Jacob,

I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3
which verifies the user password by binding as them to the directory, rather
than querying the directory for the password. You are correct, previously it
wouldn't work with Active Directory (as well as any other directory that
didn't store its passwords in the specific format that Tomcat wanted), but,
now it does. Now, if you don't set the userPassword attribute, it operates
in "bind as user" mode. They haven't updated the main end-user documentation
on JNDIRealm yet, but, if you look at the Catalina developer docs, you'll
see what I'm referring to if you look at the JNDIRealm class.

Jon

----- Original Message -----
From: "Ryan" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Jacob Kjome"
<[EMAIL PROTECTED]>
Sent: Monday, June 10, 2002 4:55 PM
Subject: Re: Re[2]: Roles in JNDIRealms


> Jacob,
> I took a quick look at the source, but it looks like
> the passwords are digested here also (i.e. will not
> work with Active Directory). From what I understand,
> with AD the authentication has to be done _on_ the
> server.
> Thanks,
> Ryan
>
> --- Jacob Kjome <[EMAIL PROTECTED]> wrote:
> > Hello Ryan,
> >
> > Check this out:
> > http://www.peacetech.com/java/files/apache/tomcat/
> >
> > I haven't used it (nor have I used JNDIRealm at all so far), but I
> > grab stuff that looks like useful info off the list and put it in my
> > Vault ( http://www.personalmicrocosms.com/ ) from time to time.
> > Hopefully it is useful for you.
> >
> > Jake
> >
> > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> >
> > R> Jonathan,
> > R> This is sort of off subject, but does your Active Directory setup
> > R> work for Authentication?? It seems to me that it wouldn't since
> > R> there is no userPassword attribute in AD, but I am hoping I'm wrong.
> > R> Thanks,
> > R> Ryan
> >
> > R> --- Jonathan Eric Miller <[EMAIL PROTECTED]>
> > R> wrote:
> > >> If you are using Tomcat 4.1.3, there are two modes that you can use
> > >> for checking roles. If you set roleSearch, it will search for group
> > >> objects that contain a list of users for each group. If you set
> > >> userRoleName, it will get the group information out of the user's
> > >> entry instead, i.e. you don't need separate group objects.
> > >>
> > >> If you are using Active Directory, I found that you can use a setup
> > >> similar to the following.
> > >>
> > >> This goes in server.xml,
> > >>
> > >> <Realm
> > >>  className="org.apache.catalina.realm.JNDIRealm"
> > >>  debug="99"
> > >>  connectionName="myadminuser@mydomain"
> > >>  connectionPassword="myadminpassword"
> > >>  connectionURL="ldap://mydomaincontroller"
> > >>  userBase="cn=Users, dc=mydomain"
> > >>  userRoleName="memberOf"
> > >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> > >>
> > >> Group membership is stored in an attribute named memberOf in Active
> > >> Directory. myadminuser doesn't really have to be an admin user in AD.
> > >> It just has to have read permission to the memberOf attribute, which
> > >> is visible to normal user accounts by default.
> > >>
> > >> This goes in web.xml,
> > >>
> > >> <security-constraint>
> > >>  <web-resource-collection>
> > >>   <web-resource-name>Tomcat</web-resource-name>
> > >>   <url-pattern>/*</url-pattern>
> > >>  </web-resource-collection>
> > >>  <auth-constraint>
> > >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > >>  </auth-constraint>
> > >> </security-constraint>
> > >> <login-config>
> > >>  <auth-method>BASIC</auth-method>
> > >>  <realm-name>Tomcat</realm-name>
> > >> </login-config>
> > >>
> > >> In the above example, I created a group in the Users container named
> > >> Tomcat. If you want to see how things are organized in Active
> > >> Directory, you can use LDIFDE to dump the directory into an LDIF file.
> > >> That's how I figured it out.
> > >>
> > >> Jon
> > >>
> > >> ----- Original Message -----
> > >> From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
> > >> To: <[EMAIL PROTECTED]>
> > >> Sent: Monday, June 10, 2002 9:10 AM
> > >> Subject: Roles in JNDIRealms
> > >>
> > >>
> > >> > Hi,
> > >> >
> > >> > could anyone tell me what objectclass the group entries that
> > >> > represent roles associated to users in JNDIRealms must have? I use
> > >> > groupOfUniqueNames as objectclass, but I would like to know if the
> > >> > objectclass group is more proper or if the objectclass isn't
> > >> > relevant.
> > >> >
> > >> >
> > >> > Thanks in advance,
> > >> >
> > >> > Cristina
> > >> >
> > >> >
> > >> > __________________________________________________
> > >> > Do You Yahoo!?
> > >> > Yahoo! - Official partner of 2002 FIFA World Cup
> > >> > http://fifaworldcup.yahoo.com
> > >> >
> > >> > --
> > >> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > >> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> > >> >
> > >>
> > >>
> >
> >
> >
> >
> > --
> > Best regards,
> >  Jacob
> > mailto:[EMAIL PROTECTED]
> >
> >
> >
>
>


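As an added illustration of the two mechanisms discussed in this thread (this is not Tomcat's JNDIRealm code and not code posted by anyone on the list), the small Java/JNDI program below does what the "bind as user" mode and the memberOf-based role lookup amount to: it verifies the password by binding to the directory with the user's own credentials instead of reading a password attribute, and then reads the user's memberOf values to use as roles. The class name BindAsUserCheck, the escapeFilterValue helper and the constants URL, USER_BASE and DOMAIN are assumptions of this example; the placeholder values mydomaincontroller and mydomain come from the server.xml snippet above. One difference from the realm's behaviour: JNDIRealm looks the user's DN up first and binds with that DN, whereas this example binds directly with the userPrincipalName, which Active Directory accepts as a simple-bind name.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Illustrative bind-as-user check against an LDAP directory (assumed example, not JNDIRealm). */
public class BindAsUserCheck {

    // Assumed placeholders taken from the server.xml example in the thread.
    static final String URL = "ldap://mydomaincontroller";
    static final String USER_BASE = "cn=Users,dc=mydomain";
    static final String DOMAIN = "mydomain";

    /**
     * Returns the user's memberOf values if the bind succeeds, or null if the
     * credentials are rejected. An empty password is refused before any bind:
     * LDAP servers, Active Directory included, treat a bind with a name and an
     * empty password as an *unauthenticated* bind and may report success, which
     * would let anyone log in as any user (RFC 4513, section 5.1.2).
     */
    public static List<String> authenticate(String username, String password) throws NamingException {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // No password attribute is read from the directory: the directory
        // itself checks the password when we bind as the user.
        env.put(Context.SECURITY_PRINCIPAL, username + "@" + DOMAIN);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
        } catch (AuthenticationException e) {
            return null;                        // wrong password or unknown user
        }
        try {
            // Same filter as the userSearch in the thread, with the user-supplied
            // value escaped so it cannot change the structure of the filter.
            String filter = "(userPrincipalName=" + escapeFilterValue(username) + "@" + DOMAIN + ")";
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, filter, sc);

            List<String> roles = new ArrayList<>();
            if (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf != null) {
                    for (int i = 0; i < memberOf.size(); i++) {
                        // Values look like CN=Tomcat,CN=Users,DC=mydomain, which is
                        // why the role-name in web.xml above is a full DN.
                        roles.add((String) memberOf.get(i));
                    }
                }
            }
            return roles;
        } finally {
            ctx.close();
        }
    }

    /** Escapes the characters that RFC 4515 reserves inside a filter value. */
    static String escapeFilterValue(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NamingException {
        List<String> roles = authenticate(args[0], args[1]);
        System.out.println(roles == null ? "rejected" : "roles: " + roles);
    }
}
```

Two points worth checking in a real deployment of either this example or the realm configuration above: the ldap:// URL sends both the connectionPassword and every user's password over the network in the clear, so an ldaps:// URL (or StartTLS) should be used in practice; and whichever component performs the bind must refuse empty passwords itself rather than trusting the directory to reject them, for the unauthenticated-bind reason noted in the comment.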
