2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]>

> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active
> Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> The authentication seems to work but I wonder how to map LDAP groups
> to security roles.
> I do not want to add groups in the LDAP server, but to map existing
> ones to the roles defined in my web application instead.
>
> Is it possible? I did not find any doc / post about this topic.
>
> Thanks,
> Jerome
>


So for the log and if it can help someone, here is how I resolved my issue:

I've extended the JNDIRealm class to override the getRoles(...) method.

package org.apache.catalina.realm;
...
public class CustomJNDIRealm extends JNDIRealm {
...
    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        List<String> ldapRoles = super.getRoles(context, user);
        // customized part
        return ldapRoles;
    }
...
}

The package needs to be the same as that of the JNDIRealm class, otherwise
the class User is not visible.
In the "custom part" of the method I read a properties file that describes
the mapping between LDAP roles and security roles.
And I simply add security roles to the ldapRoles list before returning it.

The properties file is in Tomcat's lib directory and looks like:

securityrole1=group1,group2,group4
securityrole2=group3
securityrole3=group5,group6
...

And to be exhaustive, here is the realm configuration for Active Directory
that works in my env:

    <Realm
        className="org.apache.catalina.realm.CustomJNDIRealm"
        debug="99"
        connectionURL="ldap://myADserver:389"
        connectionName="myADreadonlyUser"
        connectionPassword="password"
        referrals="follow"
        userBase="DC=mycompany,DC=com"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="DC=mycompany,DC=com"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"/>

Cheers,
Jerome
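
An added example, not part of the original post and not Tomcat's own code: one way the "customized part" could turn the group list from super.getRoles(...) into security roles using the properties format shown above. The class and method names are hypothetical; it assumes group names are compared case-insensitively and that empty entries grant nothing.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

// Hypothetical helper: the class and method names are not from the post.
public class RoleMappingExample {

    // Returns the LDAP groups plus every security role whose group list
    // (securityrole=group1,group2) contains at least one of those groups.
    static List<String> addSecurityRoles(Properties mapping, List<String> ldapGroups) {
        Set<String> held = new LinkedHashSet<>();
        for (String g : ldapGroups) {
            // Assumption: compare case-insensitively, as AD does for CNs.
            held.add(g.trim().toLowerCase(Locale.ROOT));
        }
        Set<String> result = new LinkedHashSet<>(ldapGroups);
        for (String role : mapping.stringPropertyNames()) {
            for (String group : mapping.getProperty(role).split(",")) {
                String wanted = group.trim().toLowerCase(Locale.ROOT);
                // Skip empty entries such as "role=" or "a,,b" so they grant nothing.
                if (!wanted.isEmpty() && held.contains(wanted)) {
                    result.add(role);
                    break;
                }
            }
        }
        return new ArrayList<>(result);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in the format shown in the post.
        Properties mapping = new Properties();
        mapping.load(new StringReader(
            "securityrole1=group1,group2,group4\n"
          + "securityrole2=group3\n"
          + "securityrole3=group5, group6\n"));
        // Constructed group list standing in for super.getRoles(context, user).
        List<String> groups = Arrays.asList("Group2", "group6", "unmapped");
        System.out.println(addSecurityRoles(mapping, groups));
    }
}
```

Because this file decides which roles a user receives, it should be writable only by the administrator, and a failure to load it should leave the role list unchanged rather than add defaults.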
