2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]>
> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active
> Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> The authentication seems to work but I wonder how to map LDAP groups
> to security roles.
> I do not want to add groups in the LDAP server, but to map existing
> ones to the roles defined in my web application instead.
>
> Is it possible? I did not find any doc / post about this topic.
>
> Thanks,
> Jerome
>
So for the log, and if it can help someone, here is how I resolved my issue:

I've extended the JNDIRealm class to override the getRoles(...) method.

    package org.apache.catalina.realm;

    import java.util.List;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    ...
    public class CustomJNDIRealm extends JNDIRealm {
        ...
        @Override
        protected List<String> getRoles(DirContext context, User user)
                throws NamingException {
            // group names found by JNDIRealm's own LDAP lookup
            List<String> ldapRoles = super.getRoles(context, user);
            // customized part
            return ldapRoles;
        }
        ...
    }

The package needs to be the same as the JNDIRealm class, otherwise the class User is not visible.

In the "custom part" of the method I read a properties file that describes the mapping between LDAP roles and security roles, and I simply add security roles to the ldapRoles list before returning it. The properties file is in Tomcat's lib directory and looks like:

    securityrole1=group1,group2,group4
    securityrole2=group3
    securityrole3=group5,group6
    ...

And to be exhaustive, here is the realm configuration for Active Directory that works in my env:

    <Realm className="org.apache.catalina.realm.CustomJNDIRealm"
           debug="99"
           connectionURL="ldap://myADserver:389"
           connectionName="myADreadonlyUser"
           connectionPassword="password"
           referrals="follow"
           userBase="DC=mycompany,DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="DC=mycompany,DC=com"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true"/>

Cheers,
Jerome
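A complete version of the "customized part" described above, added here as an illustration and not Jerome's own code: it assumes a file named role-mapping.properties (hypothetical name) sitting in Tomcat's lib directory, which Tomcat 6's common class loader exposes as a classpath resource, and it matches LDAP group names case-insensitively.

```java
package org.apache.catalina.realm;
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;

// Same package as JNDIRealm: in Tomcat 6 its User class is package-private.
public class CustomJNDIRealm extends JNDIRealm {
    // Hypothetical file name; put in Tomcat's lib directory so the class
    // loader that loads this class also finds it as a resource.
    private static final String MAPPING_FILE = "role-mapping.properties";
    // Reverse index: lower-cased LDAP group name -> security roles it grants.
    private final Map<String, List<String>> groupToRoles = loadMapping();
    private static Map<String, List<String>> loadMapping() {
        Map<String, List<String>> index = new HashMap<String, List<String>>();
        InputStream in = CustomJNDIRealm.class.getClassLoader().getResourceAsStream(MAPPING_FILE);
        if (in == null) return index;   // no file: behave exactly like JNDIRealm
        Properties props = new Properties();
        try {
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + MAPPING_FILE, e);
        } finally {
            try { in.close(); } catch (IOException ignored) { }
        }
        // Each line reads securityrole=group1,group2,...
        for (String role : props.stringPropertyNames()) {
            for (String group : props.getProperty(role).split(",")) {
                String key = group.trim().toLowerCase(Locale.ENGLISH);
                if (key.length() == 0) continue;
                if (!index.containsKey(key)) index.put(key, new ArrayList<String>());
                index.get(key).add(role.trim());
            }
        }
        return index;
    }
    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        List<String> ldapRoles = super.getRoles(context, user);
        if (ldapRoles == null) return null;   // JNDIRealm may return null: no groups
        List<String> result = new ArrayList<String>(ldapRoles);   // keep LDAP names too
        for (String group : ldapRoles) {
            List<String> mapped = groupToRoles.get(group.toLowerCase(Locale.ENGLISH));
            if (mapped == null) continue;
            for (String role : mapped) if (!result.contains(role)) result.add(role);
        }
        return result;
    }
}
```

A missing mapping file silently leaves the realm behaving like the stock JNDIRealm, so verify the effective roles of a test account rather than assuming the mapping took effect.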