Hello Tomcat-Users,

I've got a problem and I don't know if it's my lack (...but I've already
scanned this list).

In my environment I want to authenticate the users against MS AD by JNDI
LDAP. The user authentication is ok and also the roles found by
getRoles() are the right ones. But the returned roles are given in the
complete distinguished name (DN) of the role (i.e.
"CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de") instead of the
single role name (attribute cn) (i.e. "ERKUSAAdmin"), so I have to
configure the full DN in web.xml for a security-constraint, which is very
undesirable:

Log in catalina.out (tomcat 4.1.7):

2004-05-13 11:33:44 JNDIRealm[Standalone]:   Searching for goerlich
2004-05-13 11:33:44 JNDIRealm[Standalone]:   base:
CN=Users,dc=local,dc=bremereb,dc=de  filter: (sAMAccountName=goerlich)
2004-05-13 11:33:44 JNDIRealm[Standalone]:   entry found for goerlich
with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   retrieving values for
attribute memberOf
2004-05-13 11:33:44 JNDIRealm[Standalone]:   validating credentials by
binding as the user
2004-05-13 11:33:44 JNDIRealm[Standalone]:   binding as CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich
successfully authenticated
2004-05-13 11:33:44 JNDIRealm[Standalone]:   getRoles(CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Searching role base
'CN=Users,dc=local,dc=bremereb,dc=de' for attribute 'cn'
2004-05-13 11:33:44 JNDIRealm[Standalone]:   With filter expression
'member=CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Returning 7 roles
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]:   Found role
CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich has role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT
have role ERKUSAAdmin
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT
have role ERKUSAVerwalter
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT
have role ERKUSAAdmin

My configured JNDI-realm in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="... (substituted)"
userBase="CN=Users,dc=local,dc=bremereb,dc=de"
userSearch="(sAMAccountName={0})"
userRoleName="memberOf"
roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
roleName="cn"
roleSearch="member={0}"
connectionName="[EMAIL PROTECTED]"
connectionPassword="secret"
roleSubtree="true"
userSubtree="true" />

I run this on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 returns 14
roles (for the given example), which works for me, but I need that
functionality in tomcat 4:

Log in catalina.out (tomcat 5.0.24)

2004-05-13 11:59:31 JNDIRealm[Catalina]:   Searching for goerlich
2004-05-13 11:59:31 JNDIRealm[Catalina]:   base:
CN=Users,dc=local,dc=bremereb,dc=de  filter: (sAMAccountName=goerlich)
2004-05-13 11:59:31 JNDIRealm[Catalina]:   entry found for goerlich with
dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute memberOf
2004-05-13 11:59:31 JNDIRealm[Catalina]:   validating credentials by
binding as the user
2004-05-13 11:59:31 JNDIRealm[Catalina]:   binding as CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Username goerlich successfully
authenticated
2004-05-13 11:59:31 JNDIRealm[Catalina]:   getRoles(CN=Goerlich\,
Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Searching role base
'CN=Users,DC=local,DC=bremereb,DC=de' for attribute 'cn'
2004-05-13 11:59:31 JNDIRealm[Catalina]:   With filter expression
'member=CN=Goerlich\5c, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   retrieving values for
attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Returning 14 roles
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role
CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role _Team_SAP
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role _Dokumentation
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role _Gewerbekunden
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role ERKUSAAdmin
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role manager
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role tomcat
2004-05-13 11:59:31 JNDIRealm[Catalina]:   Found role erkusaverwalter
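
The two logs above differ in one step: Tomcat 4 returns only the raw memberOf DNs, while the Tomcat 5 log also resolves each group's cn attribute (and escapes the backslash in the user DN as \5c when building the member= filter), so a web.xml role like ERKUSAAdmin only matches in the second case. The following is an added example, not code from the post or from Tomcat's JNDIRealm: it parses group DNs with a small RFC 2253-style parser (backslash and hex escapes, no multi-byte UTF-8 reassembly), derives the short role name from the leftmost cn RDN, builds the role search filter with RFC 4515 escaping, and shows why a DN-only role list fails the role check. The sample DNs are constructed from the values in the log, not read from a directory.

```python
"""Map memberOf group DNs to short role names and build an escaped role filter.

Added example; the function names, the sample DNs and the role-resolution
logic are assumptions modelled on the mailing-list logs, not Tomcat code.
"""
from string import hexdigits
from typing import List, Tuple

# Constructed sample values taken from the log lines in the post.
USER_DN = r"CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de"
MEMBER_OF = [
    "CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de",
]

# RFC 4515 escapes for characters that are special inside a search filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attributeType, value) pairs, honouring '\\x' and '\\XX' escapes.

    An escaped comma (as in 'CN=Goerlich\\, Michael') stays inside the value
    instead of starting a new RDN, which is the edge case in the log above.
    """
    pairs: List[Tuple[str, str]] = []
    attr = None          # attribute type of the RDN currently being read
    buf: List[str] = []  # characters of the current type or value
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            nxt = dn[i + 1]
            if nxt in hexdigits and i + 2 < n and dn[i + 2] in hexdigits:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # '\2c' -> ','
                i += 3
            else:
                buf.append(nxt)  # '\,' -> ',', '\\' -> '\'
                i += 2
            continue
        if c == "=" and attr is None:
            attr, buf = "".join(buf).strip(), []
        elif c == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        elif c == " " and attr is not None and not buf:
            pass  # drop unescaped whitespace directly after '='
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"trailing RDN without '=' in {dn!r}")
    pairs.append((attr, "".join(buf)))
    return pairs


def role_name(group_dn: str, attr: str = "cn") -> str:
    """Value of the leftmost RDN of type `attr`: the group's own name, not 'Users'."""
    for typ, val in parse_dn(group_dn):
        if typ.lower() == attr.lower():
            return val
    raise ValueError(f"no {attr} RDN in {group_dn!r}")


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)


def role_search_filter(user_dn: str, template: str = "member={0}") -> str:
    """Expand the roleSearch template with the escaped user DN, as in the Tomcat 5 log."""
    return template.replace("{0}", escape_filter_value(user_dn))


def granted_roles(member_of: List[str], resolve_cn: bool = True) -> List[str]:
    """Role strings the container would compare against web.xml.

    resolve_cn=False mirrors the Tomcat 4 log (DNs only); True adds the cn
    values the Tomcat 5 log lists after the DNs.
    """
    roles = list(member_of)
    if resolve_cn:
        roles += [role_name(dn) for dn in member_of]
    return roles


def has_role(roles: List[str], required: str) -> bool:
    """Exact string match, which is what a role-name in web.xml requires."""
    return required in roles


if __name__ == "__main__":
    print(role_search_filter(USER_DN))
    for resolve in (False, True):
        roles = granted_roles(MEMBER_OF, resolve_cn=resolve)
        print(f"resolve_cn={resolve}: {len(roles)} roles, "
              f"ERKUSAAdmin granted: {has_role(roles, 'ERKUSAAdmin')}")
```

Running it reproduces the two outcomes from the post: with only the DNs the check for ERKUSAAdmin fails, and once the cn values are appended it succeeds; the printed filter matches the Tomcat 5 filter expression character for character.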

