We had problems with the JNDIRealm using Netscape Directory Server
(iPlanet/SUN One).

It was related to digests and the encoding of passwords, so we simply
subclassed to fix it. That was a while ago (4.0.6), and I haven't tried the
last version.

One thing that I'm wondering is how you implement "Password Expiration" using
the realm. As far as I can see from looking at the code, the realm just
checks whether a user exists in the directory server, and then checks the
password of that user against the entered password.

I know for a fact that LDAP itself has the concept of passwords expiring,
but does anyone know whether, using the JNDI API, we can extract this variable
from the directory server (at the same time as the password and roles are
extracted) and then compare it with the current date?

The next problem I'm having is, how can I tell Tomcat while inside my realm
that the user's password was correct, but they need to change it? I'm
thinking the only way to achieve this is to create my own custom
authenticator, and a user principal to hold the expiry date.

I'd be interested if anyone has done this before.

Thanks

Rob
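As an added example (not code from this thread or from Tomcat's JNDIRealm) of the JNDI lookup described above: bind as the user to verify the password, then read a directory-held expiry timestamp over the same connection and compare it with the current date. The attribute name passwordExpirationTime and the GeneralizedTime layout are assumptions about the directory server's schema, as is the LdapExpiryCheck class name.

```java
import java.text.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapExpiryCheck {
    // Bad credentials, valid, or valid but the password must be changed.
    public enum Outcome { INVALID, OK, PASSWORD_EXPIRED }

    // Assumed operational attribute name and GeneralizedTime layout (e.g. 20030403194100Z);
    // check the directory server's schema for the real name and format.
    private static final String EXPIRY_ATTR = "passwordExpirationTime";
    private static final String GENERALIZED_TIME = "yyyyMMddHHmmss'Z'";

    public static Outcome authenticate(String url, String userDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx;
        try {
            ctx = new InitialDirContext(env); // binding as the user verifies the password
        } catch (AuthenticationException e) {
            return Outcome.INVALID;
        }
        try {
            // Operational attributes are not returned unless requested by name.
            Attributes attrs = ctx.getAttributes(userDn, new String[] { EXPIRY_ATTR });
            Attribute expiry = attrs.get(EXPIRY_ATTR);
            if (expiry == null) return Outcome.OK; // no expiry set on this entry
            return isExpired((String) expiry.get()) ? Outcome.PASSWORD_EXPIRED : Outcome.OK;
        } finally {
            ctx.close();
        }
    }

    // True when the GeneralizedTime value is at or before the current UTC time.
    static boolean isExpired(String generalizedTime) {
        SimpleDateFormat fmt = new SimpleDateFormat(GENERALIZED_TIME);
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        try {
            return !fmt.parse(generalizedTime).after(new Date());
        } catch (ParseException e) {
            return true; // unparseable timestamp: fail closed rather than accept it
        }
    }
}
```

A realm built on this would return a principal carrying the PASSWORD_EXPIRED outcome so a custom authenticator can redirect to a change-password page instead of treating the login as a plain failure.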



-----Original Message-----
From: Gabriel Santonja [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 April 2003 7:41 PM
To: Tomcat Users List
Subject: Re: Tomcat with LDAP


On Wed, 2 Apr 2003 15:33:42 -0600
"Jonathan Eric Miller" <[EMAIL PROTECTED]> wrote:

> JNDIRealm is broken and unusable.
Really? On what version? Because it's working not so badly in 4.1.18.
The realm documentation is good for this.

Example of conf in server.xml:
<Valve className="org.apache.catalina.authenticator.SingleSignOn"
  debug="0"/>
<Realm className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName="cn=ldapadmin,ou=admin,o=XXXX"
  connectionPassword="YYYYYYYYY"
  connectionURL="ldap://zz.zz.zz.zz:389"
  userPassword="userPassword"
  userPattern="uid={0},ou=users,ou=jetspeed,ou=applications,ou=fr,o=XXXX"
  roleBase="ou=groups,ou=tomcat,ou=jetspeed,ou=applications,ou=fr,o=XXXX"
  roleName="cn"
  roleSearch="(uniqueMember={0})" />

      ...
       </Host>
    </Engine>
  </Service>

You can use the LDIF in the documentation and change the DN path in
userPattern and roleBase. I'm using Tomcat with Jetspeed LDAP and it's
not simple.

In some conditions (LDAP correctly configured) you can delete the two
lines
    connectionName="cn=ldapadmin,ou=admin,o=XXXX"
    connectionPassword="YYYYYYYYY"
and use LDAP binding with encrypted passwords.
Cordially.

> 
> Jon
> 
> ----- Original Message -----
> From: "Karamat Adil IHMD" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 02, 2003 2:08 PM
> Subject: Tomcat with LDAP
> 
