tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Seth Leger <seth.le...@raritan.com>
Subject Re: JNDIRealm
Date Tue, 22 Apr 2008 17:30:25 GMT
Henri Gomez wrote:
> I do some search today and debugged TC 6.0.x trunk from my eclipse.
> Authentification works great and the only remaining problem it so
> setup roles in AD for users.
>
> I used :
>
>     <Realm   className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://ldap.mycorp.com:389"
>          alternateURL="ldap://ldap.mycorp.com:389"
>          connectionName="cn=someldapaccounttobind,ou=MyCorp
> Users,dc=mycorp,dc=com"
>          connectionPassword="someldapaccounttobindpassword"
>            userBase="ou=MyCorp Users,dc=mycorp,dc=com"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            referrals="follow"
>            userRoleName="memberOf"
>            debug="true"
>            />
>   
Yes, this use case will work with the current Tomcat 6.0.X JNDIRealm 
code because your Active Directory administrator has given you search 
credentials for the Active Directory server
(cn=someldapaccounttobind,ou=MyCorpUsers,dc=mycorp,dc=com/someldapaccounttobindpassword).

But not all Active Directory administrators are willing to give out a 
set of credentials like this (for instance, a strict, enterprise 
environment where password access is strictly controlled).

My patch removes that requirement from the JNDIRealm. Instead of relying 
on a hard-coded value for authentication, it can fall back to using the 
credentials being supplied to the authenticate() call to perform the 
JNDI search (which will succeed because users have permissions to view 
their own LDAP object instance, as far as I know this is always true). 
The password is never stored; it is only transmitted at login time to 
the server (and this transmission can be protected from interception 
with LDAP over SSL).

It's a pretty minor change, written similarly to the way that the 
current JNDIRealm code retries during connection timeouts.

Seth Leger
Sr. Software Engineer
Raritan, Inc.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message