Re: JNDIRealm - Active Directory Roles

Mon, 17 Mar 2014 07:12:07 -0700 

Am 17.03.2014 13:05, schrieb bjoern.bec...@easycash.de:

Hallo Felix,

thanks for explaination! I got it now!

What helps was to enable debugging:

# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST 
or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

        <Realm className="org.apache.catalina.realm.JNDIRealm"
                        connectionName="CN=SVC_TomcatLdapQuery,OU=Service 
Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
                        connectionPassword="PASS"
                        
connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
                        userSearch="(sAMAccountName={0})"
                        userSubtree="true"
                        roleSubtree="true"
                        roleName="CN"
                        userRoleName="memberOf"
         />
You should leave roleName und roleSubtree out of your configuration, since you are using userRoleName. 

Regards
 Felix


And I copy the manager-gui constraint in web.xml of the manager application and 
put in my new role:

<role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle 
Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=easycash,DC=de</role-name>

Thanks a lot!

Best Regards,
Bjoern

-----Ursprüngliche Nachricht-----
Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Gesendet: Samstag, 15. März 2014 21:52
An: users@tomcat.apache.org
Betreff: Re: JNDIRealm - Active Directory Roles

Am 13.03.2014 18:15, schrieb bjoern.bec...@easycash.de:

Hello,

I try to implement the authentification for the tomcat manager application 
against active directory.

Unfortunately I don't understand the role concept. I like to give the users 
permissions to open the manager when they're in this group:


memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de

server.xml:
          <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
                  connectionName="CN=SVC,OU=Service 
Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
                  connectionPassword="_2VK!WHzybn1SJ8P"
                  
connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
userSearch="(sAMAccountName={0})" 
                  userSubtree="true"

                  roleSearch="(memberof={0})"
                  roleSubtree="true"
                  userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle 
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
              />

<!--            roleBase="DC=DOM,DC=de"
                  roleName="cn"
-->

With this configuration I can open the Manager, but got no permissions.

Even if the user role relationship will found, I don't understand how I can 
assign tomcat roles (e.g. manager-gui) to the user.

Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.

   * roleSearch will only be used, if roleName is set (which is commented out 
in your configuration)
   * roleSearch will be used to search for objects that match the given filter. 
In your case you would find user objects instead of group objects.
   * userRoleName should be the name of an attribute in the user object (cn=... 
is not a name of an attribute, but rather a value)

So given your goal, that cn=tomcat admins,... should be a role, you have two 
options.

   * You could activate roleName=cn (or another attribute name) and change the 
roleSearch to member={0}. Then the realm would (hopefully) find the object 
cn=tomcat admins,...
   * You could change userRoleName to memberOf

In the first case your user would have a role with the name "Tomcat Admins". The second 
option would lead to a role name of "cn=Tomcat Admins,...".

In both cases you would have to change the security constraints in the webapp 
(those are defined in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the roles 
defined in web.xml you could simply change roleName in the first option above.

Regards
   Felix


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to