On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
Hello,

I am trying to implement authentication for the Tomcat manager application 
against Active Directory.

Unfortunately I don't understand the role concept. I would like to give users 
permission to open the manager when they are in this group:

memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
server.xml:
         <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
                 connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
                 connectionPassword="_2VK!WHzybn1SJ8P"
                 connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
                 userSearch="(sAMAccountName={0})"
                 userSubtree="true"

                 roleSearch="(memberof={0})"
                 roleSubtree="true"
                 userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
             />

<!--            roleBase="DC=DOM,DC=de"
                 roleName="cn"
-->

With this configuration I can open the Manager, but I get no permissions.

Even if the user-role relationship is found, I don't understand how I can 
assign Tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm you have three settings which are most probably not correct.

* roleSearch will only be used if roleName is set (which is commented out in your configuration)
* roleSearch will be used to search for objects that match the given filter. In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object (cn=... is not a name of an attribute, but rather a value)

So given your goal, that cn=tomcat admins,... should be a role, you have two options.

* You could activate roleName=cn (or another attribute name) and change the roleSearch to member={0}. Then the realm would (hopefully) find the object cn=tomcat admins,...
* You could change userRoleName to memberOf

In the first case your user would have a role with the name "Tomcat Admins". The second option would lead to a role name of "cn=Tomcat Admins,...".

In both cases you would have to change the security constraints in the webapp (those are defined in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the roles defined in web.xml you could simply change roleName in the first option above.

Regards
 Felix
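The following is an added example of Felix's first option written out as configuration; it is not part of the original thread and is not Tomcat's or Felix's own code. It assumes the group object lives under OU=Roles,OU=Spezielle Gruppen (taken from the memberOf value in the question), that the Tomcat 7 JNDIRealm attributes from the linked documentation (userBase, roleBase, roleName, roleSearch) apply, and that the service account password is supplied as a placeholder rather than in clear text. The web.xml fragment is likewise an assumed edit of the manager application's existing security constraint.

```xml
<!-- server.xml: JNDIRealm resolving roles from AD group objects (added example, not from the thread) -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
       connectionURL="ldap://server:389"

       userBase="OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"

       roleBase="OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- {0} in roleSearch is the authenticated user's DN, so (member={0}) matches group
     objects listing that user; roleName="cn" turns each match into the role "Tomcat Admins". -->

<!-- manager/WEB-INF/web.xml: the constraint must name the role the realm actually produces.
     Before (stock manager app): -->
<auth-constraint>
   <role-name>manager-gui</role-name>
</auth-constraint>

<!-- After (assumed edit for this setup): -->
<auth-constraint>
   <role-name>Tomcat Admins</role-name>
</auth-constraint>
<security-role>
   <description>AD group mapped by JNDIRealm roleName="cn"</description>
   <role-name>Tomcat Admins</role-name>
</security-role>
```

With the second option (userRoleName="memberOf") the role-name in web.xml would instead have to be the full DN string "CN=Tomcat Admins,OU=Roles,...", which is why the group-object search with a short cn is usually the more maintainable choice.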


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org