Hello Tomcat-Users,

I've got a problem and I don't know if it's my lack (...but I've already scanned this list).

In my environment I want to authenticate the users against MS AD by JNDI LDAP. The user authentication is OK and the roles found by getRoles() are also the right ones. But the returned roles are given as the complete distinguished name (DN) of the role (i.e. "CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de") instead of the single role name (attribute cn) (i.e. "ERKUSAAdmin"), so I have to configure the full DN in web.xml for a security-constraint, which is very undesirable.

Log in catalina.out (tomcat 4.1.7):

2004-05-13 11:33:44 JNDIRealm[Standalone]: Searching for goerlich
2004-05-13 11:33:44 JNDIRealm[Standalone]: base: CN=Users,dc=local,dc=bremereb,dc=de filter: (sAMAccountName=goerlich)
2004-05-13 11:33:44 JNDIRealm[Standalone]: entry found for goerlich with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: retrieving values for attribute memberOf
2004-05-13 11:33:44 JNDIRealm[Standalone]: validating credentials by binding as the user
2004-05-13 11:33:44 JNDIRealm[Standalone]: binding as CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich successfully authenticated
2004-05-13 11:33:44 JNDIRealm[Standalone]: getRoles(CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:33:44 JNDIRealm[Standalone]: Searching role base 'CN=Users,dc=local,dc=bremereb,dc=de' for attribute 'cn'
2004-05-13 11:33:44 JNDIRealm[Standalone]: With filter expression 'member=CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:33:44 JNDIRealm[Standalone]: Returning 7 roles
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich has role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAAdmin
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAVerwalter
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAAdmin

My configured JNDI-realm in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="... (substituted)"
       userBase="CN=Users,dc=local,dc=bremereb,dc=de"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
       roleName="cn"
       roleSearch="member={0}"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="secret"
       roleSubtree="true"
       userSubtree="true" />

I run this on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 returns 14 roles (for the given example), which works for me, but I need that functionality in tomcat 4.

Log in catalina.out (tomcat 5.0.24):

2004-05-13 11:59:31 JNDIRealm[Catalina]: Searching for goerlich
2004-05-13 11:59:31 JNDIRealm[Catalina]: base: CN=Users,dc=local,dc=bremereb,dc=de filter: (sAMAccountName=goerlich)
2004-05-13 11:59:31 JNDIRealm[Catalina]: entry found for goerlich with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute memberOf
2004-05-13 11:59:31 JNDIRealm[Catalina]: validating credentials by binding as the user
2004-05-13 11:59:31 JNDIRealm[Catalina]: binding as CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Username goerlich successfully authenticated
2004-05-13 11:59:31 JNDIRealm[Catalina]: getRoles(CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:59:31 JNDIRealm[Catalina]: Searching role base 'CN=Users,DC=local,DC=bremereb,DC=de' for attribute 'cn'
2004-05-13 11:59:31 JNDIRealm[Catalina]: With filter expression 'member=CN=Goerlich\5c, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: Returning 14 roles
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role _Team_SAP
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role _Dokumentation
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role _Gewerbekunden
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role ERKUSAAdmin
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role manager
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role tomcat
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role erkusaverwalter