Hello Felix, thanks for the explanation! I got it now!

What helped was to enable debugging:

# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
       connectionPassword="PASS"
       connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleSubtree="true"
       roleName="CN"
       userRoleName="memberOf" />

And I copied the manager-gui constraint in web.xml of the manager application and put in my new role:

<role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=easycash,DC=de</role-name>

Thanks a lot!

Best Regards,
Bjoern

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Saturday, 15 March 2014 21:52
To: users@tomcat.apache.org
Subject: Re: JNDIRealm - Active Directory Roles

On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
> Hello,
>
> I try to implement the authentication for the tomcat manager application
> against active directory.
>
> Unfortunately I don't understand the role concept. I would like to give the users
> permissions to open the manager when they're in this group:
>
>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>
> server.xml:
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>        connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>        connectionPassword="_2VK!WHzybn1SJ8P"
>        connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        roleSearch="(memberof={0})"
>        roleSubtree="true"
>        userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
>        />
>
> <!-- roleBase="DC=DOM,DC=de"
>      roleName="cn"
> -->
>
> With this configuration I can open the Manager, but got no permissions.
>
> Even if the user role relationship will be found, I don't understand how I can
> assign tomcat roles (e.g. manager-gui) to the user.

Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.

* roleSearch will only be used if roleName is set (which is commented out in your configuration)
* roleSearch will be used to search for objects that match the given filter. In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object (cn=... is not the name of an attribute, but rather a value)

So given your goal that cn=tomcat admins,... should be a role, you have two options.

* You could activate roleName=cn (or another attribute name) and change the roleSearch to member={0}. Then the realm would (hopefully) find the object cn=tomcat admins,...
* You could change userRoleName to memberOf

In the first case your user would have a role with the name "Tomcat Admins". The second option would lead to a role name of "cn=Tomcat Admins,...". In both cases you would have to change the security constraints in the webapp (those are defined in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the roles defined in web.xml you could simply change roleName in the first option above.

Regards
Felix

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
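The two options Felix describes, written out side by side as an added example (not configuration from either poster); the directory names, service account and group DN under DC=example,DC=com are constructed placeholders:

```xml
<!-- conf/server.xml, option 1: search group objects (roleBase/roleName/roleSearch).
     {0} in roleSearch is the user's DN found via userBase/userSearch, so the
     role Tomcat sees is the group's cn, here "Tomcat Admins". Only direct
     membership is found by member={0}; nested AD groups are not expanded. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="CHANGEME"
       connectionURL="ldap://ad.example.com:389"
       userBase="OU=Users,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Roles,DC=example,DC=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- conf/server.xml, option 2: read the memberOf attribute of the user object.
     No group search is done; each memberOf value becomes a role, so the role
     name is the full group DN and must appear verbatim in web.xml. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="CHANGEME"
       connectionURL="ldap://ad.example.com:389"
       userBase="OU=Users,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf" />

<!-- webapps/manager/WEB-INF/web.xml: the role-name must match exactly what
     the realm returns (cn value for option 1, full DN for option 2). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Tomcat Admins</role-name>
    <!-- option 2 instead:
    <role-name>CN=Tomcat Admins,OU=Roles,DC=example,DC=com</role-name> -->
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Tomcat Admins</role-name>
</security-role>
```

The bind account in connectionName only needs read access to the user and group containers; the connectionPassword sits in clear text in server.xml, so keep that file readable by the Tomcat user alone.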