ the
  server.
  Thanks,
  Ryan
 
  --- Jacob Kjome [EMAIL PROTECTED] wrote:
   Hello Ryan,

   Check this out:

   http://www.peacetech.com/java/files/apache/tomcat/

   I haven't used it (nor have I used JNDIRealm at all
   so far), but I grab stuff that looks like useful info
   off the list and put it in my Vault
   ( http://www.personalmicrocosms.com/ ) from time to
   time. Hopefully it is useful for you.

   Jake

   Monday, June 10, 2002, 3:18:15 PM, you wrote:
  
   R Jonathan,
   R This is sort of off subject, but does your Active
   R Directory setup work for Authentication?? It seems to
   R me that it wouldn't since there is no userPassword
   R attribute in AD, but I am hoping I'm wrong.
   R Thanks,
   R Ryan
  
   R --- Jonathan Eric Miller
 [EMAIL PROTECTED]
   R wrote:
If you are using Tomcat 4.1.3, there are two modes
that you can use for checking roles. If you set
roleSearch, it will search for group objects that
contain a list of users for each group. If you set
userRoleName, it will get the group information out
of the user's entry instead, i.e. you don't need
separate group objects.

If you are using Active Directory, I found that you
can use a setup similar to the following.
   
This goes in server.xml,

<Realm
    className="org.apache.catalina.realm.JNDIRealm"
    debug="99"
    connectionName="myadminuser@mydomain"
    connectionPassword="myadminpassword"
    connectionURL="ldap://mydomaincontroller"
    userBase="cn=Users, dc=mydomain"
    userRoleName="memberOf"
    userSearch="(userPrincipalName={0}@mydomain)"/>
   
Group membership is stored in an attribute named
memberOf in Active Directory. myadminuser doesn't
really have to be an admin user in AD. It just has
to have read permission to the memberOf attribute,
which is visible to normal user accounts by default.
   
This goes in web.xml,

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat</realm-name>
</login-config>
   
In the above example, I created a group in the Users
container named Tomcat. If you want to see how things
are organized in Active Directory, you can use LDIFDE
to dump the directory into an LDIF file. That's how I
figured it out.
   
Jon
   
- Original Message -
From: Cristina Perez Sanchez
   [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 10, 2002 9:10 AM
Subject: Roles in JNDIRealms
   
   
  Hi,

  could anyone tell me what objectclass must be group
  entries that represent roles associated to users in
  JNDIRealms?? I use groupOfUniqueNames as objectclass
  but I would like to know if the objectclass group is
  more proper or if the objectclass isn't relevant.


  Thanks in advance,

  Cristina


  

 
=== message truncated ===



Re: Re[3]: Roles in JNDIRealms

2002-06-11 Thread Jonathan Eric Miller

I think you can use whatever objectClass you want. The only filter that it
uses for finding roles is the string that you set roleSearch to.

Jon

- Original Message -
From: Cristina Perez Sanchez [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 3:36 AM
Subject: Re: Re[3]: Roles in JNDIRealms


 Hi,

 first, thanks for your answers.

 I would like to ask another question. I use Tomcat
 4.0.3 and so I have to set roleSearch and create group
 objects that contain the DNs of users associated to.
 Which objectclass must be these group entries?
 groupOfUniqueNames objectclass? group class? Are both
 valid?


 Thanks,

 Cristina


 --- Jonathan Eric Miller [EMAIL PROTECTED]
 wrote:
  Jacob,
 
  I'm happy to say that there is a new bind as user
  mode in Tomcat 4.1.3 which verifies the user password
  by binding as them to the directory, rather than
  querying the directory for the password. You are
  correct, previously it wouldn't work with Active
  Directory (as well as any other directory that didn't
  store its passwords in the specific format that Tomcat
  wanted), but now it does. Now, if you don't set the
  userPassword attribute, it operates in bind as user
  mode. They haven't updated the main end-user
  documentation on JNDIRealm yet, but if you look at the
  Catalina developer docs, you'll see what I'm referring
  to if you look at the JNDIRealm class.
 
  Jon
 
  - Original Message -
  From: Ryan [EMAIL PROTECTED]
  To: Tomcat Users List
  [EMAIL PROTECTED]; Jacob Kjome
  [EMAIL PROTECTED]
  Sent: Monday, June 10, 2002 4:55 PM
  Subject: Re: Re[2]: Roles in JNDIRealms
 
 
   Jacob,
   I took a quick look at the source, but it looks like
   the passwords are digested here also (i.e. will not
   work with Active Directory). From what I understand,
   with AD the authentication has to be done _on_ the
   server.
   Thanks,
   Ryan
  
   --- Jacob Kjome [EMAIL PROTECTED] wrote:
Hello Ryan,

Check this out:

http://www.peacetech.com/java/files/apache/tomcat/

I haven't used it (nor have I used JNDIRealm at all
so far), but I grab stuff that looks like useful info
off the list and put it in my Vault
( http://www.personalmicrocosms.com/ ) from time to
time. Hopefully it is useful for you.

Jake

Monday, June 10, 2002, 3:18:15 PM, you wrote:
   
R Jonathan,
R This is sort of off subject, but does your Active
R Directory setup work for Authentication?? It seems to
R me that it wouldn't since there is no userPassword
R attribute in AD, but I am hoping I'm wrong.
R Thanks,
R Ryan
   
R --- Jonathan Eric Miller
  [EMAIL PROTECTED]
R wrote:
 If you are using Tomcat 4.1.3, there are two modes
 that you can use for checking roles. If you set
 roleSearch, it will search for group objects that
 contain a list of users for each group. If you set
 userRoleName, it will get the group information out
 of the user's entry instead, i.e. you don't need
 separate group objects.

 If you are using Active Directory, I found that you
 can use a setup similar to the following.

 This goes in server.xml,

 <Realm
     className="org.apache.catalina.realm.JNDIRealm"
     debug="99"
     connectionName="myadminuser@mydomain"
     connectionPassword="myadminpassword"
     connectionURL="ldap://mydomaincontroller"
     userBase="cn=Users, dc=mydomain"
     userRoleName="memberOf"
     userSearch="(userPrincipalName={0}@mydomain)"/>

 Group membership is stored in an attribute named
 memberOf in Active Directory. myadminuser doesn't
 really have to be an admin user in AD. It just has
 to have read permission to the memberOf attribute,
 which is visible to normal user accounts by default.

 This goes in web.xml,

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Tomcat</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>Tomcat</realm-name>
 </login-config>

 In the above example, I created a group in the Users
 container named Tomcat. If you want to see how things
 are organized in Active Directory, you can use LDIFDE
 to dump the directory into an LDIF file. That's how I
 figured it out.

 Jon

 - Original Message -
 From: Cristina Perez Sanchez
[EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 10, 2002 9:10 AM
 Subject: Roles in JNDIRealms


  Hi,
 
  could anyone tell me what objectclass must
  be
 group