> I preferred binding to the directory with supplied credentials because it
> allows the realm implementation to use an anonymous password for the rest
> of what it needs.

Yes - I think binding is the better approach in general. Also the directory
can then contain password hashes rather than plaintext passwords without the
Tomcat realm having to know about the details. The only advantage I can see
for having the realm retrieve the password is that it makes http digest
authentication possible, provided that the plaintext password or a suitable
hash is stored in the directory. Whether any web browser actually supports
digest authentication is another matter ...

> To allow for DN's in the directory that may not be composed of the same
> attributes as other DN's, one thing I was thinking about doing to the one
> I submitted was to configure what the login attribute is (cn, uid, etc.) and
> search for it (with anonymous login) to get the dn, then bind to the
> directory with the resultant DN and the user-entered password to
> authenticate.  This might be a little less efficient than just searching
> and getting the password as well, but is more secure than having the root
> password to the ldap server where it might be accessible by someone.

That too is my preferred approach, and it's how the code I originally
submitted works.
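The search-then-bind flow discussed above, as an added example that is not code from this thread or from the Tomcat realm. The directory is a constructed in-memory stand-in for an LDAP server (entry DNs, attributes and passwords are all made up here), and its "bind" is simulated with a salted-hash check; the point it shows is that the realm only needs an anonymous search plus a bind as the user, never a privileged account and never the stored password or hash. It also handles two failure modes a real realm must get right: an ambiguous search result, and an empty password (which LDAP servers treat as an unauthenticated bind rather than a failed one).

```python
"""Search-then-bind authentication against a simulated directory.

Added example, not from the thread or from Tomcat. Directory contents are
constructed; the bind is simulated by verifying a salted SHA-256 hash.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password, salt):
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


@dataclass
class Entry:
    dn: str
    attrs: dict        # e.g. {"uid": "alice", "cn": "Alice Liddell"}
    pw_hash: bytes     # salted hash; the realm never sees this
    salt: bytes


class SimulatedDirectory:
    """Stand-in for an LDAP server (constructed for this example)."""

    def __init__(self):
        self._entries = {}   # dn -> Entry

    def add_user(self, dn, attrs, password):
        salt = os.urandom(16)
        self._entries[dn] = Entry(dn, attrs, _hash(password, salt), salt)

    def search(self, attr, value):
        """Anonymous search: returns matching DNs only, no credential data."""
        return [e.dn for e in self._entries.values()
                if e.attrs.get(attr) == value]

    def bind(self, dn, password):
        """Simple bind: True iff the DN exists and the password verifies.

        An empty password is rejected explicitly. In real LDAP a bind with a
        DN and an empty password is an *unauthenticated* bind, which many
        servers accept, so a realm that forwards it would let anyone in.
        """
        e = self._entries.get(dn)
        if e is None or not password:
            return False
        return hmac.compare_digest(_hash(password, e.salt), e.pw_hash)


def authenticate(directory, login_attr, login, password):
    """Realm logic as described in the thread.

    1. Search anonymously for login_attr=login to obtain the user's DN, so
       entries with differently shaped DNs (cn=..., uid=..., other OUs) work.
    2. Bind as that DN with the user-supplied password.
    Returns the DN on success, None otherwise. Zero or several matches are
    treated as failure rather than guessing which entry is meant.
    """
    dns = directory.search(login_attr, login)
    if len(dns) != 1:
        return None
    return dns[0] if directory.bind(dns[0], password) else None


def build_demo_directory():
    """Constructed sample data: DNs of different shape, one duplicated cn."""
    d = SimulatedDirectory()
    d.add_user("uid=alice,ou=people,dc=example,dc=com",
               {"uid": "alice", "cn": "Alice Liddell"}, "s3cret")
    d.add_user("cn=Bob Builder,ou=contractors,dc=example,dc=com",
               {"uid": "bob", "cn": "Bob Builder"}, "hammer")
    d.add_user("uid=alice2,ou=alumni,dc=example,dc=com",
               {"uid": "alice2", "cn": "Alice Liddell"}, "other")
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    for attr, login, pw in [("uid", "alice", "s3cret"), ("uid", "bob", "hammer"),
                            ("uid", "alice", "wrong"), ("uid", "alice", ""),
                            ("cn", "Alice Liddell", "s3cret")]:
        print(f"{attr}={login!r:20} -> {authenticate(d, attr, login, pw)}")
```

With a real server the login value must be escaped per RFC 4515 before it is placed in the search filter (so a login such as `*` or `a)(uid=*` cannot widen the search), and the bind connection should be separate from the anonymous search connection so the realm's later searches do not run with the user's identity.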


