tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Philippe Maseres" <p.mase...@citb.bull.net>
Subject SSL client authentication + LDAP realm / Tomcat 4.1.18
Date Thu, 13 Mar 2003 14:59:25 GMT
Hello.

I sent this message first to the users list, but as few (or none !) answers
arrived, i post it again to this list.
I read some messages around the same questions in the list archives, but
none if them seems to solve it actually...

I try to set up the following features :
- Client authentication using client SSL certificates
- Client authorization using the JNDI realm, against an iPlanet LDAP
directory

I first tested a simpler configuration using the LDAP realm with BASIC
authentication, and it works fine. The realm configuration, set up in the
server.xml application context is :

		<Context	path="/test"
					docBase="../_PHILIPPE_/TEST-CONTEXT"
					debug="0"
					reloadable="true"
					crossContext="true"
			>
			<Logger	className="org.apache.catalina.logger.FileLogger"
					prefix="localhost_test-context_log."
					suffix=".txt"
					timestamp="true"
			/>
			<Realm	className="org.apache.catalina.realm.JNDIRealm"
					debug="99"
					connectionName="uid=Tomcat,ou=People,dc=moon.net"
					connectionPassword="tomcat"
					connectionURL="ldap://localhost:389"
					roleBase="ou=Roles,ou=TomcatRealm,dc=moon.net"
					roleName="cn"
					roleSearch="(uniqueMember={0})"
					roleSubtree="false"
					userBase="ou=Users,ou=TomcatRealm,dc=moon.net"
					userSearch="(cn={0})"
			/>
		</Context>

According to this configuration, when a user tries to access a secured URL
and provides its BASIC login and password, the realm correctly checks the
credentials against the directory, binding with the DN using the userBase
and userSearch parameters.

On the other hand, i tried another configuration, using SSL client
authentication and the default realm, adding a user entry in the
tomcat-users.xml file with the complete DN as username :
"cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net". As expected, the
certificate is successfully verified in the trust cacerts store, and the
default realm correctly matches the user with the issuer DN extracted from
the client certificate.

In this last case, i assumed the DN provided by the client certificate is
the exact expression used by the realm to match the users identity.

Now, i don't understand how it should be possible to configure both the JNDI
realm and the SSL connector to indicate how the client certificates DN must
be used to check the user identity in the LDAP directory. It seems obvious
that using the full DN from the client certificate as a single user
identifier (cn, uid, etc.) fails, since the search filter doesn't match.
Should it be sensible to use the key alias from the trust keystore as the
directory identifier value ? Perhaps i don't go the right way !...

Thanks for your help.

Philippe Maseres


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message