Hello. I am trying to set up the following features:
- Client authentication using client SSL certificates
- Client authorization using the JNDI realm, against an iPlanet LDAP directory
I first tested a simpler configuration using the LDAP realm with BASIC authentication, and it works fine. The realm configuration, set up in the server.xml application context, is:

    <Context path="/test" docBase="../_PHILIPPE_/TEST-CONTEXT" debug="0"
             reloadable="true" crossContext="true">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="localhost_test-context_log." suffix=".txt" timestamp="true" />
      <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
             connectionName="uid=Tomcat,ou=People,dc=moon.net"
             connectionPassword="tomcat"
             connectionURL="ldap://localhost:389"
             roleBase="ou=Roles,ou=TomcatRealm,dc=moon.net"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
             roleSubtree="false"
             userBase="ou=Users,ou=TomcatRealm,dc=moon.net"
             userSearch="(cn={0})" />
    </Context>

According to this configuration, when a user tries to access a secured URL and provides a BASIC login and password, the realm correctly checks the credentials against the directory, binding with the DN found using the userBase and userSearch parameters.

On the other hand, I tried another configuration, using SSL client authentication and the default realm, adding a user entry in the tomcat-users.xml file with the complete DN as username: "cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net". As expected, the certificate is successfully verified against the cacerts trust store, and the default realm correctly matches the user with the issuer DN extracted from the client certificate. In this last case, I assumed the DN provided by the client certificate is the exact expression used by the realm to match the user's identity.

Now, I don't understand how it should be possible to configure both the JNDI realm and the SSL connector to indicate how the client certificate's DN must be used to check the user identity in the LDAP directory. It seems obvious that using the full DN from the client certificate as a single user identifier (cn, uid, etc.) fails, since the search filter doesn't match.
Would it be sensible to use the key alias from the trust keystore as the directory identifier value? Perhaps I am not going the right way!... Thanks for your help.

Philippe Maseres
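An added illustration of the mismatch described above (example code, not from the message or from Tomcat): it parses the certificate's subject DN, shows that substituting the whole DN into the realm's (cn={0}) userSearch produces a filter that cannot match any entry, and instead extracts the cn RDN, escaping the value per RFC 4515 before it enters the filter, since the certificate subject is client-supplied data. The DN and the search template are the ones quoted in the message; the helper names and the regex-based DN parser are my own assumptions, not Tomcat's implementation.

```python
import re

# Constructed sample: the subject DN quoted in the message above.
CERT_SUBJECT_DN = "cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net"
USER_SEARCH = "(cn={0})"   # the realm's userSearch template from the message

# Split on commas that are not escaped with a backslash (RFC 2253 style).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Split a DN string into (attribute, value) pairs, leftmost RDN first.
    Multi-valued RDNs (a+b) are not handled; that is enough for this case."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.replace("\\,", ",")))
    return pairs


def escape_filter_value(value):
    """RFC 4515 escaping: a client-chosen subject value must not be able to
    change the structure of the LDAP search filter it is inserted into."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(template, identity):
    """Substitute the {0} placeholder the way a userSearch template is used,
    with the identity escaped first."""
    return template.replace("{0}", escape_filter_value(identity))


def identity_from_dn(dn, attribute="cn"):
    """Return the value of the first RDN whose type is the realm's user attribute."""
    for attr, value in parse_dn(dn):
        if attr == attribute:
            return value
    raise ValueError("no %s RDN in %s" % (attribute, dn))


if __name__ == "__main__":
    # Whole DN as the identity: the filter asks for cn=cn=SomeBody,... and fails.
    print("full DN  :", build_user_search(USER_SEARCH, CERT_SUBJECT_DN))
    # Only the cn RDN: the filter becomes (cn=SomeBody) and can match the entry.
    print("cn only  :", build_user_search(USER_SEARCH, identity_from_dn(CERT_SUBJECT_DN)))
```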